Disinformation is one of the world’s most debated topics. From Vote Leave’s now infamous Brexit bus; to Donald Trump’s hysterical “fake news” allegations; to Vladimir Putin’s warmongering rhetoric, disinformation – whether real or imagined – is an inescapable reality of the modern world.
But disinformation campaigns aren’t restricted to the political sphere – according to research from Weber Shandwick, 87% of executives say the spread of disinformation is one of the most significant reputational risks to businesses today.
Despite the internet’s irrefutable role in modern disinformation campaigns, we don’t typically see disinformation as a cybersecurity threat. This misconception could prevent security teams from effectively tackling such campaigns, with potentially disastrous consequences.
This article will outline what disinformation is, how it relates to social engineering and cybersecurity, and how security teams can fight back.
What is disinformation?
Not to be confused with misinformation, disinformation is the intentional dissemination of false information, often to further a political agenda. Misinformation, by contrast, is the unintentional dissemination of incorrect information. This article will focus on disinformation.
Russia has long been a master of disinformation, with some experts considering the modern term a loan translation of “dezinformatsiya”, derived from the title of a KGB black propaganda department. Ironically, the practice itself was subject to a disinformation campaign; one Soviet defector claimed Stalin coined the term in 1923, giving it a French-sounding name to suggest disinformation originated in the West.
Disinformation has been an enduring element of geopolitics since its inception. A recent example is “Russosphere”, a Russian disinformation campaign targeting African countries in an attempt to promote anti-Western, pro-Kremlin ideology.
What is social engineering?
The European Union Agency for Cybersecurity (ENISA) defines social engineering as “all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.” By this definition, it’s easy to see the link between social engineering and disinformation. The latter is a social engineering instrument.
There are three core elements of disinformation for social engineering purposes:
- Missing context: A communication can be intentionally deceptive or lack crucial details. This occurs most often on online platforms such as social media, where threat actors share images alongside captions irrelevant to their content.
- Deceptive editing: In this scenario, the threat actor manipulates visual media, such as photos, videos, or illustrations depicting real news stories or events. They distort reality by selectively altering essential components, crafting an alternate message.
- Malicious transformation: Among the three categories, this one is the most severe. Using artificial intelligence (AI), cybercriminals can manipulate videos to fabricate realistic yet counterfeit content, commonly called “deepfakes”. Adversaries employ these methods with specific intentions, such as orchestrating ransomware campaigns to amass financial profits or manipulating social consequences, including influencing election outcomes.
Disinformation, social engineering, and cybercrime
Cyberattacks that leverage disinformation and social engineering techniques are incredibly sophisticated and relatively new. The world is more anxious than ever, and cybercriminals have no qualms about capitalizing on this fact. Hence, the rise of malvertising.
Malvertising, or malicious advertising, involves cybercriminals injecting malicious code into digital adverts or articles. These adverts and articles spread disinformation, luring victims into clicking on an article that plays on their fears or prejudices, then deploying malware onto their devices.
As public awareness of phishing increases, difficult-to-detect malvertising campaigns have become a popular malware deployment technique. The sheer volume of daily digital content makes it incredibly difficult to distinguish between legitimate and illegitimate content.
Mitigating the threat of disinformation and social engineering relies heavily on cybersecurity awareness training. Organizations must train and re-train their employees on detecting potential disinformation and social engineering attacks, stressing the following best practices:
- Trust nothing: Employees must treat every email, text, article, or advert as a potential threat. This approach will ensure that no attacks succeed through complacency.
- Carry out due diligence: Employees must question whether the content they are about to click on comes from a legitimate source. Fake domains or email addresses with spelling errors are a sure-fire indicator of a scam.
- Go straight to the source: Employees should never mindlessly click links or open attachments. To avoid a phishing scam, users should contact the alleged sender directly or type in URLs manually.
- Question urgency or emotion: Communications that urge users to click “now” or suffer consequences are more likely than not a social engineering scam. Similarly, employees should avoid content attempting to fearmonger or play on prejudices at all costs.
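An added example, not part of the original article: the "due diligence" and "question urgency" checks above expressed as a mail-triage helper a security team could run in front of the inbox. The trusted-domain list, phrase list, distance threshold and sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumptions: the organization's real domains, a few pressure phrases, a distance cut-off.
TRUSTED_DOMAINS = ("example.com", "example-bank.com")
URGENCY = re.compile(r"\b(immediately|right now|final notice|account suspended)\b", re.I)
MAX_DISTANCE = 2
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain):  # fold common character swaps (1 for l, rn for m)
    return domain.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender):
    """Return the trusted domain the sender's domain imitates, or None."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalize(domain), normalize(trusted)) <= MAX_DISTANCE:
            return trusted
    return None

def triage(sender, subject, body):
    """List the reasons a message deserves a second look (empty if none)."""
    reasons = []
    imitated = lookalike_of(sender)
    if imitated:
        reasons.append(f"sender domain resembles {imitated}")
    if URGENCY.search(f"{subject} {body}"):
        reasons.append("urgent or threatening wording")
    return reasons

# Constructed sample messages, not real mail.
SAMPLES = [
    ("IT Support <helpdesk@examp1e.com>", "Final notice", "Reset your password immediately."),
    ("Alice <alice@example.com>", "Lunch", "Are you free on Thursday?"),
    ("News <alerts@exarnple.com>", "Weekly digest", "Here are this week's headlines."),
]
for message in SAMPLES:
    print(message[0], "->", triage(*message) or "no flags")
```

A distance cut-off of 2 catches transposed letters such as `exmaple.com` but will also flag unrelated short domains, so tune it against your own trusted list.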
Social engineering and disinformation techniques have the potential to turn your employees into unwitting insider threats. Insider threat management tools will detect any suspicious activity and prevent employees from inadvertently leaking any of their organization’s data.
To conclude, disinformation plays an oft-overlooked role in social engineering and cybercrime. Organizations must understand what disinformation is and what it looks like to protect themselves from social engineering attacks effectively.
Addressing the threat of disinformation requires a collective effort from individuals, organizations, and governments. By staying vigilant, fostering critical thinking, and promoting digital literacy, we can work towards a more informed and resilient society in the face of disinformation and its associated cybersecurity risks.