Dangerous liaisons in cybersecurity: Attackers improve their phishing methods

Roman Cuprik

The latest ESET APT Activity Report shows improved phishing techniques that threat actors currently utilize, highlighting the need for high-quality cybersecurity awareness training.

A general recommendation about phishing attacks is not to click on anything that looks suspicious. That’s easy to follow when employees receive an email full of grammatical errors and typos from an unknown source.

However, adversaries have been improving their tactics and experimenting with new ways to make their potential victims fall for phishing — tactics that may not be so easy to spot. And it’s not only about using AI to create grammatically correct or more convincing emails. Recently, ESET researchers noticed a new trend among North Korea-aligned groups trying to build relationships with their targets before sending them malicious content.

Statistically speaking, since human error is involved in most data breaches, it is logical that threat actors don’t hesitate to leverage this major attack vector. To address this, ESET created ESET Cybersecurity Awareness Training, a story-driven course available in English, French, Spanish, and Chinese that informs employees about current cyber threats and helps businesses with compliance and insurance requirements.

A costly mistake

Verizon’s 2024 Data Breach Investigations Report shows that 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.

Most of those attacks started with phishing (tricking a user into giving up sensitive information or downloading malicious content) and pretexting (the use of a fabricated story, or pretext, to gain a victim’s trust) via email, together accounting for 73% of breaches.

In 2024, the number of detected breaches involving pretexting surpassed the number of breaches involving traditional phishing attacks, according to Verizon’s data. This could be one indicator that threat actors feel the need to use more sophisticated techniques against their targets, according to the report.

Breaches involving a human element are not only prevalent but also costly, according to IBM’s Cost of a Data Breach Report 2024 conducted by Ponemon Institute. Ponemon’s researchers looked at 604 organizations in 16 countries and regions, finding that an average business loss due to phishing has now reached USD4.88 million per breach. This makes phishing attacks the second costliest type of attack, right after impacts from malicious insiders, which account for an average of USD4.99 million.

I have a proposal for you

Recent ESET findings confirm this trend of threat actors utilizing improved social engineering techniques.

In Q2 2024–Q3 2024, ESET researchers saw the North Korea-aligned activity cluster Deceptive Development and North Korea-aligned group Kimsuky enhancing their phishing attacks with pretexting methods. For example, both tried to use fake job offers to approach the targeted individuals, and only after the victim responded and a relationship was established did threat actors send a malicious package to the victim.

Another group, Lazarus, distributed fake job offers for desirable positions at large companies like Airbus or BAE Systems and delivered trojanized PDF viewers along with decoy PDF documents. This group also impersonated recruiters on professional networks and work platforms, distributing trojanized codebases under the guise of job assignments and hiring challenges with the aim of cryptocurrency theft.

Kimsuky targeted North Korea experts working for NGOs and researchers in academic circles with fake requests to grant a media interview or give a presentation. They tried to establish a relationship with good old-fashioned flattery, sending amiable emails that praised the target’s expertise and asked for help. Once the attackers had gained the trust of their victim, Kimsuky delivered a malicious package, usually disguised as a list of questions to be answered before the event.

The BlackBasta ransomware gang also adopted this relationship-oriented method when targeting businesses, according to a recent discovery by the ReliaQuest threat research team.

First, they flood employees with mass email spam, provoking them to open a legitimate help-desk ticket to resolve the issue. Then, attackers posing as IT support or help-desk staff contact the employees via Microsoft Teams chat and send them a malicious QR code, likely leading to the download of a remote monitoring and management (RMM) tool that BlackBasta can abuse for remote access. Because these chats originate from outside the organization’s own tenant, treating unsolicited external Teams messages from “help desk” accounts as suspicious, and restricting external Teams access where possible, removes the channel the attackers rely on.
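The two-stage pattern above (an email bomb, then an external Teams chat from a “help desk” impersonator) is correlatable in logs. The following Python script is an added example written for this article, not ESET or ReliaQuest code; the log record layout, the burst threshold of 50 mails in 30 minutes, the two-hour follow-up window, and the sample events are all constructed assumptions. It flags a user only when an external Teams sender with a support-sounding display name messages them shortly after their mailbox was flooded.

```python
"""Correlate an inbound email-bombing burst with a follow-up Teams
"help desk" chat from an external sender.

Added example; record layout, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BOMB_THRESHOLD = 50                    # inbound mails to one recipient...
BOMB_WINDOW = timedelta(minutes=30)    # ...inside this sliding window
FOLLOWUP_WINDOW = timedelta(hours=2)   # Teams contact must follow the burst
SUSPICIOUS_NAMES = ("help desk", "helpdesk", "it support", "service desk")


def find_email_bombs(mail_events):
    """Return {recipient: burst_start} for every recipient who received at
    least BOMB_THRESHOLD inbound mails within any BOMB_WINDOW period."""
    by_rcpt = defaultdict(list)
    for e in mail_events:
        by_rcpt[e["recipient"]].append(datetime.fromisoformat(e["ts"]))
    bombs = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits BOMB_WINDOW.
            while t - times[start] > BOMB_WINDOW:
                start += 1
            if end - start + 1 >= BOMB_THRESHOLD:
                bombs[rcpt] = times[start]
                break
    return bombs


def find_followup_chats(teams_events, bombs):
    """Flag external Teams chats from support-sounding display names that
    reach a bombed user inside FOLLOWUP_WINDOW after the burst began."""
    alerts = []
    for e in teams_events:
        if not e.get("external"):
            continue  # a genuine help desk lives inside the tenant
        name = e["sender_display_name"].lower()
        if not any(k in name for k in SUSPICIOUS_NAMES):
            continue
        burst_start = bombs.get(e["recipient"])
        if burst_start is None:
            continue
        t = datetime.fromisoformat(e["ts"])
        if burst_start <= t <= burst_start + FOLLOWUP_WINDOW:
            alerts.append({
                "user": e["recipient"],
                "teams_sender": e["sender_display_name"],
                "burst_start": burst_start.isoformat(),
                "chat_ts": e["ts"],
            })
    return alerts


def detect(mail_events, teams_events):
    return find_followup_chats(teams_events, find_email_bombs(mail_events))


def build_sample():
    """Constructed logs: alice is bombed with 60 mails in 20 minutes,
    bob gets 3 normal mails; three Teams chats test each branch."""
    base = datetime(2024, 10, 1, 9, 0)
    mail = [{"ts": (base + timedelta(seconds=20 * i)).isoformat(),
             "recipient": "alice@example.com",
             "sender": f"newsletter{i}@example.net"} for i in range(60)]
    mail += [{"ts": (base + timedelta(minutes=10 * i)).isoformat(),
              "recipient": "bob@example.com",
              "sender": "colleague@example.com"} for i in range(3)]
    teams = [
        # external impersonator, 45 minutes after the burst -> alert
        {"ts": (base + timedelta(minutes=45)).isoformat(),
         "recipient": "alice@example.com",
         "sender_display_name": "Help Desk", "external": True},
        # external impersonator, but bob was never bombed -> no alert
        {"ts": (base + timedelta(minutes=60)).isoformat(),
         "recipient": "bob@example.com",
         "sender_display_name": "IT Support", "external": True},
        # internal help desk responding to a real ticket -> no alert
        {"ts": (base + timedelta(minutes=50)).isoformat(),
         "recipient": "alice@example.com",
         "sender_display_name": "Help Desk", "external": False},
    ]
    return mail, teams


def run_demo():
    mail, teams = build_sample()
    return detect(mail, teams)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The burst detector is a sliding window over each recipient’s sorted timestamps, so it runs in linear time per mailbox and does not depend on the mails arriving in order. Tune the thresholds to your own mail volume before deploying; the point of the correlation is that neither signal alone is conclusive, but the sequence is.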

How to avoid a toxic relationship

Seeing the above-mentioned cases, it is clear that employees are a critical component of any business’s security and need to be looked after accordingly. In general, cybersecurity awareness training not only helps businesses deflect user-oriented cyberattacks and fulfill compliance and insurance requirements, but also reduces losses in case of a successful breach by around 5.2%.

ESET acknowledges this threat vector with the global launch of ESET Cybersecurity Awareness Training, which complements ESET PROTECT, a multilayered AI-powered solution for businesses.

Both employee training and multilayered security are integral parts of what ESET calls a prevention-first approach, designed to stop cyber threats outright or mitigate them with no or only minimal disruption to business operations. It is a comprehensive strategy of shrinking the attack surface while reducing the complexity of cyber defense.

ESET Cybersecurity Awareness Training aims at both of these goals. First, it helps employees recognize standard and novel cybersecurity threats that abuse human factors. Second, it is easy to deploy and operate thanks to deep integration options with various systems, a customizable training portal, and an easy-to-use dashboard, so businesses don’t need to spend more precious IT staff time on it than necessary.

Let’s make it interesting!

ESET Cybersecurity Awareness Training offers an engaging, story-driven experience that helps employees understand which common bad user habits can endanger the whole company. It also explains how threat actors think; for example, how they search potential victims’ social network profiles to guess their passwords or impersonate them.

The training is based on three decades of ESET expertise in this area and is designed to change employee behavior, rather than merely to check a box for compliance or cyber insurance.

To keep employees vigilant in the long term, ESET Cybersecurity Awareness Training comes with phishing test simulations that businesses can run an unlimited number of times.

Benefits of Premium Cybersecurity Awareness Training

  • Comprehensive online cybersecurity awareness training courses
  • Multiple course options, ranging from a full 90-minute training to short courses of 5 to 15 minutes
  • Best practices for remote employees
  • Gamification that engages and changes behavior
  • Helps meet HIPAA, PCI, SOX, GDPR, CCPA compliance requirements
  • Helps meet cyber insurance requirements
  • Certification & LinkedIn badge
  • Unlimited phishing test simulations to test employees
  • Admin console allowing users to manage customizable groups of employees, track learners’ status, and run phishing simulation campaigns
  • School platform where employees can take their enrolled training
  • Automatic email reminders to learners
  • Deep integration with various popular third-party cloud-based services

Fruitful relationship with ESET

Even the best and most expensive cybersecurity solution in the world can be powerless against one fooled employee who shares their password or downloads a malicious file.

Help your employees navigate the maze of evolving cyber threats and improve your defenses with ESET Cybersecurity Awareness Training.