Following years of pandemic-induced economic pressure, economies across the Middle East are eyeing a welcome return to normal. The region’s retail sector is also powering ahead: the UAE’s e-commerce market alone is expected to reach $8bn by 2025, with the retail mobile-commerce market projected to grow at 19 per cent CAGR.
McKinsey data found that the number of people in the UAE and Saudi Arabia shopping online on a weekly basis has doubled in two years. This has not escaped the notice of cybercriminals. In fact, in the coming weeks and months, attacks are projected to grow. According to Mimecast’s State of Ransomware Readiness 2 report, 59 per cent of cybersecurity leaders in the UAE say the high volume of cyberattacks has remained constant or even increased over the past year.
Meanwhile, according to the State of Email Security 2022 survey, 90 per cent of Saudi organisations have fallen victim to email-related phishing attempts in the last 12 months.
Cybercriminals refine, enhance attack methods
The increase in cyberthreats is in part being driven by greater digitisation of various aspects of our personal and professional lives, creating valuable sources of information for threat actors as well as potential areas of weakness to exploit.
When the first lockdowns were implemented in early 2020, many office workers were forced to work remotely, a situation that has continued despite lockdown restrictions lifting. While this has undeniable benefits for workers, it has created a security nightmare for many organisations.
With employees working outside the confines of corporate security structures and often under immense pressure, cybercriminals have capitalised by aggressively exploiting the vulnerabilities that come with remote work.
Cybercriminals are becoming increasingly adept at social engineering at scale. To illustrate, instead of targeting a person with a phishing attack, they seek to understand what their target’s persona represents – for example, a young male who enjoys outdoor sports and activities – and then purchase a mailing list with those interests. This allows them to craft more attractive phishing mails that have a far higher chance of success.
The amount of publicly available personal information on social media is also giving threat actors valuable data to use in crafting their attacks. An attacker could type the name of a potential target into Google, which may bring up their Facebook profile and, in the case of outdoor enthusiasts, their Strava profile. From this they can see the types of activities the target engages in, where they train, how often, and more.
From here it’s a simple matter of constructing a mailer with the right offer. For example, if the target is an avid cyclist, the attacker could develop a mailer that offers a substantial discount on a bike of the same brand that the person has put on their Facebook profile. This can increase the hit rate of their attacks from around 2 per cent (for untargeted attacks) to as much as 20 per cent.
In another example, a cybercriminal could infiltrate the mail server of a private school and send parents personalised emails asking for a meeting regarding their child. In a twist, the cybercriminal may attach a malicious file and tell parents that it relates to the discussion they’d like to have about their child’s performance at the school.
Such an attack would likely seem so legitimate and convincing that most parents would open the attachment without a second’s hesitation. This may leave them exposed to further infiltration and potential financial losses as the cybercriminal uses their new-found access to infiltrate the victim’s banking profiles.
Knowledge, awareness the greatest weapon against cyberattacks
In light of such high levels of danger, what can be done to safeguard Middle Eastern organisations and citizens from cybercrime?
The first step is to build greater cyber resilience at a national, provincial and local level by investing in appropriate cybersecurity and continuity solutions. A multi-layered cyber resilience strategy that protects people from cyber threats is vital in the fight against cybercrime.
Secondly, it is critical that information about likely attack methods and cyber risks reach every citizen. Everyone needs to join forces, from big business to government departments and even celebrities, to help raise the general level of cyber awareness among the broader population.
Businesses could contribute by sponsoring programmes and internships for cybercrime skills development, which has the dual benefit of improving the region’s defences against cyberattacks as well as improving the region’s global competitiveness at a time when the global cyber skills shortage is intensifying.
Universities can host regular guest lectures and information sessions by cybersecurity specialists to teach students about cyber safety and prepare them for the risks they’ll face.
Organisations in the private and public sectors should continuously train employees to become more cyber aware. Government departments can apply some of the learnings from the pandemic and roll out ongoing national cyber awareness campaigns that teach citizens about basic cyber safety.
Finally, a culture of community defence should be established that encourages victims of cybercrime to report cyberattacks. This can drive greater awareness of emerging cyber risks while also giving authorities valuable information about new attack methods that may aid their quest to bring perpetrators of cybercrime to justice.
How to spot a (likely) scam
Report threats (always) – If you do receive an email that is obviously a phishing attempt, don’t just ignore or delete it. Report it to your security team and, if it warrants it, to the authorities. When email threats go unreported it raises the risk level for everyone else. Conversely, the more we share emerging email threats, the easier it is for everyone to become aware of the threat and take action to avoid any risks.
During sales, check discounts – If you receive an email offer for 70 per cent off a must-have item, proceed with caution. Such a significant discount is likely to feature prominently on the seller’s website, so check there first to see if the offer is legitimate. If you can’t see a 70 per cent off offer on a bike, it’s likely the mail you received is a scam.
Phone to verify – No company or bank will laugh at you if you phone to confirm details before making a purchase or payment. If you’re unsure whether the payment you’re making is to a legitimate business, give them a ring to confirm the amount, the bank details, and any other details before you make payment.
Pay attention (especially at home) – Most businesses now have some form of cybersecurity in place. This means employees may not be receiving potentially dangerous emails, as the company’s cybersecurity products filter those out. But this can create a false sense of security: when employees are at home, they may see more such emails land in their inbox, increasing the chances of them clicking on an unsafe link or opening a malicious attachment.
Duane Nicol is the senior product manager for Awareness Training at Mimecast