What can we do to tackle today’s phishing epidemic?
The cybersecurity headlines in the past few weeks have been dominated by sophisticated nation-state espionage campaigns. But while these incidents raise some important questions about supply chain security in a global economy, I had my eyes on another story — one highlighting the threat facing organisations from phishing and account takeover. It’s a story many of you will have heard before, but that makes it no less important — especially as awareness levels continue to lag.
The good news is that there’s plenty you can do to protect your most prized assets by stopping the phishers in their tracks. Artificial intelligence-powered technologies are here today and already making an impact, alongside more traditional steps like improved staff training.
Keys to the kingdom
Most hackers are looking for the quickest and cheapest ROI possible from their attacks. That’s what makes phishing such a great strategy: it takes advantage of what is arguably the weakest link in an organisation’s security chain, its employees. A new report illustrates some of the key challenges and the scale of the problem, drawing on analysis of nearly 50,000 real phishing campaigns targeting organisations in 23 industries.
Account credentials are the digital keys that unlock access to sensitive customer data and corporate IP. So it’s perhaps not surprising that half of the emails verified by these firms as malicious were linked to attempts to harvest login and system information from users. Compromise a privileged account and you could be on the fast-track towards lucrative corporate data. Phishing accounted for 93% of all data breaches analysed by Verizon last year.
One click is all it takes
Phishing typically works by spoofing an authoritative sender (think a bank or even a colleague) and often creating a sense of urgency, so the user feels they have little time to think before clicking. Some are highly targeted, but even the mass-mailed generic ones may contain relevant info: “Invoice” apparently appeared in six of the 10 most effective phishing campaigns in 2018. Clicking might take the user to a spoofed site requesting the all-important account credentials. Or it could initiate a covert malware download. Nearly a quarter (21%) of reported crimeware emails assessed in this analysis apparently contained malicious attachments.
Those attachments could contain info-stealers, backdoors or even ransomware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 report said they’d experienced such an attack. With phished credentials, hackers can also go after large stores of customer data containing even more credentials and personal data, all highly monetisable on the cybercrime underground. Another report out this week from intelligence firm Blueliv revealed a 141% increase in the volume of compromised credentials discovered in North American botnets over the past two quarters.
The bad news is that phishing attacks will get increasingly difficult to spot. There’s a strong possibility that cyber-criminals will turn to AI technologies to “learn” the writing style and messaging behaviour of employees so that they can then insert fake emails that look highly convincing.
If you think you’re too small to be a target, think again. If your corporate domain is reputable enough, employee email accounts might be phished and hijacked not just to attack your data stores but also to send out yet more phishing emails to partners and customers. This will make the scam emails look more convincing, and ruin your hard-earned brand reputation in the process.
Given these risks and the continued high profile of phishing in the media, it’s disappointing that 20% of global employees responding to another new report said they didn’t know what phishing was, and a further 13% got the answer wrong. Fortunately, there are things you can do today to mitigate the risk of email-borne threats like this.
Start with MFA: Multi-factor authentication (MFA) will mean the hackers can’t access accounts with a stolen password alone, blunting their phishing efforts.
Train your staff: Next should come staff training to turn that weakest link into a sturdy first line of defence. Run phishing tests in short sessions using real-world scenarios and collect feedback on each user. They should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. Be sure to involve senior managers and C-level execs, as these time-poor leaders are often the worst offenders when it comes to clicking without thinking. Also train part-timers and consultants, partners and contractors: it doesn’t matter who clicks on that phishing link, the damage will be the same.
Invest in the best: Look for email security tools from a reputable provider to scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.
AI is your friend: Although there’s the possibility that the cyber-criminals may turn to AI to make their phishing emails more convincing, the white hats are already using AI capabilities to automate the detection of spear-phishing. These systems learn your organisation’s unique communication patterns so they can spot, in real time, when something doesn’t look quite right.
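Several of the red flags the training advice above tells staff to look for (an unusual sender, a diverted Reply-To, manufactured urgency, the “Invoice” lure, a link whose visible text names a different domain from its real target, and executable or macro-bearing attachments) can be turned into a first-pass triage rule for a mail gateway or an awareness tool. The script below is an added example, not code from the original article or from any vendor product; the allow-list of known domains, the weights and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk")
KNOWN_DOMAINS = {"example.com", "supplier.example"}  # constructed placeholder allow-list
WEIGHTS = {"unknown_sender": 2, "reply_to_mismatch": 3, "urgency": 1,
           "invoice_lure": 1, "link_mismatch": 3, "risky_attachment": 3}

def _domain(s: str) -> str:  # domain of an e-mail address or URL, '' if none
    m = re.search(r"(?:@|://)([^/\s>\"']+)", s)
    return m.group(1).lower() if m else ""

def triage(raw: str) -> dict:
    """Check a raw RFC 822 message for the red flags the article lists and
    return {'findings': {...}, 'score': int}; a higher score is more suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    f = {}
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    if from_dom and from_dom not in KNOWN_DOMAINS:          # unusual sender
        f["unknown_sender"] = from_dom
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:                 # replies diverted elsewhere
        f["reply_to_mismatch"] = reply_dom
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(subject) or URGENCY.search(text):    # manufactured time pressure
        f["urgency"] = True
    if "invoice" in subject.lower():                        # the lure the article names
        f["invoice_lure"] = True
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', text):
        if _domain(label) and _domain(label) != _domain(href):  # link text vs real target
            f["link_mismatch"] = _domain(href)
    for part in msg.iter_attachments():                     # executable / macro attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            f["risky_attachment"] = name
    return {"findings": f, "score": sum(WEIGHTS[k] for k in f)}

# Constructed samples: a spoofed "bank" invoice lure with a disguised link, and routine internal mail
SAMPLE_PHISH = ("From: Accounts Payable <billing@example-bank.co>\nReply-To: collections@mailer.invalid\n"
                "Subject: URGENT: Invoice overdue, pay within 24 hours\nContent-Type: text/html\n\n"
                '<p>Pay now at <a href="http://pay.mailer.invalid/x">https://portal.example.com/pay</a></p>\n')
SAMPLE_OK = "From: Alice <alice@example.com>\nSubject: Lunch on Friday?\n\nSame place as last time?\n"
```

A score threshold chosen for your own mail flow would decide whether a message is quarantined, flagged for the user, or used as feedback in the training sessions described above.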
I’ll stop harping on about phishing once it’s no longer causing misery for countless organisations. At the last count over two-fifths (43%) of UK firms experienced a security breach or attack in the past 12 months — a trend likely repeated across Europe. Taking action against phishing will force the black hats to get out of their comfort zone for once.