The use of impersonation tactics has become increasingly common and effective. Cybercriminals imitate IT support staff to trick employees into installing and accessing tools, and they impersonate employees to deceive IT support staff into inadvertently allowing access.
This was seen recently in high-profile incidents involving casinos and other large organisations. Hacking group Scattered Spider is believed to have gained access to these organisations' systems by calling helpdesks and impersonating IT employees in attempts to reset a user's password. The tactic is not new: it was seen as early as July 2022, when cryptocurrency payment system CoinsPaid lost US$37m to a social engineering attack. The attackers spent six months preparing and learning operational details, which allowed them to steal profiles and keys and gain access to CoinsPaid's IT infrastructure.
"Cybercriminals are successfully compromising very large entities as their techniques evolve. The hospitality industry is particularly vulnerable to this kind of attack; workers are by themselves at night and want to be helpful, and this opens the door for an attacker to leverage their trust."
Liana Carvalho Pruna, Cyber Services Manager, Philadelphia
Employees of a large communications firm were targeted by a phishing campaign. Text messages sent to their personal cell phones contained a link to a malicious site that appeared to be the employer's but was in fact designed to harvest the username, password, and second-factor code. Immediately after the incident response team was notified of the campaign, the security operations centre opened an investigation, which revealed that 15 employees had entered their credentials into the malicious website. Using the compromised credentials, the hacker accessed internal tools and reset the email passwords on 27 customer email accounts. Every compromised employee had their credentials locked and rotated, and the 27 impacted customers had their passwords reset to prevent any further access to the accounts.
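The investigation described above comes down to two questions a SOC has to answer quickly from its own telemetry: which hosts in the proxy logs are lookalikes of the employer's domain, and which users submitted a form to one of them (as opposed to merely opening the link). The following Python is an added example, not code from the snapshot or from the affected firm; the log format, the domain names and every log line are constructed for illustration, and the lookalike heuristics (homoglyph normalisation, brand-string containment, small edit distance) are a deliberately simple stand-in for a proper brand-monitoring feed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of web-proxy log lines in a hypothetical
# "timestamp user method url status" format. Not real data.
SAMPLE_PROXY_LOG = """\
2023-09-12T08:01:14Z alice GET https://portal.example-corp.com/login 200
2023-09-12T08:02:05Z alice POST https://portal.example-corp.com/login 302
2023-09-12T08:10:41Z bob GET https://portal.examp1e-corp.com/login 200
2023-09-12T08:11:02Z bob POST https://portal.examp1e-corp.com/login 200
2023-09-12T08:11:30Z bob POST https://portal.examp1e-corp.com/mfa 200
2023-09-12T08:15:19Z carol GET https://example-corp-sso.net/login 200
2023-09-12T08:15:55Z carol POST https://example-corp-sso.net/login 200
2023-09-12T08:20:00Z dave GET https://news.example.org/ 200
2023-09-12T08:21:10Z erin GET https://exarnple-corp.com/login 200
"""

LEGIT_DOMAIN = "example-corp.com"  # assumed brand domain for this example

# Character substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "vv": "w", "rn": "m"}

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])


def normalize(label: str) -> str:
    """Undo the homoglyph tricks so 'examp1e' and 'exarnple' read as 'example'."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True if the host's registrable domain imitates the legitimate brand."""
    reg = registered_domain(host)
    if reg == legit:
        return False  # real subdomains of the brand are never lookalikes
    brand = legit.split(".")[0]          # "example-corp"
    label = normalize(reg.split(".")[0])  # leftmost label of the registrable domain
    if label == brand:                    # homoglyph substitution
        return True
    if brand in label:                    # brand embedded in another domain
        return True
    return edit_distance(label, brand) <= 2  # typosquat


def triage(log_text: str, legit: str = LEGIT_DOMAIN):
    """Split users into those who POSTed to a lookalike (credentials likely
    harvested) and those who only visited it. Returns (submitted, visited_only)."""
    submitted, visited = {}, set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, user, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if not is_lookalike(host, legit):
            continue
        visited.add(user)
        if method == "POST":
            submitted.setdefault(user, set()).add(registered_domain(host))
    return submitted, visited - set(submitted)


if __name__ == "__main__":
    harvested, clicked_only = triage(SAMPLE_PROXY_LOG)
    print("lock and rotate:", sorted(harvested))      # bob, carol
    print("awareness follow-up:", sorted(clicked_only))  # erin
```

Because the site in the incident also captured the second-factor code, the list this produces is the set of accounts whose password rotation is necessary but not sufficient: any sessions or tokens the attacker obtained with the harvested code should be invalidated as well, and the lookalike domains that surface should go straight to the proxy and mail-gateway blocklists.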
Data presented in this cyber services snapshot is derived from global incidents reported to Beazley between Q1 2021 and Q3 2023.
The information set forth in this communication is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. It should not be construed or relied upon as legal advice and is not intended as a substitute for consultation with counsel. Although reasonable care has been taken in preparing the information set forth in this communication, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information. Non-insurance products and services are provided by non-insurance company Beazley affiliates and independent third parties. Separate terms and conditions may apply.