According to Kaspersky researchers, another targeted threat to watch out for is corporate doxing – the process of gathering confidential information about an organisation and its employees without their agreement, in order to harm them or profit from it.

In a press release on Monday (29 Mar), the global cybersecurity firm stated that the proliferation of publicly available information, data leaks, and the advancement of technology are leading to a state in which tricking employees into giving out confidential information or even transferring funds is “becoming easier than ever before”.

Kaspersky noted that one of the methods used to dox organisations is Business Email Compromise (BEC) attacks. BEC attacks are targeted attacks in which criminals initiate email chains with employees by impersonating someone from the company.

In February 2021 alone, Kaspersky detected 1,646 such attacks – underlining the vulnerability of organisations when it comes to the exploitation of publicly available information.

Kaspersky explained that the general purpose of such attacks is to extract confidential information, such as client databases, or to steal funds.

For instance, its researchers regularly analyse cases in which criminals impersonate one of the target organisations’ employees using emails very similar to the real ones to extract funds.

An example of a BEC attack with banking details replacement (Source: Kaspersky)

According to Kaspersky, such attacks would not be possible on a massive scale without criminals gathering and analysing public information available on social media and beyond, such as names and positions of employees, their whereabouts, vacation times, and connections.

However, it noted that BEC attacks are just one type of attack that exploits publicly available information in order to harm an organisation.

Kaspersky went on to say that the diversity of ways organisations can be doxed is staggering and, besides the more obvious methods such as phishing or compiling profiles on organisations using data leaks, includes more creative, technology-driven approaches.

It is noteworthy that one of the most trending corporate doxing strategies is said to be identity theft.

As a general rule, doxers rely on information to profile specific employees and then exploit their identity. Kaspersky explained that new technologies, such as deepfakes, make such initiatives easier to execute provided there is public data to begin with.

For instance, a deepfake video believed to show an organisation’s employee could harm the company’s reputation, and to create it, doxers would simply need some kind of visual image of the target employee and basic personal information.

Voices could also be abused – a top-level speaker presenting on the radio or in a podcast could end up having their voice recorded and then imitated later, for instance in a call to accounting requesting an urgent banking transfer or asking for a clients’ database to be sent over.

“While doxing is generally believed to be an issue for regular users – we often see it figure in social media scandals – corporate doxing is a real threat for an organisation’s confidential data and one that should not be overlooked,” said Roman Dedenok, security researcher at Kaspersky.

“The doxing of organisations, just as of people, may result in financial and reputational losses, and the more sensitive the confidential information extracted is, the higher the harm. At the same time, doxing is one of the threats that could be prevented or at least significantly minimised with strong security procedures within an organisation,” he added.

In order to avoid or minimise the risk of a successful attack on an organisation, Kaspersky recommends the following measures:

  • Establish a rigid rule to never discuss work-related issues in messengers other than the official corporate ones, and train your employees to strictly adhere to this rule.
  • Help employees become more knowledgeable and aware of cybersecurity issues. This is the only way to effectively counteract the social engineering techniques that are aggressively used by cybercriminals. To do so, you could use an online training platform.
  • Educate employees on basic cyber threats. An employee who is well versed in cybersecurity issues will be able to thwart an attack. For instance, if they receive an e-mail from a colleague requesting information, they will know to first call the colleague to confirm that they actually sent the message.
  • Utilise anti-spam and anti-phishing technologies.