We spoke to Crystal Morin about the rise of sophisticated fraud campaigns and how employees and organisations can stay safe.
Back in the day it seemed as though fraudulent emails, texts and advertisements were far more obvious, typically because of a nonsensical story, bad grammar or a clearly suspicious prompt. But nowadays, largely due to more advanced technologies, scams are harder to spot.
According to Crystal Morin, cybersecurity strategist at Sysdig, opportunities for cyber professionals are huge. However, this can be a double-edged sword, as the same demand also gives threat actors ample opportunity to expose and exploit weaknesses.
“Even with the abundance of openings, I still hear about the struggles of the job search within my security circles,” said Morin. “Targeted and well-phrased job postings and recruiting efforts can be enticing to new graduates and seasoned professionals alike these days. Throw in a malicious link to apply to the position or sign up for an interview via Calendly or Zoom and the criminal has already won. It’s that easy.”
Trust is earned
When it comes to identifying risk, addressing challenges and avoiding further harm, Morin noted organisations and their employees should always strive to “trust but verify”. Not only do job applicants have to ensure that the job they are applying for is legitimate, but professionals involved in the hiring and onboarding phases have an obligation to confirm they are engaging with real people.
“I know if I were on the receiving end of someone assuming I was an AI-generated person, it would sting a little, but the reality is that organisations truly need to verify everything about a candidate. For the longest time, folks tasked with hiring have focused on the alignment of a resume with necessary qualifications and job history verification.
“Of course, there are standard background checks, but in some cases those are no longer enough. With falsified or AI-generated documentation and images, nefarious candidates, like the multiple instances of North Korean threat actors posing as IT workers, can complete the entire hiring process.”
To verify the authenticity of a candidate, she advises companies and their employees to look for the obvious, unnatural and non-human flaws that are sometimes present in AI-generated videos. For example, if you are in a video call, giveaways include unnatural facial and body movements, as well as inconsistent speech patterns.
“Ask the candidate to turn their head to one side or hold up a certain number of fingers and watch the movements closely. For images, you can use Google’s Reverse Image Search or AI detection tools. These tools may tell you if an image was AI-generated or used elsewhere, under other aliases.”
Fear, uncertainty and doubt
The constant need to stay on top of, and even ahead of, cybersecurity education can be overwhelming. For Morin, it often leads to information overload for the employee, who may be exposed to too much at once.
“These increasingly important and mandatory training programmes consume a small portion of what may be several hours or days of training. With information overload, cybersecurity awareness often goes in one ear and out the other.
“However, organisations are attempting to make up for this failure with awareness campaigns. Cybersecurity risks, breaches and identity protection best practices have become a hot topic in the morning news, bank newsletters and on social media. The effectiveness of these awareness campaigns, though, is still up for debate.”
In her view, the fault usually lies with both the user and their organisation: training may be subpar or unmemorable, and many people do not realise just how advanced and sophisticated modern-day threats have become.
This in turn can lead to FUD, or fear, uncertainty and doubt, a disinformation strategy often used to negatively influence decisions in the security space, in order to push a product or damage a rival company.
“I work in the cybersecurity industry and previously worked in intelligence and I question everything even remotely suspicious by nature. I often don’t read the marketing emails from my bank and I imagine many others are the same.
“Friends and family often come to me with questions about identity breach headlines in the news, curious about whether or not they’re true, if it impacts them and what they should do in response. To me, this says the employee training and awareness campaigns have yet to overcome the FUD.”
Morin describes cybersecurity as a team sport with an offence and a defence. To win, we all need to work together.
“The only way to combat global threats is through strategic partnerships. This includes open information sharing across public and private entities, joint initiatives and a willingness to collaborate and support one another in drills and investigations.”
Her parting advice? Don’t deprioritise cybersecurity protocols and certainly don’t believe everything you see or read on the internet.
“With deprioritised cybersecurity, social engineering campaigns would probably be even more successful than they already are and malicious links would run rampant across the internet. Organisational deprioritisation would potentially lead to infrastructure breaches and failures as well, resulting in the worst-case scenarios that are only in the movies.”