Phishing Attacks: Avoid Losing Business Data
Phishing will continue to be prevalent, so it’s important that companies tackle the issue with a strong strategy and tools to back this up.

Phishing is not a new type of cyber-attack, but it is an extremely effective way to gain access to a firm’s data. According to Microsoft’s latest security intelligence report, adversaries continue to use phishing as a preferred method of breaching businesses: detections rose 250% between January and December 2018.

Indeed, cyber-criminals are thinking of increasingly innovative ways to target employees, by looking at their social media profiles and sending bespoke emails based on what they find – known as spear-phishing. For example, an email appearing to be a Microsoft Office password reset request might instead lead to a malicious site where business credentials are entered by an employee and subsequently stolen by criminals.

Other phishing attempts see criminals posing as someone known to the user with the aim of convincing them to transfer cash. These so-called ‘business email compromise’ attacks have become a “persistent hazard”, says Tim Sadler, CEO and co-founder of Tessian.

An analysis of business email compromise attacks by Barracuda Networks found nearly 60% of messages contained 50 common subject lines. Among them were: ‘Request’ (36%); ‘follow up’ (14%); ‘urgent/important’ (12%); ‘are you at your desk/available?’ (10%); and ‘payment status’ (5%).

Attackers find out email addresses by searching social media sites such as LinkedIn, or simply stealing them from other breaches. “Every time we hear about a big breach, quite often a database full of users has been stolen,” says Oz Alashe, CEO of CybSafe. “That database of credentials – even if it’s just an email address – is worth something to a cyber-criminal.”

Spotting phishing emails

It’s a growing issue, so what does phishing look like? It can be really difficult to tell if an email is fake, says Tony Gee, associate partner at Pen Test Partners. However, he says one sign is urgency: “They require you to do things quickly, for example, ‘you need to make this payment today’.”

Fraudulent emails are increasingly tricky to spot, agrees Steve Malone, cyber resilience expert at Mimecast. “Registering a similar-looking domain name or even using foreign alphabet characters that look the same is an increasingly common and unfortunately very successful strategy. It could take as little as a well-known logo or image to gain employees’ trust in the validity of the sender.”
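One way to automate the lookalike-domain check Malone describes, decoding punycode and folding visually similar characters before comparing the sender's domain with the organisation's own. This is an added example, not code from the article or any vendor quoted in it; the trusted domain list and the confusables map are assumptions, and the sample sender domains are constructed.

```python
import unicodedata

# Assumption: the organisation's own legitimate sender domains.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Hand-built, non-exhaustive map of characters that look like Latin letters:
# Cyrillic lookalikes first, then digit and letter-pair tricks.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}

def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable 'skeleton': decode punycode labels,
    lower-case, strip accents and fold confusable characters."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                              # already Unicode text
    domain = unicodedata.normalize("NFKD", domain.lower())
    domain = "".join(ch for ch in domain if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLES.items():
        domain = domain.replace(lookalike, plain)
    return domain

TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED_DOMAINS}

def classify_sender(domain: str) -> str:
    """'trusted' for an exact match, 'lookalike' if it only matches after
    folding, otherwise 'unknown' (treat as an ordinary external sender)."""
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(domain) in TRUSTED_SKELETONS:
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples: genuine, digit swap, Cyrillic 'a', punycode form, unrelated.
    for d in ["example.com", "examp1e.com", "ex\u0430mple.com",
              "ex\u00e4mple.com".encode("idna").decode("ascii"), "example-payments.com"]:
        print(f"{d:28} -> {classify_sender(d)}")
```

A sender classified as "lookalike" is a stronger signal than the generic external-source tag, because the domain was chosen to resemble one the recipient trusts.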

And today’s attacks can be stealthy: employees often have no idea they have fallen victim to phishing. Patrick Martin, cybersecurity analyst at RepKnight, cites the example of a PA who clicked on an Office365 link. “They accessed the document and carried on their work. But it was a bogus website and criminals had harvested the employee’s credentials: the attackers set up email forwarding on the account and were harvesting around 6,000 emails including HR data. The company didn’t spot it for two days.”

It is a major concern, so it’s important firms implement a company-wide approach to tackling email phishing. There are steps organisations can take to help end users be aware of rogue emails, Gee says. For example: “Use an email gateway: just put a tag in the email that says, ‘this is from an external source’. Some firms don’t do this and it’s such a helpful thing.”

Asaf Cidon, VP content security at Barracuda Networks, warns companies not to rely solely on traditional security that uses blacklists or URL reputation analysis for spear-phishing defence: this doesn’t protect against attacks using ‘zero day’ links. “Implement DMARC email authentication and reporting; it can help stop domain spoofing and brand hijacking,” he advises.

At the same time, employee education is integral. “All staff need training on how to spot and handle phishing emails,” Martin says. “It needs to be tied into some kind of user policy for the system or network they are on. Stress the consequences for them and the company.”

“Regular staff awareness training is so important,” agrees Gee. “So many people do it once a year and it’s not enough. You need to encourage staff to be more aware.”

Gee says training should include: “What does phishing look like? How can they spot emails? What should people do when they do think an email is suspicious?”

Phishing emails often have typical traits that employees can spot. Martin advises: “If an email contains links, hover your mouse over it so you can see where it will take you.”

Additional checks

It’s also a good idea for firms to do additional checks, such as phoning and verifying the email sender when large payment requests are received. “Think twice before you click on a link on an email; always check who the sender is,” Alashe advises. “If you are not expecting a request to make a change, call the person who sent the email to verify who they are.”

At the same time, Gee advises firms to send fake phishing emails to staff to help prepare them for the real thing. “You can use something like the Gophish platform where you create your own training.”

In addition, says Gee, companies can use social media ‘honeypots’: fake profiles including an email address. “If someone is starting to send phishing emails to that inbox, you know you are under attack.”

This should all be built on a foundation of strong general security hygiene. Passwords are still the most common form of protection for employee accounts and need to be secured given the rise of credential theft via phishing attacks, says Morey Haber, CTO of BeyondTrust.

Meanwhile, says Martin, companies should take steps to quantify how much of their company’s email, data and credentials are out on the web being shared, discussed and sold. They can do this by using a free tool such as Have I Been Pwned, which matches email addresses with known breaches. “In response, firms can take some preventative action – which could be as simple as enforcing password resets.”

Companies can also act preventatively by monitoring for anomalous out-of-hours activity such as logins, data transfers, login failures and password resets, says Martin.
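The monitoring Martin recommends here, together with the forwarding rule from the RepKnight case above, as an added example that is not from the article or either vendor: it runs three simple rules over constructed audit events (the event fields, office hours and failure threshold are all assumptions) and returns the alerts a security team would want to see.

```python
from datetime import datetime, time, timedelta

WORK_START, WORK_END = time(7, 0), time(19, 0)        # assumed office hours
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)  # assumed tuning

# Constructed sample audit events; the field names are not any product's real schema.
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T09:12:00", "user": "pa@example.com", "action": "login", "ok": True},
    {"ts": "2019-03-04T23:41:00", "user": "pa@example.com", "action": "login", "ok": True},
    {"ts": "2019-03-04T23:43:10", "user": "pa@example.com", "action": "inbox_rule", "ok": True,
     "forward_to": "collector@external-mailbox.invalid"},
    {"ts": "2019-03-05T02:00:00", "user": "fin@example.com", "action": "login", "ok": False},
    {"ts": "2019-03-05T02:01:00", "user": "fin@example.com", "action": "login", "ok": False},
    {"ts": "2019-03-05T02:02:00", "user": "fin@example.com", "action": "login", "ok": False},
    {"ts": "2019-03-05T02:04:00", "user": "fin@example.com", "action": "password_reset", "ok": True},
]

def out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the assumed office hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def detect(events) -> list:
    """Return alert strings for: out-of-hours logins, new mailbox forwarding,
    and a password reset that follows a burst of failed logins."""
    alerts = []
    recent_failures = {}   # user -> timestamps of failed logins inside FAIL_WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user, action, ok = ev["user"], ev["action"], ev["ok"]
        if action == "login" and ok and out_of_hours(ts):
            alerts.append(f"{user}: successful login out of hours at {ts}")
        if action == "inbox_rule" and ev.get("forward_to"):
            alerts.append(f"{user}: mailbox now forwards to {ev['forward_to']}")
        if action == "login" and not ok:
            fails = [t for t in recent_failures.get(user, []) if ts - t <= FAIL_WINDOW]
            fails.append(ts)
            recent_failures[user] = fails
        if action == "password_reset":
            fails = [t for t in recent_failures.get(user, []) if ts - t <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(f"{user}: password reset after {len(fails)} failed logins")
            if out_of_hours(ts):
                alerts.append(f"{user}: password reset out of hours at {ts}")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```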

Phishing will continue to be prevalent, so it’s important that companies tackle the issue with a strong strategy and tools to back this up. And if employees do fall for phishing attempts, firms need to consider how they will react.

A more supportive approach is more successful if people are making mistakes, says Alashe. “Blame is something we need to avoid. It doesn’t help us truly address the issue and actually contributes to the problem.”
