October – a time of ghosts and ghouls, witches and warlocks, when trick or treaters roam the roads and pumpkin lanterns light the nights. However, October is also Cybersecurity Month, so what better time to look at tackling online trick or treaters – cybercriminals, who can make your working life a waking nightmare – by focusing on preventing phishing attacks.
Don’t fall foul of online trick or treaters, tackle phishing attacks now
While comparing cybercriminals to ‘trick or treaters’ might be a massive underestimation of the havoc they can wreak, the parallel is there: the tricks they play, and the ‘treats’ they may steal from unsuspecting victims, can cause complete horror stories. Since the onset of the coronavirus crisis, the prevalence of cybersecurity threats, like ransomware, has rocketed, with reports of devastating incidents becoming increasingly commonplace, and 91% of all cyberattacks are said to start with a phishing email. For the uninitiated, phishing is a type of ‘social engineering’ attack, whereby a cybercriminal sends a message intended to trick the recipient into revealing sensitive data, or into installing malware on the victim’s network. In fact, phishing is now the most commonly reported type of cyberattack, with the FBI’s Internet Crime Complaint Center (IC3) recording more than twice as many phishing attacks as any other sort of cybercrime in 2020. So, perhaps unsurprisingly, ensuring email security has reportedly been ranked as the top cybersecurity priority of 2021.
From phishing to smishing
Indeed, phishing attempts are now an everyday occurrence, and there is a dizzying array of phishing attacks to trip you up. The common-or-garden, standard sort is generally described as ‘deceptive phishing’, where the attacker tries to obtain confidential information from you, which might then be used to steal money or carry out other attacks. For instance, this may take the form of a fake email from your bank asking you to click a link and input your account details. However, although many phishing attempts take an indiscriminate, scatter-gun approach, sent to many recipients at once, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of what is called ‘spear phishing’. This is where specific individuals are targeted, rather than wide groups of people. In such incidents, attackers may, rather disturbingly, research their victims on social media to customise their messages and make them more believable.
Furthermore, a particularly worrying sub-set of spear phishing is ‘whaling’, where attackers pursue ‘big fish’, such as CEOs. These attacks can involve cybercriminals going to great lengths to steal data, like login details (called ‘credential phishing’), or funds, and can have serious consequences for a company. Similarly, a particular type of scam called business email compromise (BEC) involves a cybercriminal actually compromising the email account of an executive and monitoring their messages to learn about the company’s protocols. They can then capitalise on this by impersonating the individual, sending a fake email from them to another recipient perhaps requesting a money transfer.
Another specific type of phishing attack, Office 365 phishing, is also becoming increasingly common. This is where the attacker tries to gain access to an Office 365 email account, and in this case, the phishing message tends to include a request for the recipient to log in to their account, possibly to reset their password, and again contains a link for them to click on. In addition, just to complicate things further, specific terms have even been coined for phishing variations, with phishing via SMS termed ‘smishing’ and phishing via voice methods, such as voice over Internet protocol (VoIP) or phone, named ‘vishing’, but let’s not make this more complex than it needs to be!
Don’t be a target
However, no matter what type of attack it may be, what you need to know is how not to fall foul of phishing. This can be easier said than done, as the tactics used to trick you into handing over information become more devious all the time. Nevertheless, it is possible to reduce the chances of becoming a victim of such attacks. For starters, it pays to make it harder for someone to target you. This can be achieved by being careful about what personal information you make available online to would-be attackers, as it could be used against you to make phishing emails more convincing. So, review your privacy settings on social media and, where possible, avoid revealing information which could make you a target.
There are also several steps you can take to keep yourself safer when dealing with emails. Firstly, if a message seems suspect, it is wise to ignore the email display name, which may have been chosen to deceive you, and examine the actual email address of the sender to see if it looks authentic. This can be a glaring giveaway if the domain name seems dubious – for example, if it does not match the legitimate domain format of the supposed sender. Another clue to look out for is poor spelling, grammar and punctuation in the email, making it look unprofessional, as many phishing attacks come from overseas.
In addition, if you are not expecting a document from an alleged sender you know, do not click on any attachment, but give the person a call to check it is legitimate. Indeed, always be wary of clicking on email attachments or links unless you can be sure they come from a reliable source. This is imperative to avoid unleashing damaging malware on your network. It is also important not to be swayed by thinly veiled threats asking you to act urgently; instead, take your time and check whether any request is genuine. Above all, it is vital to remain vigilant and retain a healthy sense of scepticism regarding unsolicited emails received out of the blue.
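The display-name-versus-address check described above can be automated as a simple triage step, for example in a mail-gateway rule or a helpdesk script that reviews reported messages. The following is an added example, not code from the original post or from Prodec Networks; the sample `From:` headers, the trusted-domain list and the organisation names are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers (not real messages). Reserved
# example domains are used so nothing here points at a real site.
SAMPLE_HEADERS = [
    'From: "Example Bank Support" <support@bank.examp1e.com>',
    'From: "Example Bank" <alerts@bank.example.com>',
    'From: "Acme Payroll" <payroll@acme.example>',
    'From: Acme Finance <accounts@mail-acme-secure.example>',
]

# Hypothetical mapping of organisation names (as they appear in display
# names) to the domain those organisations really send from.
ORG_DOMAINS = {
    "example bank": "bank.example.com",
    "acme": "acme.example",
}
TRUSTED_DOMAINS = set(ORG_DOMAINS.values())


def check_sender(header):
    """Parse a From: header and return (name, address, domain, findings).

    The display name is deliberately ignored for trust decisions; only the
    real address and its domain are checked, as the article recommends.
    """
    raw = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    name, addr = parseaddr(raw.strip())
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if not addr:
        findings.append("no parseable sender address")
    elif domain not in TRUSTED_DOMAINS:
        findings.append(f"domain {domain!r} is not a known sender domain")
    # Display name claims an organisation whose real domain does not match.
    for org, expected in ORG_DOMAINS.items():
        if org in name.lower() and domain != expected:
            findings.append(f"display name mentions {org!r} but domain is {domain!r}")
    # A digit inside a word in the domain often signals a lookalike ('1' for 'l').
    if re.search(r"[a-z][0-9][a-z]", domain):
        findings.append("digit inside a word in the domain (possible lookalike)")
    return name, addr, domain, findings


def flag_suspicious(headers):
    """Return [(address, findings)] for every header that raised a finding."""
    results = [check_sender(h) for h in headers]
    return [(addr, findings) for _, addr, _, findings in results if findings]
```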
The human firewall
In fact, while it is essential to ensure your organisation has reliable IT security in place to combat these threats, the first line of defence against such attacks will always be your people, who can act as a human firewall to defend your business network. It is therefore crucial to ensure that they are completely ‘click clever’, by educating them to be aware of phishing dangers. Indeed, this is now more important than ever, as cybercriminals will take full advantage of the fact that there are increasing numbers of remote workers, who may be less informed about these issues. Such education can be easily achieved by deploying a process of simulated phishing and security training, like that offered by Prodec Networks. With this, you can send out imitation phishing emails to test which employees may be particularly phish-prone, and then arrange for those who are identified to undertake special security training. This cycle of testing and training can then be repeated as required, until everyone becomes more savvy about identifying suspect messages.
So, although such attackers may be getting more persistent and cunning, by educating your workforce to spot the pitfalls, and employing a high-quality email security solution, such as those provided by Prodec, from Fortinet and Cisco, you can avoid falling foul of these online trick or treaters.