Phishing attacks aren't going anywhere, so listen up! Here's how to recognise, analyse and limit your risk
According to Proofpoint, almost one in four people who receive a phishing email will open it. Nearly 10% of these will also click on the email’s malicious attachment or dangerous link, putting their data, and potentially your business, at risk.
Phishing is a cyber attack method that has been around for over two decades, and it still makes up more than 90% of targeted cyber crime. A large percentage of phishing attacks focus on stealing credentials such as login details for sites, in the hope that the attackers can use this valuable information to steal money.
In Proofpoint’s The Human Factor 2016 report it was highlighted that phishing campaigns are focusing more and more on businesses rather than individuals. According to the research, the most common methods of attack included voicemail notifications, package delivery updates, and invoices and financial documents sent via email. The phishing attacks seem to occur most frequently in the morning, around 9am – 10am, potentially with the hope of catching employees before their IT staff can see the messages and act to remove them.
Phishing attacks aim to steal money in several ways: selling stolen credentials, trading confidential documents, and using stolen data to make fraudulent transactions. The latest study from the security company RSA estimates that businesses worldwide lose more than £300 million per month purely to phishing.
How do you effectively detect, mitigate, and respond to the threat?
The first step to a successful phishing attack is managing to get through a business’s security filters. Poorly crafted and especially obvious scam emails will easily be stopped by filtering. However, the sophisticated attackers know this all too well and so they work to create messages that look trustworthy and legitimate.
In general, there are three types of victims of phishing attacks:
- Enablers – victims who are convinced to disable security, open files, and click on links to give away personal information.
- Facilitators – individuals who are asked to input credentials into realistic looking but ultimately fake login pages, and they do so willingly and without any knowledge of the trap.
- Gophers – employees with certain access levels who are tricked into moving funds or changing shipments by a message from a fake email account posing as a manager.
In comparison to other types of cyber attack, phishing success relies more on human behaviour than on exploiting technology, which is why awareness training can help reduce the risk people pose to businesses and their susceptibility to fraud.
A spear phishing study conducted by T. Halevi, N. Memon, and O. Nov found that diligent and industrious workers are more likely to be caught out by phishing emails than others. The messages they most often fall victim to prey on their desire to be more efficient, hint at urgency, or mention that they can increase their productivity. By department, sales and finance are three times more likely to be phished than IT or customer service.
What are the most common types of malicious message?
After looking at phishing messages that made it to the employee inboxes of a large US company over the last two years, Proofpoint found that around 45% of these malicious messages looked as though they came from internal IT. A further 25% were a mix of generic subjects, urgent issues, government notices, and external and account verification.
Further to this, social engineering continues to play a bigger and bigger part in phishing. Phishers use the correct names of fellow employees, managers, or executives, mention well-known projects or co-workers, or even add legitimacy to the scam with calls or voicemails that correspond to the email they sent.
How is a phishing attack successful?
A phishing attack’s only chance of success is to get past security filters. To do this, attacks try any number of tricks to find loopholes to exploit.
Some of the ways attacks can get past filters include:
+ Using compromised but reputable mail services
+ Using innocuous language
+ Fast changing URLs and domains
+ Using compromised friend and family email accounts or very good mimics to fool the receiver
Attackers are now also making sure they take advantage of the expanding attack surface. Multiple work locations, various devices, and collaborative web apps are new spaces for cyber criminals to occupy. Coupled with the constant and increasing pressure to respond, there is even more likelihood that someone will fall victim to an attack.
What do you need to defend against phishing attacks?
+ Limit your attack surface
Businesses need to look at what users are doing, analyse their behaviour and patterns, scan for when confidential data might be compromised, and monitor and evaluate messages, URLs, attachments, and user clicks.
+ Expand your defence coverage
One in five clicks on phishing messages occurs outside a business’s network perimeter. Employing cloud solutions allows you to deploy and scale your security measures to the number of business users, no matter where they are, what device they use, or which cloud application they work in. As businesses move to the cloud, security measures must move with them.
+ Use predictive defences
Just as organisations use big data to better understand their customers, so cloud-based threat intelligence and statistical modelling can be beneficial against potential attacks. Machine learning can build user models, flag suspicious or anomalous messages, and score them (in real time) against up-to-the-minute threat models, content inspection, and phishing campaigns already in existence. This creates a system of defences that can spot new and emerging attacks before a user is able to download an infected attachment or click a bad link.
+ Train your team
As long as humans are around to be exploited, phishing attacks will continue to exist and be successful no matter how modern the security system. To provide the best possible defence, it’s worth investing business funds in training staff on how to spot and respond to a phishing attack. Creating both a technological and a human barrier to phishing attacks is the best layered defence a business can have.
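The filter-evasion signals listed earlier (lookalike senders mimicking internal IT, fast-changing link domains, urgency language) and the message, URL and scoring checks described under "Limit your attack surface" and "Use predictive defences" can be combined into a small triage score. The script below is an added example, not code from the article or from Xenace; the organisation domain `example-corp.com` and the sample message are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumed organisation domain and a constructed sample message (neither is from the article).
INTERNAL_DOMAIN = "example-corp.com"
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: alice@example-corp.com
Subject: URGENT: your password expires today
Content-Type: text/plain

Your mailbox password expires in 2 hours. Verify now:
http://example-corp.com.account-check.example/login
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
URGENCY = ("urgent", "expires", "immediately", "verify now")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_domain(domain):
    """Lookalike if it is within two edits of, or merely embeds, the internal domain."""
    if not domain or domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return False  # the real domain and its own subdomains are fine
    return edit_distance(domain, INTERNAL_DOMAIN) <= 2 or INTERNAL_DOMAIN in domain

def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message; higher means more suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if suspicious_domain(sender_domain):
        reasons.append(f"From domain {sender_domain} mimics {INTERNAL_DOMAIN}")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if suspicious_domain(host):
            reasons.append(f"link host {host} mimics {INTERNAL_DOMAIN}")
    if any(w in (str(msg.get("Subject", "")) + " " + body).lower() for w in URGENCY):
        reasons.append("urgency language in subject or body")
    return len(reasons), reasons
```

Running `score_message(SAMPLE_EML)` flags the spoofed sender, the lookalike link host and the urgency wording; a genuine internal message with a link to a real subdomain scores zero.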
Xenace provides a wide range of security solutions and systems to help businesses efficiently detect, mitigate, and respond to advanced threats by protecting email, social media, and mobile applications. To learn more about how we can help, contact us now.
We also run an interactive phishing attack solution called Phishwise, for businesses that want to train staff to understand and defend against email cyber attacks. Visit the website to find out more or get in touch now to talk about how we can work with you.