 "Cyber attack")
Digital identities are now easily compromised at the hands of fast-paced technological advancements. In a recent report by an information security company, Cyberark, it was found that 100 per cent of Indian organisations expect identity-related compromise this year, stemming from economic-driven cutbacks, geopolitical factors, cloud adoption and hybrid working.
The latest in the cyber attack market is a re-invented form of "CEO scam" causing trouble for individuals and businesses.
What is a 'CEO scam'?
Typically a criminal posing as a senior person in the company tries to persuade staff to make an urgent payment or task that may compromise sensitive information. The request is often made via email, sometimes when the senior person is out of the office.
Attackers craft a highly realistic-looking email (with minor changes) that impersonates the company's CEO or another high-level executive and uses information learned about the target to make the email seem authentic. "Scammers tamper with minor details of the identity (such as letters in email) and often make the whole situation believable by gleaning data from social media sites – for example, the open information regarding a CEO or higher executive on tour, working remotely, etc.," says Rohan Vaidya, regional director – India & SAARC at CyberArk.
In addition to the deceptive urgent emails, cybercriminals are now using Whatsapp, SMS, phone calls, and other social networks as the medium to dupe employees into leaking information or transacting money.
Recently, Truecaller published a blog sensitising people about rising CEO scams. The blog said that various Truecaller employees received a WhatsApp message from a sender claiming to be their co-founder, Alan Mamedi.
More From This Section
Some scammers even use "deep fakes", using artificial intelligence (AI) to clone the CEO's voice or image, making it almost impossible to tell whether it's real or fake.
Earlier in April, a Meesho employee, Shikhar Saxena, shared an incident where he received a message from a fraudster who pretended to be the Meesho CEO, Vidit Aatrey, asking him to make some urgent payments.
Possible reasons behind growing Identity-centric attacks
The "CyberArk 2023 Identity Security Threat Landscape Report" found that identities -- both human and machine -- are at the heart of nearly all cyber attacks.
"We've all read about how layoffs and churn have affected industries, not just tech but retail, finance, and others. In our report, we found that 80 per cent of organisations expect employee churn-driven cyber issues in 2023," says Vaidya. Of all the respondents, 86 per cent said that loss of confidential information stemming from employees, ex-employees, and third-party vendors had been cited as a major concern.
Third parties, including partners, consultants, and service providers, were cited as the riskiest human identity type (44 per cent). Moreover, credential access was highlighted as the number one risk for respondents (cited by 45 per cent), followed by defence evasion (34 per cent), execution (34 per cent), initial access (31 per cent), and privilege escalation (26 per cent).
AI has become one of the leading tech-related topics in 2023. The report cited AI-powered malware as the top AI-related cyber risk to organisations in 2023.
CyberArk notes that out of all the surveyed organisations, 78 per cent of employees are using advanced but unapproved AI-enabled tools to help them in their daily jobs. Data is easily compromised by unverified AI tools, leading to a larger risk of identity theft.
Cyber sense, zero trust, and other ways to overcome identity-led attacks
In another recent incident, Nithin Kamath, the CEO of Zerodha, tweeted a thread detailing a new scam perpetrated by people impersonating FedEx and BlueDart employees. Kamath mentioned an incident where his colleagues received a call from someone claiming to be from FedEx. The scammer told the colleague that their parcel was confiscated by the police on charges of carrying drugs and asked him to pay a fine in order to have the parcel released.
"Like common sense, organisations should sensitise their employees to sharpen their cyber-sense. Though it may be difficult or out of the norms for junior workers but they must question emails/calls/messages received under the identity of higher executives or sources that cannot be trusted," opines Vaidya.
According to the recent PwC report, CEOs of Indian companies are increasing cyber investments, adjusting supply chains, and changing their physical footprint in response to geopolitical conflict.
"Among many methods, 'Zero Trust Alignment' can help organisations limit data/information leaks," says Vaidya. This includes stringent access controls and multiple application logins regulated via workforce management. "In our survey, respondents cited that identity management (79 per cent) and endpoint security/device trust (78 per cent) are "critical" or "important" to supporting Zero Trust.
According to CyberArk, the top three measures to improve identity security that organisations plan on introducing in 2023 include; just-in-time access (cited by 32 per cent of respondents); adopting least privilege principles to secure business-critical applications (32 per cent); and automatic provisioning and de-provisioning of access (31 per cent).
"Anything and everything related to identity should not be stored with individuals but with digital vaults, especially in DevOps and Automation areas," Vaidya concludes. According to the CyberArk report, over half of surveyed organisations look to trusted cybersecurity partners to help forecast and design solutions for future cyber risk in 2023.
