Last month, it was reported that Roblox – an online game creation platform – had suffered a data breach after one of its employees fell victim to a phishing attack. This resulted in 4GB of internal documents being stolen and posted online, including creators’ email addresses, identification documents, and spreadsheets.
According to a Roblox spokesperson, the hacker used ‘highly personalised’ social engineering tactics to obtain the documents. As cybercriminals get more and more sophisticated and their traps get harder to spot, how can organisations and employees ensure that they protect their data and systems?
Cyber Protection Magazine spoke to four cybersecurity experts to understand how such attacks occur and how best to prevent them.
Fight the phish
Unfortunately, phishing attacks are very common: according to ClearedIn, 83% of organisations experienced at least one phishing attack in the last year, with approximately one in 99 emails containing suspicious links to deploy malware. Perhaps even more concerning, however, 97% of people cannot identify such scams.
Jeannie Warner, Director of Product Marketing at Exabeam, explains what a phishing attack is and how they lure individuals into their traps: “Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, malware is loaded and the cycle of information loss and damage begins. Any company that houses sensitive data should aim to nip this problem early on by identifying and alerting these malicious links.”
“Phishers typically include upsetting or exciting (but false) statements to get people to hand over their usernames, passwords, credit card numbers, social security numbers, date of birth and other personal information,” adds Bryson Medlock, Threat Intelligence Evangelist at ConnectWise. “They have the ability to spoof and/or forge the https:// that you normally see on a secure web server and a legitimate-looking web address, which is why you should always type the web address yourself instead of clicking on displayed links.”
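Warner’s point about identifying and alerting on malicious links, and Medlock’s warning that the displayed address can differ from where a link actually goes, can both be turned into a simple mail-gateway check. The following is an added illustration written for this article, not code from Exabeam, ConnectWise or Roblox. It parses a constructed HTML e-mail body, and flags any anchor whose visible text names one domain while the href points at another, any link that is not served over https, and any target domain outside a (constructed) allow-list of domains the organisation actually uses. The allow-list, the sample message and the two-label domain approximation are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body (not a real message): the visible
# link text shows a trusted-looking address while the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended. Verify now:</p>
<a href="http://example-login.net/verify">https://accounts.example.com/login</a>
<p>Or review the attached policy: <a href="https://docs.example.com/policy">policy</a></p>
"""

# Constructed allow-list of domains the organisation genuinely uses (assumption).
TRUSTED_DOMAINS = {"example.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain.
    Production code should use a public-suffix list instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html):
    """Return a list of findings as (href, visible_text, reasons) tuples.
    A link with no reasons is not reported."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        target_dom = registrable_domain(target.hostname or "")
        if target.scheme != "https":
            reasons.append("link is not https")
        # Visible text that looks like a URL but resolves to a different domain
        # is the classic display/target mismatch.
        if re.match(r"https?://", text):
            shown_dom = registrable_domain(urlparse(text).hostname or "")
            if shown_dom != target_dom:
                reasons.append(
                    f"display text says {shown_dom} but link goes to {target_dom}"
                )
        if target_dom not in TRUSTED_DOMAINS:
            reasons.append(f"domain {target_dom} is not on the trusted list")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the first link is reported, with all three reasons; the second link passes because it is https, its text is not a URL, and `docs.example.com` falls under the allow-listed domain. A check like this belongs in the gateway or mail client alongside user training, not instead of it: the allow-list is deliberately strict, and a real deployment would add lookalike-domain comparison and a proper public-suffix list.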
From these descriptions, we can see that the Roblox data breach is a clear example of the consequences of a phishing attack. As Neil Jones, Director of Cybersecurity Evangelism at Egnyte, points out, this serves as a reminder “that organisations’ IT security programmes are only as strong as their weakest links. Here, we see how advanced social engineering and spear-phishing tactics can lead to exfiltration of sensitive documents and ultimately impact a brand’s reputation. Such focussed tactics are much more likely to generate exfiltration payments to cyber-attackers, because organisational insiders logically have easier access to sensitive data than outsiders do.”
Paul Farrington, Chief Product Officer at Glasswall, agrees that, “this latest incident reminds organisations that without a proper understanding of online privacy risks, they can be left defenceless against hackers.”
Building stronger defences
There is no one single action that will prevent such attacks but, as Farrington emphasises, “the solution to fending off cyberattacks like this at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software.
“On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well. Having these measures in place will not only assist with preventing attacks, but it’s also more cost effective and efficient than using employees as an organisation’s first line of defence.”
Jones echoes his message: “In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s ‘Business Need to Know’ are powerful deterrents.”
However, Medlock stresses the importance of offering varied training options that are tailored to the individual: “Understanding generational behaviour differences is key for bolstering security training. No one size fits all, and experts need to step up their game and create training that is relevant to different groups of workers. This will be fundamental in improving internet safety and security. Teaching cyber security awareness as early as primary school will also help to consolidate good habits, such as password hygiene and spotting a phishing email, early.”