You may have heard about it and the devastating effect it has had on individual consumers who have had their passwords and bank details stolen before having their accounts emptied by criminals and their life savings spirit away.
But imagine if the target was your business with the hackers intending to steal as much as they can from you because your cyber security infrastructure hadn’t plugged the loophole that the ‘phish’ swam through
The dictionary definition of ‘phishing’ is ‘the fraudulent practise of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’
The individual concerned could be one of your employees who inadvertently opened an innocent-looking phisng email which landed in his or her inbox.
How sure are you that your own staff would be savvy enough to spot it and that your firm’s cyber security measures are robust enough to deal with it?
Key to safety
Charlotte Riley, Director of Information Security at CSS Assure commented: “The two main keys to safety with phishing are education of your employees and having a robust set of security controls in place to deal with any attack.
If the phish is spotted by the email’s recipient before it is opened, then the damage can be contained. However, if the recipient proceeds to click through to the unsafe link, we can put in mitigation and remidiation factors to ensure the damage is minimised.”
Held to ransom
It’s not overly dramatic to say that a single mouse click can unleash severe, nightmarish consequences for a business. What if the malicious attachment contained ransomware which took over your entire system and locked you out until you paid up? We have seen this on a massive scale both in Europe and in the US which multi-billion-pound companies felt helpless to act.
The thought of a security breach troubled the minds of IT managers for Bristol City Council after they read research about the increase in numbers and sophistication of phishing scams. In response, they set up a phishing attack on their own employees.
It has not been reported how many employees fell for the deception, but those who did click on the phishing link were immedditately directed to a special training programme set up to help them avoid being taken in by any real attack
A council spokesman said: “Like all organisations, we face increasingly sophisticated and varying threats to our digital systems. This report provides assurance that, of the threats we are aware of, measures are in place to maintain the security of our systems.
We continue to work closely with a range of organisations to ensure our systems can effectivly respond to the risk of cyber-attacks and that all data remains safe and secure.”
How extensive is the threat level? Research has revealed that 76% of organisations reported some kind of attack in 2017.
Symantecs 2018 Internet Security Threat Report says the average user receives 16 malicious emails a month – so with just 20 employees you are potentially at risk to attack 320 times a month or 3,840 ‘bullets to dodge’ in the course of a year.
Continues to grow
Nick Pomponio, Director of Operations for CSS Assures said: “Phishign attacks are a very real threat to the wider security apparatus of companies of all sizes and in any location, which continues to grow in sophistication. It’s international nature was shown earlier this year when a Nigerian based business email compromise (BED) attack targeted more than 500 business, mainly industrial companies.
The scam primpted recipients to download a malicious file which, when it got into their computers, gained authorisation and autonomy to exploit their organisation’s data and networks.”
Types of attack
Spear phishing – This is a more concetrated and targeted attack than the bulk phsing emails that typically land in an ‘Enquiries’ mailbox. Aimed at specific individuals or companies to gather personal information to improve the chances of success for a full hack.
Whaling is a spear-pshing attach directed at senior executives or other high-profile targets and contains content which is generally an executive issue like potential legal proceedings or a format complaint.
Clone phishing is a practise whereby a previous legitimate email contaning an attachment has it’s content and recipient addresses stolen and copied or cloned into a new message with the attachment replaced by a malicious version. It is then sent from a spoofed email address to appear to come from the original sender.
Once actioned the phishing email either asks for personal information required to ‘verify’ an identity or re-directs the recipient to a spoofed, bogus website dressed up to look like a legitimate organisation, but is controlled by fraudsters
The resulting damage can only be imagined.
The number one source for transmitting malware is a fake invoice email attachment at 15.9%, but it is closely followed by a fake email delivery failure notice at 15.3%.
Apparent legal or law enforcement documents come in at 13.2% with scanned documention at 11.5%
Said Mike Wills, Director of Strategy at CSS Assure: “Spotting which weapon has been deployed against you is half the battle and vigilance and training are the watchwords. Taking steps to protect yourself is the smart move – much smarter than having to explain to the board how the crisis they are experiencing could have been avoided.”