Twilio Cyber Attack: Social Engineering is Real and Really Dangerous
Phishing is a costly trap to fall into, with the indirect cost of lost productivity ballooning from $1.8 million in 2015 to $3.2 million per company on average in 2021. This makes it a prominent attack to be on the lookout for, as companies are still falling victim to phishing attacks with each passing day.
Recently, communications giant Twilio confirmed that hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials in a phishing attack.
The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ passwords had expired or that their schedules had changed, and advised the targets to log in using a spoofed web address that the attacker controlled.
Twilio said that the attackers sent these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps. (Okta was itself hit by a breach earlier this year, which saw hackers gain access to its internal systems.)
In total, cyber crime, which includes everything from theft or embezzlement to data hacking and destruction, is up 600% as a result of the COVID-19 pandemic. Along with volume, cybercrime has also risen in severity, with breaches and hacks being critical, if not fatal, wounds to companies today. Cybersecurity Ventures expects global cyber crime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.
Attacks of all types are on the rise. Recent Forbes Advisor research, which used data from the FBI's Internet Crime Complaint Center (IC3) from the past five years, found that there have been over 1.6 million breaches when the top ten most common breach methods are added up. Attacks like extortion, personal data breach, and identity theft all saw growth in volume, as well as damage.
“Among all types of cyber attacks, one stands out from the rest as something organizations of all sizes must be extra wary about: phishing attacks,” said Osman Erkan, founder and CEO of DefensX. “Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source, and are usually performed through email, but can also take place through text messages. The goal of these attacks is to steal sensitive data like credit card and login information or to install malware on the victim's machine. From there, attackers can facilitate access to your online accounts and personal data, obtain permissions to modify and compromise connected systems, such as point of sale terminals and order processing systems--and in some cases hijack entire computer networks until a ransom fee is delivered.”
Phishing is commonly used by cyber criminals, as an attack that exploits an organization's last line of cyber defense – the employees – says Erkan, who is one of the top cyber security experts in the world.
“The attack starts with a fraudulent email or other communication designed to lure a victim, with a message that is made to look as though it comes from a trusted sender,” Erkan said. “If it fools the victim, he or she is coaxed into providing confidential information--often on a scam website, or sometimes malware is also downloaded onto the target's computer. There are new ways to protect organizations from these increasingly dangerous threats, and we’re doing all we can to enlighten leaders that there are solutions to problems that can lead to compliance-related fines, or even worse, the extinction of their business.”
Twilio said that since the attack, it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for social engineering attacks. Twilio is not the only company attempting to bolster its cybersecurity today, as 54 percent of companies say their IT departments are not currently sophisticated enough to handle advanced cyberattacks. Many enterprises are now searching for solutions and protocols to help thwart potential phishing attacks.
“Zero-trust solutions that run on the principle of ‘never trust, always verify’ are table stakes today,” Erkan explained. “With this, all entities are considered untrustworthy in this paradigm until proven otherwise through authentication/authorization.”
Though the rise in demand for cybersecurity has mainly been within the past decade, zero-trust is already experiencing substantial growth. The global zero trust security market size was valued at USD 19.8 billion in 2020 and is expected to register a compound annual growth rate (CAGR) of 15.2 percent from 2021 to 2028. The rapid growth can be attributed to the benefits zero-trust can offer when defending against phishing attacks.
“By implementing zero trust into their email servers/services/mobile devices, organizations are better positioned to protect their users against phishing attacks,” Erkan said. “Many existing anti-phishing products rely heavily on blocklists and filters that can only detect/quarantine against known threats. Zero trust-based innovations would block any emails from unauthorized recipients and analyze email contents for the more common/known threats, but that is not enough when it comes to well-funded and profitable criminal enterprises that have mastered the art of social engineering. It’s extremely important to give every employee proven tools that alert them to dangerous messages and prevent them from interacting with dangerous domains if they do accidentally click. For a minor investment, major disasters can be avoided.”
The other main way to combat phishing attacks is simply training employees on how to spot an attack and what to do in a breach situation. Phishing exploits an employee's unawareness, and with around 121 business emails being sent and received per person on a daily basis, it can be easy to miss the signs and fall victim to phishing.
“It's important to run regular phishing awareness training sessions in your workplace,” Erkan said, “but that can be time-consuming and drain productivity, and given the sheer volume of emails and text messages we receive, is not enough. That’s why we created DefensX and continually enhance our platform, solutions, and features.”
DefensX converts a traditional web browser into a zero-trust secure browser. Zero-trust threat prevention technology protects users from advanced cybersecurity attacks by isolating threats from reaching endpoint devices, such as desktops, laptops, smartphones, and tablets.
Overall, with technology only expected to advance further, cybercrime and hackers aren’t going anywhere anytime soon, and neither is phishing, unfortunately. Enterprises must be more cautious, with hackers potentially lurking behind every email and URL. For companies that wish to remain protected in the digital age, zero-trust solutions can help shore up the defenses, while adequate employee training and cloud-based software solutions can help fill in the gaps.