Phishing is the single most common way for malware to be delivered into your network. Here are four things you need to know to protect yourself.
Wikipedia defines phishing as an “attempt to acquire sensitive information… often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.” Over the past few years this has become cybercriminals’ primary vector, allowing malware to be delivered either as an attachment or via a link embedded in the text.
One of the reasons it’s so popular is that it takes minimal effort. At its core, phishing is a pretty basic crime. Untargeted distribution of hundreds of thousands of emails is quick, cheap and easy: mailing lists are readily available via the Dark Web, often as part of an off-the-shelf exploit kit that can also include botnet time and malware payloads.
Sadly it’s also incredibly effective. Indeed, according to the 2018 Verizon Data Breach Report, phishing attacks are at the heart of 93% of data breaches, while the FBI’s 2017 Internet Crime Report indicates that business email compromise (BEC) and phishing drive 48% of ALL internet crime-driven loss. Phishing has now become so commonplace that the term itself is understood by pretty much everyone, not just those in the IT security sector.
So how do you stop spam emails from being successful?
This is getting more and more difficult. In the early days phishing emails were easy to spot, such as badly worded requests from Nigerian princes to safeguard their millions for them. However, over recent years these scams have become more sophisticated and targeted.
This has given rise to new genres: Spear Phishing, which targets specific people in companies with well-crafted and believable emails; and Whale Phishing (or CEO Fraud), where the scammers target key business functions with emails purporting to come from high-ranking executives, such as the CEO.
Understandably these new genres can be much more compelling and therefore much harder to protect against. However, simply being smarter can help. Here are four things every company can do to help defend against phishing attacks:
1/ Educate your staff
Although awareness of phishing is increasing, the single most effective form of defence is still user awareness training. Staff need to understand basic phishing constructs and how to identify them. The more educated they are, the more prepared they will be when they see a real attack.
And remember that because these attacks are constantly changing, training is not a one-off exercise; it’s an ongoing process. As part of an overall awareness training programme, getting your IT team to regularly run internal phishing campaigns can help raise awareness of the mechanics of attacks.
Some of the other key skills you need to focus on when raising staff awareness include:
- Learning to check the “from” address on suspicious emails: Many scam emails will use a “from” address that is as close as possible to the real thing, so staff need to learn to check this really carefully.
- Don’t trust in-email links: The general rule of thumb is: do not click on any links within emails that you are not 110% sure are genuine, and certainly don’t trust anything that has been obscured using a URL shortener.
- Don’t always believe what you read: The rise in CEO fraud means that if staff get a message from someone in the company that looks out of the ordinary, they should ask around to see if it really is a genuine request rather than taking it at face value.
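The “from” address and link checks described above can also be automated as a first-pass filter before a message reaches a user. The following Python script is an added example and is not code from the original article. It assumes a hypothetical trusted domain (example-corp.com), a short constructed list of URL shorteners, a similarity threshold of 0.8 for lookalike detection, and two constructed sample messages. It flags a sender domain that closely resembles a trusted one, a display name that claims a different address than the real sender, a link whose visible URL points to a different host than its real href, and any link routed through a shortener.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation sends mail from (assumption: a hypothetical company).
TRUSTED_DOMAINS = {"example-corp.com"}

# A few well-known URL shorteners (constructed list; extend for your environment).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Matches an HTML anchor and captures its real target and its visible text.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Matches a bare http(s) URL in text.
URL_RE = re.compile(r'https?://[^\s"<>]+')


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain that `domain` most resembles when it is not
    itself trusted but is similar enough (e.g. one swapped character) to be a
    deliberate lookalike; otherwise return None. The threshold is a heuristic."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best, best_ratio = None, 0.0
    for candidate in trusted:
        ratio = difflib.SequenceMatcher(None, domain, candidate).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best


def check_from_header(from_value):
    """Flag a display name carrying a different address than the real sender,
    and a sender domain that looks like one of our own."""
    findings = []
    name, addr = parseaddr(from_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        findings.append(f"display name claims {claimed.group(1).lower()} but address is {domain}")
    lookalike = lookalike_domain(domain)
    if lookalike:
        findings.append(f"sender domain {domain} resembles trusted domain {lookalike}")
    return findings


def check_links(body):
    """Flag anchors whose visible URL differs from the real href, and any link
    (anchor or bare) that goes through a URL shortener."""
    findings = []

    def add(note):
        if note not in findings:
            findings.append(note)

    for href, text in HREF_RE.findall(body):
        real_host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(text)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host and shown_host != real_host:
                add(f"link text shows {shown_host} but points to {real_host}")
        if real_host in SHORTENER_DOMAINS:
            add(f"link uses URL shortener {real_host}")

    # Replace anchors by their visible text, then scan the remaining bare URLs.
    plain = HREF_RE.sub(lambda m: m.group(2), body)
    for url in URL_RE.findall(plain):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            add(f"link uses URL shortener {host}")
    return findings


def analyse_message(raw):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw)
    return check_from_header(msg.get("From", "")) + check_links(msg.get_payload())


# Constructed sample: a CEO-fraud style message from a lookalike domain whose
# visible link hides a shortener.
SUSPICIOUS_EMAIL = """From: "Jane Doe (ceo@example-corp.com)" <jane.doe@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent supplier payment
Content-Type: text/html

<p>Please settle this invoice today, I am in meetings all afternoon.</p>
<p>Portal: <a href="https://bit.ly/3xyz">https://portal.example-corp.com/invoices</a></p>
"""

# Constructed sample: an ordinary internal message that should produce no findings.
CLEAN_EMAIL = """From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Invoice portal
Content-Type: text/html

<p>See <a href="https://portal.example-corp.com/invoices">the portal</a> for this week's invoices.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse_message(raw) or ["no findings"])
```

The similarity check is deliberately simple and will also flag legitimately similar third-party domains, so in practice the threshold is tuned and known partner domains are allowlisted; the point is to surface the same cues (lookalike sender, mismatched link text, shortened URL) that staff are trained to look for, so that the obvious cases never reach an inbox.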
2/ Keep patches up to date
Email-borne malware will more than likely exploit commonly known vulnerabilities rather than zero-days. So, ensuring that your operating system and application security patches are up to date will reduce the chance of any payload being successful.
3/ Manage your access rights effectively
Many phishing payloads require administrative privilege on the target machine or network to execute. By removing all non-essential admin privileges from endpoints, organisations can prevent the majority of email-based malware threats from executing and spreading across the network.
4/ Make sure you have strong internal processes
Exploiting a weakness in internal controls is crucial for some of the more high-level fraud attempts (see Whale Phishing above). Tightening up your internal processes lessens the chance of this happening: for example, a large payment request should be signed off by more than one person, not just a single person in finance.