Duane Nicol, Senior Product Manager for Awareness Training at Mimecast
Following years of pandemic-induced economic pressure, economies across the Middle East are eyeing a welcome return to normal. With White Friday and the end-of-year Dubai Shopping Festival on the horizon, as well as a hotly anticipated FIFA World Cup in Qatar having kicked off, the region is set to be a hub of activity and tourism over the coming months.
The region’s retail sector is also powering ahead: the UAE’s e-commerce market alone is expected to reach $8-billion by 2025, with the retail mobile-commerce market projected to grow at 19% CAGR. McKinsey data found that the number of people in the UAE and Saudi Arabia shopping online on a weekly basis has doubled in two years.
This has not escaped the notice of cybercriminals, who are almost certain to attempt to spoil the party for Middle East consumers. In fact, attacks are projected to become more prolific in the weeks and months ahead as cybercriminals prey on shoppers with a range of attack methods.
In Mimecast’s latest State of Ransomware Readiness 2 report, 59% of cybersecurity leaders in the UAE reported that the volume of cyberattacks have held firm or even increased over the past year. The State of Email Security 2022 report also found that 90% of organisations in Saudi Arabia have been the target of an email-related phishing attempt in the past year.
Cybercriminals refine, enhance attack methods
The increase in cyber threats is in part being driven by greater digitisation of various aspects of our personal and professional lives, creating valuable sources of information for threat actors as well as potential areas of weakness to exploit.
When the first lockdowns were implemented in early-2020, many office workers were forced to work remotely, a situation that has continued despite lockdown restrictions lifting. While this has undeniable benefits to workers, it has created a security nightmare for many organisations.
With employees working outside the confines of corporate security structures and often under immense pressure, cybercriminals have capitalised by aggressively exploiting the vulnerabilities that come with remote work.
Cybercriminals are also becoming increasingly adept at social engineering at scale. To illustrate, instead of targeting a person with a phishing attack, they seek to understand what their target’s persona represents – for example, a young male that enjoys outdoor sports and activities – and then purchase a mailing list with those interests. This allows them to craft more attractive phishing mails that have a far higher chance at success.
The amount of publicly-available personal information on social media is also giving threat actors valuable data to use in the crafting of their attacks. An attacker could type the name of a potential target on Google, which may bring up their Facebook profile and, in the case of outdoor enthusiasts, their Strava profile. From this they can see the types of activities they engage in, where they train, how often, and more.
From here it’s a simple matter of constructing a mailer with the right offer. For example, if the target is an avid cyclist, the attacker could develop a mailer that offers a substantial discount on a bike of the same brand that the person has put on their Facebook profile. This can increase the hit rate of their attacks from around 2% (for untargeted attacks) to as much as 20%.
In another example, a cybercriminal could infiltrate the mail server of a private school and send parents personalised emails asking for a meeting regarding their child. In a cruel twist, the cybercriminal may attach a malicious file and tell parents that it relates to the discussion they’d like to have about their child’s performance at the school.
Such an attack would likely seem so legitimate and convincing that most parents would open the attachment without a second’s hesitation. This may leave them exposed to further infiltration and potential financial losses as the cybercriminal uses their new-found access to infiltrate the victim’s banking profiles.
Knowledge, awareness the greatest weapon against cyberattacks
In light of such high levels of danger, what can be done to safeguard Middle Eastern organisations and citizens from cybercrime?
The first step is to build greater cyber resilience at a national, provincial and local level by investing in appropriate cybersecurity and continuity solutions. A multi-layered cyber resilience strategy that protects people from cyber threats is vital in the fight against cybercrime.
The Dubai Cyber Security Strategy, introduced in 2017, plays a vital role in strengthening cyber resilience in the UAE. The recently-launched CyberIC program in Saudi Arabia will develop the domestic cybersecurity sector with the aim of developing more than 10 000 skilled cybersecurity professionals over the next few years, boosting regional cyber defences.
Secondly, it is critical that information about likely attack methods and cyber risks reach every citizen. Everyone needs to join forces, from big business to government departments and even celebrities, to help raise the general level of cyber awareness among the broader population.
Businesses could contribute by sponsoring programmes and internships for cybercrime skills development, which has the dual benefit of improving the region’s defences against cyberattacks as well as improving the region’s global competitiveness at a time when the global cyber skills shortage is intensifying.
Universities can host regular guest lectures and information sessions by cybersecurity specialists to teach students about cyber safety and prepare them for the risks they’ll face.
Organisations in the private and public sectors should continuously train employees to become more cyber aware. Government departments can apply some of the learnings from the pandemic and roll out ongoing national cyber awareness campaigns that teach citizens about basic cyber safety.
Finally, a culture of community defence should be established that encourages victims of cybercrime to report cyberattacks. This can drive greater awareness of emerging cyber risks while also giving authorities valuable information about new attack methods that may aid their quest to bring perpetrators of cybercrime to justice.
|How to spot a (likely) scam
Check the discount – if you receive an email offer for 70% off a must-have item, proceed with caution. Such a significant discount is likely to feature prominently on the seller’s website, so check there first to see if the offer is legitimate. If you can’t see a 70% off offer on a bike, it’s likely the mail you received is a scam.
Phone to verify – no retailer or bank will laugh at you if you phone to confirm details before making a purchase or payment. If you’re unsure if the payment you’re making is to a legitimate businesses, give them a ring to confirm the amount, the bank details, and any other details before you make payment.
Pay attention (especially at home) – most businesses now have some form of cybersecurity in place. This means employees may not be receiving potentially dangerous emails as the company’s cybersecurity products filter those out. But this can create a false sense of security – when employees are home, they may see more such emails land in their inbox, increasing the chances of them clicking on an unsafe link or opening a malicious attachment.
Report threats (always) – if you do receive an email that is obviously a phishing attempt, don’t just ignore or delete it. Report it to your security team and, if it warrants it, to the authorities. When email threats go unreported it raises the risk level for everyone else. Conversely, the more we share emerging email threats, the easier it is for everyone to become aware of the threat and take action to avoid any risks.