Smoke & Mirrors: Social Engineering and Sophisticated Phishing
1 Nov 2023 11:35h - 11:55h UTC
Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.
Session report
Full session report
Joy Chick
Phishing and social engineering attacks are prevalent across various industries, including healthcare, government, and finance, due to people’s busy schedules and lack of attention. These attacks have become the easiest way for criminals to obtain sensitive information and credentials. The increasing volume, scope, and sophistication of social engineering attacks are a concern, as attackers continue to evolve their strategies.
It is important to note that cyber attacks can happen to anyone, regardless of their level of technical knowledge. Therefore, individuals must remain vigilant and take necessary precautions to protect themselves and their information online.
The use of emerging technologies like Gen AI and machine learning by cyber criminals has enhanced phishing attacks. These technologies allow for automated and personalized campaigns that are difficult to detect and deceive people. This underscores the need for individuals to stay informed about the latest cyber threats and adopt robust security measures.
However, AI and Gen AI can also be used to enhance cybersecurity efforts. Companies like Microsoft employ AI to evaluate the security of user identities, devices, networks, and data. This technology can detect anomalies and breaches by analyzing vast amounts of information, while Gen AI automates these processes and reduces the burden on cybersecurity specialists.
To effectively combat social engineering attacks, individuals are advised to use phishing-resistant multi-factor authentication (MFA) and remain cautious of potential threats. However, it is important to recognise that MFA is not foolproof, as attackers have found tactics, such as SIM jacking and creating fake websites, to bypass these security measures. Maintaining a high level of vigilance is therefore essential.
The inconvenience of managing multiple passwords poses another challenge. Remembering different passwords for various accounts can be difficult and can lead to security risks. Password management solutions are necessary, and individuals should avoid reusing passwords and credentials across multiple accounts.
Responsibility for online protection should not solely rest on users. Collaboration among industries, authorities, and society as a whole is crucial for implementing effective cybersecurity measures. Biometrics and device-based authentication methods, such as Fast Identity Online (FIDO), are increasingly being adopted to securely verify users’ identities.
A zero-trust approach to identity verification and security is essential. This approach involves continuously verifying identities, granting minimal privileges, and assuming that breaches can occur, focusing on prompt detection and remediation.
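The zero-trust principles summarised here (verify every sign-in explicitly, grant the least privilege needed, assume breach and keep a trail for detection) are what the risk-based conditional access described later in the session operationalises: each sign-in is judged against the user's identity, location, device and the application requested, and an anomalous sign-in is stepped up to phishing-resistant MFA or blocked. The Python below is an added illustration and is not code from the panel, Microsoft or DiploGPT; the policy rules, the risk-signal names and the sign-in events are all constructed for this example.

```python
"""Toy risk-based conditional access evaluator (added example, hypothetical policy).

Every sign-in is verified explicitly against who the user is, where they are,
what device they are on and what they are asking for. Anomalous sign-ins are
stepped up to phishing-resistant MFA or blocked, and every decision is returned
with its reasons so that a later investigation ("why was Lucy compromised?")
has a record to work from. All sign-in events here are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_PHISHING_RESISTANT_MFA = "require_phishing_resistant_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str            # country derived from the client IP (constructed)
    device_compliant: bool  # device enrolled and healthy per the device baseline
    auth_method: str        # "password", "sms_otp" or "fido2"
    app_sensitivity: str    # "low", "medium" or "high"
    legacy_protocol: bool   # e.g. basic-auth mail protocols that cannot do MFA


@dataclass
class UserProfile:
    known_countries: set[str] = field(default_factory=set)


# Methods that resist credential phishing and MFA relay (FIDO2 / passkeys).
PHISHING_RESISTANT = {"fido2"}


def risk_signals(event: SignIn, profile: UserProfile) -> list[str]:
    """Return the reasons this sign-in looks anomalous (empty means 'normal')."""
    signals: list[str] = []
    if profile.known_countries and event.country not in profile.known_countries:
        signals.append("unfamiliar_location")
    if not event.device_compliant:
        signals.append("noncompliant_device")
    if event.auth_method not in PHISHING_RESISTANT:
        signals.append("phishable_credential")
    if event.legacy_protocol:
        signals.append("legacy_protocol")
    return signals


def evaluate(event: SignIn, profile: UserProfile) -> tuple[Decision, list[str]]:
    """Apply the (hypothetical) policy and return the decision with its reasons."""
    signals = risk_signals(event, profile)
    # Legacy protocols cannot be stepped up to MFA, so they are blocked outright.
    if "legacy_protocol" in signals:
        return Decision.BLOCK, signals
    # Least privilege: sensitive apps are never reachable from unmanaged devices.
    if event.app_sensitivity == "high" and "noncompliant_device" in signals:
        return Decision.BLOCK, signals
    # Password or SMS from a new country is the classic stolen-credential shape.
    if "unfamiliar_location" in signals and "phishable_credential" in signals:
        return Decision.REQUIRE_PHISHING_RESISTANT_MFA, signals
    # Sensitive apps always require a phishing-resistant factor.
    if event.app_sensitivity == "high" and "phishable_credential" in signals:
        return Decision.REQUIRE_PHISHING_RESISTANT_MFA, signals
    return Decision.ALLOW, signals


# Constructed profiles and sign-ins for the demonstration.
PROFILES = {"lucy": UserProfile({"GB"}), "joy": UserProfile({"US"})}
SAMPLE_EVENTS = [
    SignIn("lucy", "GB", True, "fido2", "high", False),      # normal, strong auth
    SignIn("lucy", "SA", True, "password", "medium", False), # new country + password
    SignIn("joy", "SA", True, "fido2", "high", False),       # travelling, but passkey
    SignIn("joy", "US", False, "fido2", "high", False),      # unmanaged device, sensitive app
    SignIn("lucy", "GB", True, "password", "low", True),     # legacy protocol
    SignIn("lucy", "GB", True, "sms_otp", "low", False),     # weak factor, low-risk app
]


def run_policy(events: list[SignIn] = SAMPLE_EVENTS) -> list[tuple[str, str, list[str]]]:
    """Evaluate each event and return an audit record: (user, decision, reasons)."""
    records = []
    for event in events:
        decision, signals = evaluate(event, PROFILES[event.user])
        records.append((event.user, decision.value, signals))
    return records


if __name__ == "__main__":
    for user, decision, signals in run_policy():
        print(f"{user:5} {decision:32} {signals}")
```

Note how the travelling user with a passkey is allowed while the same trip with a password triggers step-up: the location signal alone is not treated as hostile, it is the combination with a phishable credential that matches the attack pattern the session describes.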
In the era of cloud services, protecting workload identities is crucial. As more customers transition to the cloud, safeguarding non-human identities becomes increasingly important. Streamlining and decentralising verifiable credentials are necessary to ensure robust protection.
AI has the potential to revolutionise the security industry by identifying anomalies, detecting breaches, and taking real-time action. It simplifies the work of cybersecurity professionals by reducing reliance on multiple tools and logs.
Overall, security is a collaborative effort that requires the active participation of various stakeholders. By staying informed, adopting robust security measures, and fostering cooperation among industry players and societies, we can effectively combat the growing threat of cyber attacks and safeguard our digital ecosystem.
Moderator
In a recent discussion on the topics of smoke and mirrors, social engineering, and sophisticated phishing, Joy Chick, the President of Identity and Network Access at Microsoft, and Lucy Hedges, a technology journalist and TV presenter, explored the intricacies of cyber attacks and the necessary steps to protect against them. The discussion provided insights into the deceptive tactics employed by cyber criminals, including the use of smoke and mirrors to create illusions and misdirect attention. These tactics often result in successful social engineering attempts, where attackers manipulate individuals into revealing sensitive information or compromising security.
Both speakers stressed the critical importance of educating people about the various tactics employed in cyber attacks. By raising awareness and promoting digital literacy, individuals can become more vigilant and better equipped to identify and defend against deceptive strategies. Chick emphasised the need for organisations and individuals to invest in comprehensive cybersecurity training covering topics such as phishing awareness, safe browsing habits, and password hygiene.
Furthermore, the discussion highlighted the increasing sophistication of phishing techniques, noting that attackers are constantly evolving their methods to outsmart security measures. Traditional approaches to identifying phishing emails, like checking for spelling errors or suspicious links, are no longer sufficient. Cyber criminals have become adept at crafting highly convincing and targeted emails that are nearly indistinguishable from genuine communications. This necessitates the implementation of advanced security measures that go beyond traditional email filters and firewalls.
In conclusion, the discussion underscored that smoke and mirrors, social engineering, and sophisticated phishing are persistent threats that require continuous improvement in cybersecurity practices. Education and awareness are key to mitigating these risks, and organisations should prioritize implementing robust security measures to counter the evolving tactics employed by cyber criminals. By staying informed and proactive, individuals and businesses can enhance their defenses and safeguard their sensitive information from falling into the wrong hands.
Lucy Hedges
Social engineering and sophisticated phishing attacks are emerging as increasingly concerning threats to our digital society. These attacks exploit human vulnerabilities and security gaps and are executed by highly skilled perpetrators. It is worth noting that emerging technologies, such as Gen AI, are accelerating the innovation curve in these attacks.
To effectively defend against these threats, it is crucial to have a deep understanding of how social engineering and phishing attacks work and how they are evolving. These attacks are becoming more sophisticated, requiring individuals and organizations to stay informed and updated on the latest tactics employed by cybercriminals. Without this knowledge, countering these threats becomes increasingly difficult.
In this context, Lucy Hedges implicitly praises Joy Chick, highlighting her authority in the security landscape and her exceptional leadership role in managing Microsoft’s Identity and Network Security Solutions. With oversight of the largest user base in the world, encompassing both consumers and commercial entities, Joy Chick’s leadership underscores the importance of expertise in combating security threats.
Lucy Hedges emphasizes the evolution of social engineering attacks over time, noting their increased intricacy and sophistication. It is crucial to recognize that cyber attacks can happen to anyone, regardless of their technological knowledge or industry of work. This serves as a reminder that no one is immune to such threats and that everyone must take precautions to protect themselves and their data.
In conclusion, the escalating threats of social engineering and sophisticated phishing attacks present a significant risk to our digital society. The evolving nature of these attacks calls for continuous education, awareness, and the adoption of advanced security measures. Strong leadership, exemplified by Joy Chick, plays a pivotal role in navigating and mitigating these risks. Cybersecurity is a collective effort that demands vigilance from individuals and organizations alike.
Session transcript
Moderator:
Smoke and Mirrors, Social Engineering and Sophisticated Phishing. Joy Chick, President, Identity and Network Access, Microsoft. Lucy Hedges, Moderator, Technology Journalist and TV Presenter.
Lucy Hedges:
Hello, hello. I hope we’re all having a great event so far. Lots of insights and lots of inspiration to go home with after today. So we are here to talk about social engineering and sophisticated phishing. You know, these are the kinds of attacks that involve the use of deception by incredibly skilled perpetrators who are really adept when it comes to exploiting human vulnerabilities and security gaps to really capitalize on trust to gain unauthorized access to sensitive information and systems. Now these kind of attacks are moving at unprecedented speed which is in no small part down to emerging technologies like Gen AI that’s really accelerating the innovation curve when it comes to modern social engineering which is ultimately escalating its threats to our digital society. So it’s crucial or critical even for us to really understand the intricacies of these attacks which are getting more sophisticated by the day in order to really understand how to defend against them. Now I am joined by someone who is very well-versed in this area. Joy Chick is, I think it’s fair to say, a force to be reckoned with in the security landscape. She runs Microsoft’s Identity and Network Security Solutions running the world’s largest security systems across consumer and commercial which has over a million enterprise users, a billion enterprise users and almost a billion consumers on a monthly basis. So Joy, how are you?
Joy Chick:
Great. Thank you, Lucy. And good afternoon, ladies and gentlemen. It is actually my first time visiting the kingdom and it’s very much a great honor to be here.
Lucy Hedges:
Absolutely. Now we’ve got a lot to get through in a short space of time so I’m going to dive straight into my first question. So we’re going to start by defining the problem and the impact of this issue. So why are phishing and social engineering attacks such a big problem in cybersecurity?
Joy Chick:
Yeah, with any breaches, the most important thing that our criminals want to get is your credentials. Yes. And guess what? The easiest way to get credentials is through social engineering and phishing. That’s because it’s easy when we are busy. It’s easy for us when we’re not paying attention. Yes. You click on that email link and you get hacked. I think we talked over the break, like, geez, even us as security professionals, we get tricked sometimes. And when it happens, it really feels like it really breaches our trust, if you will. But it happens. And actually when it happens, it’s not just for consumers, it’s across the entire industry whether it’s healthcare, whether it’s government, critical infrastructures, financial industry. Yes. And the impact is devastating.
Lucy Hedges:
Yeah. I think there’s this misconception, isn’t there, that these kind of attacks happen to people that aren’t very clued up, they don’t work in tech, they don’t really know. But it can happen to anyone.
Joy Chick:
Anyone and to every one of us.
Lucy Hedges:
Hands up who’s been a victim of a phishing attack or have clicked on a nefarious link in the past. I know I have. I was busy, I was on the move and I clicked a link in WhatsApp and, you know, my phone got taken over. Exactly. It was really scary, a really scary time. You know, things are evolving so quickly at such an incredible pace. It really keeps us on our toes and especially you in your line of work. So how have social engineering attacks evolved over time and in what ways have they become increasingly sophisticated?
Joy Chick:
Yeah. And I want to say the sophistication is both volume, scope and also just the scale, if you will. And, you know, from Microsoft, you know, we see globally all the attack that happens across our cloud services. Just some data points. In 2021, we see about almost 600 passwords get attacked every single second. OK. And in 2022, that number has doubled to over a thousand. And guess what? In 2023, we haven’t finished yet. And the numbers has already quadrupled to 4,000 passwords attacked every single second. So it is really that exponential scale, if you will. And also at the same time, you know, our criminals are getting very well funded. And, you know, frankly, I would say that they’re innovating at the speed just like our cybersecurity professionals, if you will. So they get really well organized and many are backed by nation state and the multinational criminals, if you will. And some of the patterns what we see is, you know, you can say the old days or the easiest way is really just to send you an email, trick you to a website, and then you accidentally type your credentials and, you know, and you get hacked. And that still probably remain to be predominantly the primary attack vectors. So we tell all our users, our customers to turn on multi-factor authentication, which by itself, by the way, so multi-factor authentication is in addition to a password, you know, second factor, you know, SMS, you know, second factor authentication. By itself, it really reduces attack by 99.9%. Yes. However, the, you know, cyber criminals then continue to work around it. So some of the techniques is called, you know, MFA SIM jacking, because the majority of the MFA is through SMS. So what the attacker does is they get in between your, you know, telephony and your, you know, your phone. So they intercepted the SMS signals and then kind of reply that multi-factor authentication on your behalf. So that’s something they are escalating.
So then we said, hey, then we can talk about, you know, maybe doing phishing resistant MFA, if you will. But the reality is, you know, I think Lucy, you and I all get a lot of MFA prompts every day. Yes. Sometimes we just get fatigued and frankly confused. Yeah. So what happens, you might accidentally approve the one that is not being intended. And then there’s other methods. For example, like, you know, the criminals can do something called adversary in the middle phishing, which is they can fake a website that looks exactly like the real website and get you over there and then store your credentials through that method. And sometimes they can come across as from some kind of official authorities. And like, you know, hey, I come from officially some tech support. So you thought you are being helped, but instead you are being hijacked.
Lucy Hedges:
Yeah, it really is unbelievable just how sophisticated and complex these attacks are. And like you say, these kind of nefarious characters are moving at the same pace in which the industry is moving. And, you know, if these guys could only just apply this incredible knowledge to good, the world would be a much better place. But unfortunately, that’s not how it works. You’d be out of a job, that’s for sure. And I’m gladly to be, if that’s the case. Let’s talk about Gen AI, because, you know, this is a massive talking point at the moment for various reasons. So how are cyber criminals leveraging emerging technologies like Gen AI and machine learning to really enhance these phishing attacks and create more convincing and targeted phishing emails and websites like you just discussed?
Joy Chick:
So I would say, you know, in the past, we probably, for those of us a little bit more sophisticated, we say, hey, maybe you can detect phishing email forms, like, you know, an email is poorly written with grammar mistakes. Or kind of in a form, you know, it is, you know, sort of massively produced, you know, so like, I don’t need this, right? So you kind of can filter some of that. Or the address looks a bit dodgy. Or the address looks a bit dodgy and all that. But now with Gen AI, they can improve the quality of the email. So, A, it’s a lot more compelling email. And frankly, they can also tailor that email. A, they can tailor to be more coming from, like, your work, you know, from people you know from work. Because they can actually use some of the AI to learn what’s your context. Yes. You know, so through that. They can also tailor to your own personal needs. Like, Lucy, if you like, you know, shopping or sort of specific website, they might tailor as if it comes from that specific website that’s tailored to your needs. So they have more context about you. So from that perspective, you know, I think it makes it a lot harder to detect it’s a phishing email. And frankly, a lot easier to trick people. Yes. And at the same time, also, Gen AI helps, you know, to generate these phishing email campaigns much faster. Yes. And the fact that you can, you know, using kind of natural language. So even for the, you know, attackers, they actually have to write less code. They have to write less scripts. And they, you know, Gen AI help them to automate the phishing campaign for what it’s worth. So, yes. So I think that’s why we see the, you know, the attack patterns that has been exponentially escalating over the years.
Lucy Hedges:
Yes. It’s almost enough to make us incredibly paranoid, isn’t it? Absolutely. Yes. And I think the rule of thumb here is to really always assume breach. I think sometimes that can be detrimental. You know, something good might come in and you’re like, I don’t trust that. And you don’t click it or you don’t get involved in it. And that can be detrimental to the user. But unfortunately, the sophistication of which these attacks are coming, it means that we always have to have our guard up. Absolutely. Yes. So let’s talk Gen AI for good. You know, we talked about the evil side, you know, the nefarious side. How can Gen AI, no, would Gen AI also, how can Gen AI help defend and protect in the cybersecurity space?
Joy Chick:
Yeah. I would say both AI and now Gen AI, if you will. So, you know, one of the things that, you know, at Microsoft, we’re really thinking about protecting our customer is you have to think about an end-to-end approach. Because, you know, it starts with identities, user identity and credentials. But, like, you know, you’re using the iPad. The device that you are on, whether the iPad can be trusted or not or it’s being compromised or not, the network we are on, whether the network is secure or whether the network is compromised. And, frankly, the application you access, the data you are trying to really try to protect. So we are really looking at what we call the digital estate of end-to-end for our customers. So from that perspective, as we’re looking through all the, you know, trillions of signals in our cloud services, we can really apply AI machine learning to detect what are the anomalies and how to then real-time, if you will, to help to, you know, help our customer to detect any breach and to remediate it quickly. And then with the Gen AI, what it helps is really to help us to automate a lot of this process as well as helping security professionals so that rather than they have to use different security tools, rather they have to understand the logs, then they can use more human natural languages to understand, hey, if Lucy is being compromised, why Lucy is compromised? So by simply asking that question, rather than have to be the detective to go through all the tools and find out what’s happening. So I think Gen AI really democratize in terms of skill set, skill set that’s required to be a cybersecurity specialist.
Lucy Hedges:
Yeah, yeah. And this is, I think it’s fair to say, quite relatively new territory for a lot of businesses. You know, Microsoft is obviously incredibly well-versed when it comes to this. But do you think there’s maybe a bit of a apprehension or, you know, this lack of knowledge and education that prevents companies from really benefiting from this technology that ultimately is going to affect, benefit their customers and benefit them as a business?
Joy Chick:
Yeah, like, you know, go back to the phishing campaign, if you will. And we always, you know, talk about education is important. Yes. But guess what, Lucy, just, you know, just, you know, admit it. Do you share your credentials across your user accounts? Maybe. Some of them. Some of them.
Lucy Hedges:
But you know, my to-do list is always, you know, switch, you know, on the iPhone, for example, it’s constantly telling you when you’re using multiple passwords. And I know it’s there. Right. But I, you know.
Joy Chick:
But it’s not convenient, right? Exactly. How many passwords do you want to remember?
Lucy Hedges:
I’ll do it later. I’ll do it later.
Joy Chick:
So, you know, we talk about, hey, don’t reuse your, you know, password, don’t use your credentials for multiple accounts. You know, sometimes, like we still say, even to this day and age, we still put a little password on a sticky note on our, like, you know, iPads or computers. I can’t believe people still do that. That is crazy. Right. I don’t do that at least. Or share your credentials with your friends, you know, because of some services you want to use. So these are some of the basics. But the reality is, I would have called it, we don’t want to, you know, have the burden of protecting our users to be on the users. Right? Like, they can have the education, but that’s just not an excuse to say, hey, oh, you get hacked. It’s because you don’t know. Yeah. I think at the end of the day, we ask, why do we need passwords? Frankly, it is really, I mean, passwords is not a magic. It’s really about how to identify, like, Lucy, you as a unique person. And so we now look ahead to say, hey, what is a better way of doing that? So one of the things that’s industry standards is called a Fast Identity Online FIDO. It is an industry standard. It is a way to use leveraged biometrics because your biometrics is uniquely, you know, Lucy. And then in addition, something you have, like your iPad. So both something you are and something you have is a great way to identify Lucy as a unique person and as your credential. But in a way that is so user friendly because you do not have to remember password at all. So some of the examples are like, you know, Microsoft Windows Hello, if you will, the Authenticator app. And then now some of the newer inventions that we collaborate across Apple, Google, Microsoft and industry is about passkey support. So it is a phishing resistant passwordless method that can roam across trusted devices. And these are the things that we’re moving forward as an industry so that we can help our customers to users to be secure. 
And so they can, you know, prevent things like these, you know, credential theft.
Lucy Hedges:
Yeah. And it really is about time that this stuff becomes more mainstream, more talked about. I was saying to you earlier when we were having a chat about five or six years ago, I wrote an article for the Metro newspaper where I used to work, which was the password is dead. And, you know, I wrote this article, you know, we’re moving on from the password and years later, we’re still using passwords. And I want to say at least now we have more and more ways for us to accomplish that. But we still have a ways to go as an industry. Yeah, absolutely. And of course, not everyone is up to date with these latest mitigation techniques. So what I want to ask you, what role does education and awareness training such as, you know, digital literacy initiatives, what role do they play in preventing social engineering attacks?
Joy Chick:
These are the, you know, if I tell all customers, one thing they need to do is really turn on multi-factor authentication. Because even like we talk about, you may have still legacy, you know, applications. They still use passwords. Turn on MFA, multi-factor authentication itself. By itself, it reduces attack by 99.9% of the time. So I think that’s a great start. But I don’t think that that’s enough, right? So the next thing we really tell, I think that’s more about like, you know, the government and all our enterprise, the commercial customers, is really how do we apply techniques that we call the real-time conditional access risk-based access control. Basically, you know, we’re sitting here. I typically don’t travel this far. So suddenly, if I’m right now at this moment, I signed in into my work account. At least there’s a policy trying to validate, hey, is Joy really trying to access the work at this location at this time? What we call is an anomaly, if you will. And these are the things, if we can apply these in real-time based on user’s identity, based on where their location they’re trying to sign in, and based on what kind of applications and all these kind of we call the risk factors or condition factors, then we can really help to protect our customer. And you earlier talked about zero trust. Yes. You know, one of the key principles we always apply is always use zero trust, what we call assume breach. You always verify, and then you apply the least amount of privileges. You know, so you only get only the access you need with the amount of time you need for the resources you need, right? And you always assume breach so that you can detect when it happens and how can you quickly remediate. And also how can you reduce that blast radius or the impact, if you will. Yeah, yeah. Oh, and then I would say we talked a lot about human identities. But as we all know, as our customers move online, move to more and more cloud services, and guess what? 
There are more non-human identities than human identities combined. Wow. And so how do we think about protect what we call a workload identity? Just think about all the services, the microservices across the cloud. How do we protect them? It’s equally, if not more important. Yeah. And last thing I would just say is we still have too many identities. So how can we move to a system so that we have fewer identities using techniques like digital identities, that kind of decentralized verifiable credentials, so that we can have portable identities, so that we can make it secure and make it apply across all different applications?
Lucy Hedges:
Absolutely. That’s the way moving forward. Yeah, absolutely. Now, just to quickly wrap up, my final question. What advice do you have for organizations trying to stay secure, in addition to all the amazing things that you’ve said already on this stage? I’m sure there’s a lot of people in the audience that want to know.
Joy Chick:
Yeah, I would say, you know, AI, right? Do what I just said, and then really look into how AI can revolutionize for us in this industry. You know, AI, I think it can be scary. But at the same time, it can use to really help us to secure for all of us. And so I think, you know, keep that mind open. And I think we need to, you know, I would say security is a team sport. Yes. We have to do this together as an industry, as a society together.
Lucy Hedges:
Yeah. And what a brilliant sentiment to end this whistle-stop conversation on, Joy Chick. It has been an absolute pleasure. I did not doubt for a second that this conversation would be nothing but insightful and inspirational. And it’s brilliant to hear from someone like yourself, who is such an impressive force in the world of cybersecurity. So I want to thank you very much. Thank you so much. Let’s give it up for my amazing panelist, Joy. Thank you. Thank you.
Speakers
Joy Chick
Speech speed: 180 words per minute
Speech length: 2468 words
Speech time: 823 secs
Arguments
Phishing and social engineering attacks are the easiest way for criminals to get your credentials
Supporting facts:
- Phishing and social engineering attacks are common due to people’s busy schedule and lack of attention
- Such attacks are prevalent across various industries like healthcare, government, and financial sectors
Topics: Phishing, Social Engineering, Cybersecurity
Cyber attacks can happen to anyone
Topics: Cybersecurity, Tech, Cyber attacks
Social engineering attacks have evolved in terms of volume, scope, and scale, with attackers utilizing increasingly sophisticated strategies.
Supporting facts:
- There has been an exponential increase in password attacks, from about 600 per second in 2021 to a projected 4,000 per second in 2023.
- Cyber criminals are often well funded and may be backed by nation states or multinational entities.
- The traditional phishing approach is to trick users into entering their credentials on a fraudulent website.
- Implementing MFA can reduce attack risks by 99.9%.
- Newer tactics to bypass MFA include SIM jacking and creating fake websites to steal credentials.
Topics: Phishing Attacks, Cybersecurity, Multi-factor Authentication (MFA), SIM Jacking
Cyber criminals are leveraging emerging technologies like Gen AI and machine learning to enhance their phishing attacks
Supporting facts:
- Gen AI helps to improve the quality of phishing emails, making them more compelling and tailored to the receiver’s context and personal needs
- Gen AI allows cyber criminals to automate phishing campaigns faster with less coding and scripting required
Topics: Cybersecurity, Phishing attacks, Gen AI, Machine learning
AI and Gen AI can be used to protect customers by looking at an end-to-end approach, considering the digital estate for security.
Supporting facts:
- Microsoft uses AI and Gen AI in evaluating the security of user identities, devices, networks and data.
- They examine trillions of signals in their cloud services to detect anomalies and breaches.
- Gen AI helps automate much of this process and lowers the skill requirements for being a cybersecurity specialist.
Topics: Cybersecurity, Artificial Intelligence, Gen AI
Joy Chick identifies the inconvenience of remembering multiple passwords
Topics: Passwords, Convenience
People should not reuse their passwords and credentials for multiple accounts.
Topics: Cybersecurity, Password Management
The burden of users’ online protection shouldn’t only lie on the users’ shoulders.
Topics: Cybersecurity, User Protection
Biometrics and device-based authentication methods are increasingly being used to verify users’ identities.
Supporting facts:
- The industry standard for this is called Fast Identity Online (FIDO).
- This method uses biometrics and something the user possesses, like an iPad.
- Examples of this include Microsoft’s Windows Hello and the Authenticator app.
- Apple, Google, Microsoft, and others in the industry are collaborating on passkey support, which is a phishing-resistant passwordless method that can roam across trusted devices.
Topics: Biometrics, Passwordless Authentication, Cybersecurity
The importance of multi-factor authentication and real-time conditional access control in preventing social engineering attacks
Supporting facts:
- Turning on MFA reduces attacks by 99.9% of the time.
- Policy attempts to validate each sign-in based on the user’s identity and location.
- Applying these techniques in real time, based on the user’s identity and risk factors, can protect customers.
Topics: multi-factor authentication, social engineering attacks, conditional access, risk-based access control
The need to protect workload identities in the era of cloud services
Supporting facts:
- As customers increasingly move to cloud services, there are more non-human identities than human identities.
- Protecting them is equally, if not more, important.
- There are currently too many identities; the goal is to move to fewer identities using decentralized verifiable credentials.
Topics: workload identity, cloud services
AI can revolutionize the security industry
Supporting facts:
- AI can be used to help secure all of us.
- AI can be a necessary tool in the security industry
Topics: AI, Security
Report
The inconvenience of managing multiple passwords poses another challenge. Remembering different passwords for various accounts can be difficult and can lead to security risks. Password management solutions are necessary, and individuals should avoid reusing passwords and credentials across multiple accounts.
Responsibility for online protection should not solely rest on users. Collaboration among industries, authorities, and society as a whole is crucial for implementing effective cybersecurity measures. Biometrics and device-based authentication methods, such as Fast Identity Online (FIDO), are increasingly being adopted to securely verify users’ identities.
A zero-trust approach to identity verification and security is essential. This approach involves continuously verifying identities, granting minimal privileges, and assuming that breaches can occur, focusing on prompt detection and remediation. In the era of cloud services, protecting workload identities is crucial.
As more customers transition to the cloud, safeguarding non-human identities becomes increasingly important. Streamlining and decentralising verifiable credentials are necessary to ensure robust protection. AI has the potential to revolutionise the security industry by identifying anomalies, detecting breaches, and taking real-time action.
It simplifies the work of cybersecurity professionals by reducing reliance on multiple tools and logs. Overall, security is a collaborative effort that requires the active participation of various stakeholders. By staying informed, adopting robust security measures, and fostering cooperation among industry players and societies, we can effectively combat the growing threat of cyber attacks and safeguard our digital ecosystem.
Lucy Hedges
Speech speed
221 words per minute
Speech length
1203 words
Speech time
326 secs
Arguments
Social engineering and sophisticated phishing attacks are escalating threats to our digital society.
Supporting facts:
- These attacks involve skilled perpetrators exploiting human vulnerabilities and security gaps.
- Emerging technologies like Gen AI are accelerating the innovation curve when it comes to these attacks.
Topics: Social Engineering, Phishing Attacks, Cybersecurity
Understanding these attacks, which are getting more sophisticated, is key to defending against them.
Topics: Cybersecurity, Attack Defence
Cyber attacks can happen to anyone, irrespective of their technological knowledge or industry of work.
Supporting facts:
- Criminals aim for credentials, which are usually procured via phishing or social engineering.
- Even security professionals can get tricked
Topics: Cybersecurity, Phishing, Professionalism
Lucy Hedges has been a victim of a phishing attack
Supporting facts:
- She clicked a nefarious link while on the move and her phone got taken over
Topics: phishing attacks, cybersecurity
Lucy Hedges emphasizes the sophistication and complexity of phishing attacks
Supporting facts:
- Cyber criminals are moving at the same pace as the industry.
- These nefarious characters apply incredible knowledge to illicit activities.
Topics: Cybersecurity, Phishing attack, Online security
Lucy argues that the sophistication of phishing attacks means that users must always assume breach
Supporting facts:
- Phishing emails have become more sophisticated, tailored to the victim’s personal preferences and work context.
- Gen AI can help attackers generate phishing campaigns much faster and with less script writing.
Topics: Gen AI, Phishing Attacks, Cybersecurity
Lucy believes that Gen AI can be used for good, particularly for cybersecurity defense and protection.
Topics: Gen AI, Cybersecurity
Lucy Hedges believes businesses may have apprehension or lack of knowledge preventing them from benefiting from AI and Gen AI technologies
Supporting facts:
- Microsoft uses AI and Gen AI to help detect breaches, remediate them quickly, automate processes and assist security professionals; Microsoft’s Gen AI technology can also help democratize the skill set needed to be a cybersecurity specialist.
Topics: Artificial Intelligence, Cybersecurity, Technological Advancement
Lucy Hedges admits to using the same password for multiple online accounts
Supporting facts:
- Lucy admits that her iPhone frequently reminds her about reusing passwords.
- She acknowledges the importance of unique passwords but admits to sometimes disregarding the best practices
Topics: Cyber Security, Data Protection
The password is dead
Supporting facts:
- She wrote an article 5-6 years ago declaring that passwords are dead
- Believes that there should be more ways to secure accounts instead of relying on passwords
Topics: password security, cybersecurity
Report
Social engineering and sophisticated phishing attacks are emerging as increasingly concerning threats to our digital society. These attacks exploit human vulnerabilities and security gaps and are executed by highly skilled perpetrators. It is worth noting that emerging technologies, such as Gen AI, are accelerating the innovation curve in these attacks.
To effectively defend against these threats, it is crucial to have a deep understanding of how social engineering and phishing attacks work and how they are evolving. These attacks are becoming more sophisticated, necessitating individuals and organizations to stay informed and updated on the latest tactics employed by cybercriminals.
Without this knowledge, countering these threats becomes increasingly difficult. In this context, Lucy Hedges implicitly praises Joy Chick, highlighting her authority in the security landscape and her exceptional leadership role in managing Microsoft’s Identity and Network Security Solutions. With oversight of the largest user base in the world, encompassing both consumers and commercial entities, Joy Chick’s leadership underscores the importance of expertise in combating security threats.
Lucy Hedges emphasizes the evolution of social engineering attacks over time, noting their increased intricacy and sophistication. It is crucial to recognize that cyber attacks can happen to anyone, regardless of their technological knowledge or industry of work. This serves as a reminder that no one is immune to such threats and that everyone must take precautions to protect themselves and their data.
In conclusion, the escalating threats of social engineering and sophisticated phishing attacks present a significant risk to our digital society. The evolving nature of these attacks calls for continuous education, awareness, and the adoption of advanced security measures. Strong leadership, exemplified by Joy Chick, plays a pivotal role in navigating and mitigating these risks.
Cybersecurity is a collective effort that demands vigilance from individuals and organizations alike.
Moderator
Speech speed
77 words per minute
Speech length
27 words
Speech time
21 secs
Report
In a recent discussion on the topics of smoke and mirrors, social engineering, and sophisticated phishing, Joy Chick, the President of Identity and Network Access at Microsoft, and Lucy Hedges, a technology journalist and TV presenter, explored the intricacies of cyber attacks and the necessary steps to protect against them.
The discussion provided insights into the deceptive tactics employed by cyber criminals, including the use of smoke and mirrors to create illusions and misdirect attention. These tactics often result in successful social engineering attempts, where attackers manipulate individuals into revealing sensitive information or compromising security.
Both speakers stressed the critical importance of educating people about the various tactics employed in cyber attacks. By raising awareness and promoting digital literacy, individuals can become more vigilant and better equipped to identify and defend against deceptive strategies. Chick emphasised the need for organisations and individuals to invest in comprehensive cybersecurity training covering topics such as phishing awareness, safe browsing habits, and password hygiene.
Furthermore, the discussion highlighted the increasing sophistication of phishing techniques, noting that attackers are constantly evolving their methods to outsmart security measures. Traditional approaches to identifying phishing emails, like checking for spelling errors or suspicious links, are no longer sufficient.
Cyber criminals have become adept at crafting highly convincing and targeted emails that are nearly indistinguishable from genuine communications. This necessitates the implementation of advanced security measures that go beyond traditional email filters and firewalls. In conclusion, the discussion underscored that smoke and mirrors, social engineering, and sophisticated phishing are persistent threats that require continuous improvement in cybersecurity practices.
Education and awareness are key to mitigating these risks, and organisations should prioritize implementing robust security measures to counter the evolving tactics employed by cyber criminals. By staying informed and proactive, individuals and businesses can enhance their defenses and safeguard their sensitive information from falling into the wrong hands.