How to Catch Plenty of Phishers
- 10 August, 2018 13:34
Does your company have effective phishing protection in place or are too many hackers slipping through the net?
If the latter, you’re not alone.
Advanced malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, sophistication and severity, according to the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report.
At the same time, ‘rudimentary techniques and known network vulnerabilities’ continue to be used to compromise networks which lack baseline cyber security measures.
Research suggests there are plenty of those. According to a recent WatchGuard online poll, a third of small businesses don’t run any form of program to combat phishing attacks – the practice of sending fraudulent emails in order to extract confidential information including passwords, credit card details and sensitive corporate data.
It’s an extraordinary omission, given 90 per cent of cyber hacks and attacks begin with a simple phish. Ongoing education for staff is a remarkably effective way to thwart phishers and I firmly believe this should be the primary focus of any corporate security initiative.
If you’re one of the small percentage of firms which have an effective program in place already, congratulations. For the remaining majority, here’s why it’s more important than ever to get proactive about ensuring your staff, and the valuable information to which they have access, aren’t compromised by online opportunists.
Opportunistic targeting is simple and cheap and ACSC posits it will continue for as long as computers, networks and devices fail to implement baseline security.
Like other fraudsters, on and offline, phishers have honed their craft since the early noughties, when email communication became ubiquitous.
Mass blanketing of all and sundry with fake invoices, password resets and other rudimentary attempts to generate clicks still occurs but, in the main, hackers have become smarter and more sophisticated in their efforts to infiltrate organisations and businesses.
We’ve seen the rise of ‘spearphishing’, a more intense tradecraft whereby individuals are targeted by emails that purport to be from known senders – clients, colleagues and the like.
Some hackers now take this tactic a step further by impersonating an individual in authority – a CEO, director or other decision maker – and attempting to use the power of the position to exhort their targets to take urgent action. This could be wiring money, releasing sensitive documents or doing something within the company which benefits the phisher.
Telling security stories
Obtaining funding and resources for an ongoing phishing protection program can be a challenge in organisations where senior staff aren’t awake to the dangers the practice can present.
Sharing stories about phishing attempts, successful and otherwise, and the business risks they pose, is a simple and effective way to ensure the issue becomes top of mind with decision makers and staff across an enterprise.
There’s no shortage of material. Cautionary tales abound – of companies of all stripes whose staff have fallen victim to phishing attacks, with results that range from damaging to devastating.
Our experiences include the human resources director who released information about employees’ earnings to phishers who used it to file tax returns and claim refunds on their behalf, and the materials firm which belatedly learnt a salesperson was sharing confidential bid information with someone who’d successfully impersonated a colleague.
Conversely, there are plenty of cheerier tales of companies where sharp-eyed employees have sensed something is amiss and double checked with the purported sender before acting on a request for information or action.
Getting employees to share stories of their experiences with phishers should be encouraged. They’re only likely to do so if they feel confident they’re not at risk of being named and shamed for falling victim to what in hindsight may seem like obvious scams but, rather, will be treated supportively. We all make mistakes. Making it OK for staff to admit they’ve done so can make mitigating the fallout from a phishing attack faster and cheaper than if victims are tempted to cover it up.
The goal should be to encourage a healthy cycle of prevention, education and reporting which gets staff talking to their peers about phishes they’ve observed and avoided. This has the dual benefit of allowing you to identify patterns of attack and to target your protection efforts more precisely.
Tools that work
Encouraging staff to remain alert to the possibility of attack reduces the risk of their falling victim to a phish, but education alone is unlikely to be a sufficient defence against every threat. Small and medium enterprises which value the integrity of their intellectual capital and sensitive data should consider coupling their awareness-raising initiatives with a security solution that detects and averts malicious DNS requests.
DNSWatch does so by blocking access to the domains behind such requests and redirecting the user to a safe page which educates them on the risk and warning signs of a phish. It’s an effective way to engage people about the risks of clicking on phishes, and an opportunity to reinforce security messages at the moment when they’re likely to have the greatest impact.
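As an added illustration (not WatchGuard’s own DNSWatch code), here is the decision logic of such a DNS-layer filter in Python: a lookup for a blocklisted domain, or any subdomain of it, is answered with the address of an internal training page instead of the real host, and every blocked lookup is recorded so that patterns can be reviewed as part of the prevention, education and reporting cycle described earlier. The blocklist entries, sinkhole address, client addresses and upstream answers are constructed samples, not real indicators.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample blocklist and sinkhole address, not real indicators.
BLOCKLIST = {"login-verify-example.test", "payroll-update.example"}
SINKHOLE_IP = "10.0.0.53"  # internal host serving the educational landing page

def normalise(name: str) -> str:
    """Lower-case the name and strip the trailing dot DNS clients often send."""
    return name.strip().rstrip(".").lower()

def is_blocked(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry matched by qname or any parent domain, else None."""
    labels = normalise(qname).split(".")
    # Walk up the tree: a.b.example -> b.example -> example, so that any
    # subdomain of a listed domain is caught without substring false positives.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

@dataclass
class DnsFilter:
    blocklist: set = field(default_factory=lambda: set(BLOCKLIST))
    blocked_log: list = field(default_factory=list)  # (client, qname, matched entry)

    def resolve(self, client: str, qname: str, upstream_answer: str) -> str:
        """Answer to hand the client; upstream_answer stands in for the real resolver's result."""
        hit = is_blocked(qname, self.blocklist)
        if hit is None:
            return upstream_answer
        # Redirect to the training page and keep a record for later review.
        self.blocked_log.append((client, normalise(qname), hit))
        return SINKHOLE_IP

    def top_lures(self, n: int = 3):
        """Most frequently blocked domains, for the prevention/education/reporting cycle."""
        return Counter(hit for _, _, hit in self.blocked_log).most_common(n)
```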