Organizations can learn a thing or two from cunning, marketing-savvy hackers.
An online job posting for an email marketing manager includes these duties: driving the execution of email marketing tactics through deployment and analysis, and collaborating on lead nurturing campaigns and strategies. Oddly enough, you could change this title to cyberattack marketing manager. Cybercriminals have blown right past the typical phishing exercise and are now using ‘customer reach’ tactics that are usually the domain of corporate marketers.
It’s difficult to make the jump to understanding the mindset and approach of today’s cybercriminals because organizations need to function within a regulated, compliant framework. However, there are similarities in methodologies and techniques that can be studied and from which security and IT teams can gain helpful insights. One of the main objectives of any cybercriminal is to persuade individuals to provide them with their own or their company’s private information, open a malicious document or click on the link to a rogue website. And importantly, they want to maximize hit rates to scale up their operations – just like any digital marketer!
Cybercriminals have become more cunning practitioners. Most of us are aware of the stereotypical, badly designed, questionable emails, complete with poor English and spelling mistakes. We automatically assume these are phishing attempts from old-school cybercriminals. Now, at the other end of the scale, when we receive a slick email that is perfectly designed with no mistakes, should your employees also be suspicious? Can cybercriminals really be that good?
Worryingly, cybercriminals are getting that good. They are honing their skills and investing in creative marketing and design. They are also looking at other forms of digital marketing, including the use of artificial intelligence and big data analytics, to target individuals on a mass scale and to provide real and justifiable reasons for more of us to open an attachment or click on a link.
Cybercriminals Borrow Marketing Practices to Great Advantage
In this modern threat environment, cybercriminals are adopting other typically legitimate practices. Organizations are spending vast sums of money to gain credible endorsements from celebrities and people in a position of trust to encourage potential customers to look at their products and services. The cybercriminal has also embraced this approach to support their malicious activities – but they are not restricted by laws, compliance, or ethics. They simply use sophisticated fake news and fake endorsements to do the same thing. The difference is that they can use anyone they want without permission or legitimacy. They use the money they saved by avoiding large celebrity fees to invest in the complex technologies that enable them to impersonate real people in a position of trust and authority, including news sources.
This means that organizations and the public in general need to become even more alert and establish new ways of checking that the facts presented are true and the source of the email is legitimate.
Cybercriminals are becoming very effective at leveraging the skills and expertise of the best marketing departments and copying legitimate techniques and approaches. But as marketing best practices evolve, so will the threats from cybercriminals. The real danger is when they start to utilize new and more innovative disruptive marketing techniques. Cybercriminals have masses of data and good technical capabilities, and they are well resourced. The likelihood they will utilize new technologies is extremely high, and even if legitimate businesses begin to deploy these technologies, they won’t be able to catch up. Cybercriminals’ time-to-market will accelerate, because ethical or legal standards are not their concern.
How can a legitimate organization fight back?
- Step One: Visit your digital marketing teams and learn about the latest, most sophisticated marketing techniques.
- Step Two: Engage all security and IT teams in understanding the newest email and other digital marketing practices.
- Step Three: Run scenarios from the perspective of the cybercriminal to see how they might use these new practices.
- Step Four: Continually educate all employees on what new types of email schemes might be coming their way.
By turning your organization’s collective knowledge back against cybercriminals, you can strengthen your chances of avoiding an attack. ‘Beat them at their own game’ is the marketing slogan to have!
About the Author
Tom Brennan is Chairman of CREST USA, an international not-for-profit accreditation and certification body that represents and supports the technical information security market. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body and industry standards advocate. Brennan also serves as an industry evangelist and educator on the value of using accredited cybersecurity products and professionals to improve consumer privacy, security and protections worldwide.