As long as we store our information electronically, do our banking, talk to our loved ones and shop online, malicious actors will try to access or steal our data (and money).
Given we won’t be reverting to hard copy storage any time soon, it’s important to be aware of the risks and put in place defences that won’t impact your operations.
One of the main ways an attacker gains access to an organisation’s systems is through phishing – and that doesn’t only mean links to fake banking websites in order to gain access to your personal information.
A criminal with the goal of hacking a corporate system will initially research an organisation’s employees and all the information available online about them – usually with those handy repositories of information, Facebook, LinkedIn, Twitter and Instagram – this process is called Open Source Intelligence (OSINT).
From there, they can develop convincing emails that trick their targets into clicking a link or visiting a website, infecting their system with malware.
In any corporate environment, regardless of the technical protection in place, the end-user is the last line of defence, making it vital to educate the workforce on identifying threats.
Did you know?
What is phishing?
Phishing is a form of social engineering/scam that is used to obtain sensitive data, such as personally identifiable information, banking and credit card details, and passwords.
Targets can be contacted via email, telephone (vishing) or text message (SMiShing) by someone posing as a legitimate institution. The information is then used to access company networks and important accounts, and can result in identity theft and financial loss.
It is important to note that, while email, telephone and SMS are the most common forms of contact, cyber criminals are always looking for new ways to reach their targets.
Social media or instant messaging applications, such as WhatsApp, provide ideal openings for phishing attacks, since they are frequently used by people on the move who may not be paying close enough attention to the content.
More than a third of these social media phishing attacks are being directed through pirated video downloads and streaming content, which tempt viewers with popular or pre-released movies or music, shock news or fake competitions.
It may look like a fun quiz on Facebook, or a potentially useful accounting app, but it’s possible to build in hidden malware to even the simplest and most straightforward-looking content.
Even legitimate apps contain clauses in their terms and conditions which entitle them to acquire (and potentially share) your sensitive personal data, so think twice before clicking on any unknown link – and then think twice more.
What are the types of phishing attack?
There are many forms of phishing attack, but they all rely on humans to be part of the process.
Mass phishing/spam: This is the most basic form and you have likely received many of these emails. The attacker obtains a list of email addresses—perhaps from a dark web marketplace—and sends the same email to all recipients. This is what we would typically call a spam email; it’s indiscriminate, not personalised and the attacker hopes to hook some of the recipients, but won’t expect to have a high number of people falling for the attack. Hackers also often use text messages (SMiShing) and phone calls (vishing) as a vehicle for their scams.
Spear phishing: When the attacker uses information they have gathered about you from OSINT to craft a more personal email, this is called ‘spear phishing’. The email will typically include your first name and information on topics which you are known to be interested in. For example, if you’ve frequently posted on social media about a particular sports team or band, the email may include an exclusive offer to fans of that team or band; you are more likely to take an action if the topics are about something you are interested in.
Whaling: When the attackers are looking at the ‘big fish’ in an organisation (such as the senior management team), this is called ‘whaling’. It’s no different from spear phishing, but more time and effort may be spent to ensure the email contains information the recipient is likely to click on.
Why can phishing attacks be harmful to business?
While many of us are getting better at spotting a spam email, attackers are constantly changing their approach in order to achieve their goals – most often to gain access to an organisation’s networks.
When it comes to business, spear phishing and whaling are refinements hackers have developed to obtain specific data from particular targets, generally the high-ranking officers of an organisation.
Long-term planning and research into this individual’s online behaviour will provide cyber criminals with enough information to construct a convincing and credible trap, with the end result being that sensitive data or financial resources may ultimately be transferred.
Whaling is even more sophisticated and dangerous. Cyber criminals target the whales in an organisation, such as a Chair or CEO, who have the authority to access critical business data – and impersonate them in order to issue realistic business requests.
These may include not only financial transfers but the release of sensitive employee information on a company-wide scale, including National Insurance or social security numbers and tax information.
What are some tactics criminals use?
Despite education, phishing is expected to continue to increase in 2019. In 2018 alone, it went from 75% up to 83%. That’s why it’s important to take note of phishing trends to ensure you’re aware of current and potential future attacks.
It’s the job of PGI’s cyber experts to stay on top of the ever-changing cyber security landscape to keep our clients secure. Here are some of the key trends our experts have identified:
Mobile ransomware: Because mobile devices are central to our everyday lives, mobile ransomware will increase. In particular, personal photographs are at the forefront of our valued data. These are often taken, stored and viewed on a phone, with offline backups or printouts being very rarely produced. As an emotional capture of a transient moment, photographs are irreplaceable, causing individuals to seriously consider paying for their return. This, coupled with a fragmented ecosystem of handsets with a huge ‘long tail’ of unpatched devices leaves open a wide, target-rich environment for attackers to exploit.
Credential compromise: Credential compromise increased by more than 70% since 2017, leapfrogging malware infections to become the most commonly experienced impact in 2018. This is of particular concern given that multiple services often sit behind a single password. In addition, reports of data loss have more than tripled since 2016. We believe the significant increases across all three categories since 2016 not only speak to the growing phishing threat, but also to organisations’ heightened awareness of—and attention to—the effect these attacks have on businesses.
Email and phone number spoofing: Because spoofing an email address or phone number is relatively easy to carry out, it will continue until organisations work out how best to defend against these techniques. In both cases, the attacker emails or phones the target and the email address or phone number displayed differs from their real details (for example, the mail may look like it comes from an internal address, or the phone number may be a trusted number).
Mandate/CFO fraud: This is a whaling attack, where an email purporting to come from a member of the Board will be sent to, for example, the CFO or FD of the organisation. It will typically require an immediate payment to a new account, and the sender will be ‘unavailable’ because they’re in a meeting, on a flight or absent for some other reason. It may be followed up with a (vishing) call or SMiShing text message confirming the urgency with which payment is required. A variation of this, known as Business Email Compromise or ‘BEC’, is when an attacker is able to hack into a company’s email system, often via webmail, and use the victim’s account to send the emails instructing a payment. This is often facilitated by weak passwords used by senior executives. The attacker logs into the victim’s email system, intercepts any messages confirming that the payment has been made and deletes them. This tactic is typically used to slow down the investigation while the criminal launders the money.
Why does phishing work so well?
More than 90% of cyber-attacks are initiated by phishing emails, with open rates up to six times that of a typical marketing email.
Some of the most common tactics include approaches purporting to be from a reputable body such as a bank or government office, claiming that a transaction is being denied or held up due to incomplete information, or from a tax authority offering a refund or audit.
Equally dangerous are emails purporting to be from an individual’s own bank or business, or online marketplaces claiming that billing or shipping addresses are incorrect, credit cards expired or that registration with the company is out of date.
All these emails provide a ‘spoof URL’ link where victims are asked to resubmit critical information, often as part of ‘routine security’.
Phishing emails can tantalise with promises of prizes or legacies, or scare with threats of a virus or security breach. They may also come from known contacts’ addresses with a spoof link, maybe asking for help or claiming acquaintance with a genuine friend.
These, and many more approaches, are being used successfully by hackers worldwide, with spear phishing and BEC on the rise.
The World Economic Forum report of 2018 suggests that cyber-attacks are ranked as the top risk to business in North America and the fifth in Europe.
With services on offer like ‘attacks-as-a-service’, ‘ransomware-as-a-service’ and ‘phishing-as-a-service’, these people are professionals, and everyone must be vigilant.
What does a phishing email look like?
It’s important to remember that the attackers typically have a good understanding of human psychology and will use this against their targets.
Generally, we are keen to help others, don’t want to disappoint or say no, and will respond promptly if something is ‘urgent’.
We’ve listed some examples below of the sort of things to look out for in phishing emails, but bear in mind that these are not exhaustive:
Sounds too good to be true. Don’t remember entering a competition to win a holiday? You probably didn’t. Attackers use eye-catching statements to attract their target’s attention.
Time limits. Attackers often use ‘fear of missing out’ and threats of losing access to convince their targets to click links they shouldn’t. Is a deal for a limited time only, even a matter of minutes? Will your account be closed if you don’t click a link within hours? It’s important to remember that trustworthy organisations will have processes in place to ensure their members have plenty of time to complete tasks.
Requires a click. What the hyperlink looks like and what it actually links to are often very different in a phishing email. While the link looks like it will take you to your bank, if you hover over it you may notice a completely different URL or a very similar one with a spelling ‘mistake’, e.g. www.lIoydsbank.com – the second ‘L’ is an uppercase ‘I’. Many organisations are moving away from including links to follow within their communications. It’s always recommended you don’t click links in emails, but go directly to the website.
Includes an unexpected attachment. Attackers will often attach documents that sound important, e.g. an invoice for immediate payment. Unexpected attachments, those with file names that don’t make sense, and files from unknown senders should never be opened as they often contain ransomware or other viruses.
Sender is unknown. Even if the email looks like it’s from an organisation or person you know, if you’re suspicious of the subject, the way the name is written or the content, it’s best practice not to click on it.
Bad spelling/grammar. While emails full of grammatical or spelling errors are becoming increasingly rare, they are often a sign that the email is not from the organisation it claims to be from. It may also be that the language used is odd, e.g. including too many colloquialisms or too formal.
Generic greeting. Emails that start with ‘Dear %first_name%’, or similar, may indicate that they are fake. If an organisation can’t get your name right, or hasn’t tested to remove this sort of error, then it’s possible that the email is not legitimate.
Requires sensitive information. Banks and other institutions will never ask for your account information, particularly not by email. You should immediately delete any email that asks for this information.
Account verification. If you receive a request for account verification out of the blue, it’s vital to check for signs of phishing because it’s very likely it’s a scam.
Threats. Receiving an email about a legal issue will certainly speed up your response time – essentially, people who are frightened that they have done something wrong will be more likely to click on a link or open an attachment.
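The ‘Requires a click’ indicator above can also be checked mechanically by a mail filter or reporting tool. The following is an added example, not code from the original article or from PGI: it parses an HTML email body and flags links whose real target is a look-alike of a trusted domain or differs from the domain shown in the link text. The allowlist, the fold table and the sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"lloydsbank.com"}  # assumption: constructed allowlist of genuine domains
FOLD = str.maketrans("i1|0", "lllo")  # characters that look alike in many fonts

def host_of(value):
    """Host of a URL or bare domain ('' if none), lowercased, without 'www.'."""
    try:
        host = urlparse(("" if "://" in value else "//") + value.strip()).hostname or ""
    except ValueError:  # e.g. link text containing '['
        return ""
    m = re.fullmatch(r"(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", host)
    return m.group(1) if m else ""

def is_lookalike(host):
    """Not a trusted domain itself, but same shape once look-alikes are folded."""
    return host not in TRUSTED and host.translate(FOLD) in {t.translate(FOLD) for t in TRUSTED}

class LinkChecker(HTMLParser):  # records suspicious <a> elements as it parses
    def __init__(self):
        super().__init__()
        self.findings, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        target, shown = host_of(self.href), host_of(self.text)
        lookalike = is_lookalike(target)
        mismatch = bool(target and shown and shown != target)
        if lookalike or mismatch:
            self.findings.append((self.href, self.text.strip(), lookalike, mismatch))
        self.href = None

def check_links(html):
    """Return (href, text, lookalike, mismatch) for each suspicious link."""
    checker = LinkChecker()
    checker.feed(html)
    return checker.findings

SAMPLE = (  # constructed email body, not from a real message
    '<a href="https://www.lIoydsbank.com/login">Verify your account</a>'
    '<a href="http://payments.example.net/u">www.lloydsbank.com</a>'
    '<a href="https://www.lloydsbank.com/help">Help centre</a>')
```

Domains are compared exactly after stripping `www.`; a production check would first reduce each host to its registrable domain so that subdomains are handled too.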
How do I protect my organisation against phishing attacks?
Malicious actors are always looking for ways to access valuable data, so it’s a never-ending battle between the attackers and defenders.
You may have noticed several software vulnerabilities, such as Heartbleed, Shellshock and Ghost, which have been discovered and have made the press in recent years.
But there are many more being discovered, almost on a daily basis. This is why patching systems and running antivirus software are so important.
In this ever-changing environment, vigilance on behalf of the defenders is vital.
There is a wide range of tools available when creating an in-depth defense architecture to combat the technical incursions, including built-in email filters, threat monitoring platforms, programs which rewrite a URL and advanced anti-malware analysis.
However, it’s far more effective and productive to focus on people’s awareness of the cybersecurity problem.
This involves training personnel to proactively identify their phishing vulnerabilities and to assess the end-user risk.
People constitute the last layer in our defensive model, and they can undermine even the best technical controls if they aren’t trained appropriately.
It is recommended that organisations adopt a more people-centric approach. Training should be designed to help change ingrained personnel behaviors and to establish and reinforce a strong defensive line against increasingly sophisticated phishing attacks.
There are three key aspects to mitigating the risk of an attack:
Security testing: Regular security testing to ensure that in the event a user’s account is compromised, the damage is mitigated (using two-factor authentication for example). System administrators can also carry out simulated phishing attacks, or penetration tests, to test the system’s susceptibility to attack, as well as carrying out regular vulnerability scans with trusted software.
Training: Even with the best email filtering, the last line of defense will always be the end user. Research has shown that a more frequent and regular programme of training, for instance monthly or quarterly, is more likely to reinforce personnel awareness of cyber-security risks, with a stronger message more simply stated.
Processes and procedures: A defined policy should be established for how phishing attacks are handled. For example, hands-on testing methods generally yield better results than educational videos or lectures, and practice sessions can be regularly instituted with either carrot or stick rewards. End users should be challenged with phishing simulations set up in recognised attack modes, including Commercial, Corporate, Cloud and Consumer emails. Users should be trained in identifying the various types of phishing emails, and constantly challenged with new variants in order to keep up with the versatility of hacking attacks.
In addition, IT Training should be given on how to respond to reports of spam email, identifying the depth of incursion and the seriousness of the risk.