Phishing attacks, it’s time to fight back!
It’s the cycle of routine distraction and reaction – a modern-day feature of the way we work and go about our day-to-day business – that makes us and our people the weakest link in even the most robust cybersecurity setup. This is the side of human nature that phishing is designed to target, and phishers are doing it very well! They continue to dupe even the savviest of users, and win. As we go about our everyday work, the possibility of a phishing email turning up in our inbox is the furthest thought from our mind. Meanwhile, entire global networks of organised criminals are designing and rolling out faster, more sophisticated attacks every second of every day!
Not convinced? A staggering 80% of Australian businesses fall victim to phishing attacks, and believe it or not, research has shown that people are six times more likely to click on a phishing email than a regular marketing email.
To avoid getting caught, your employees and your business need to cover those weakest links. Here we look at what phishing looks like today and give you our top tips for how you can boost your defences!
Phishing and Ransomware: The Dastardly Duo
You’ve probably heard and read heaps about ransomware this year, right? WannaCry, NotPetya, Bad Rabbit… Ransomware has undoubtedly been the hottest topic on the cybersecurity circuit this year (did you know that Merriam-Webster officially added ransomware to the dictionary in September this year?). But let’s think for a moment about how that ransomware gets into your systems to start with.
Yes, phishing was originally designed to tempt your unwitting uncle into wiring his money to Nigeria, or to trick you into divulging personal details and credentials that phishers then monetise. But phishing doesn’t just come back to bite the clicker; the exposure of one user’s credentials is just the “in” that ransomware needs to wreak much more widespread, even company-wide, chaos.
“… phishing tends to be the most dominant attack vector for the proliferation of ransomware because phishing emails have become so much more convincing and believable. In fact, Australians are five times more likely to click on a phishing email than a marketing email,” says Sophos VP of Products.
The risk phishing poses to the personal data security of your employees is bad enough, but the more extensive threat to your organisation and its ongoing viability is huge.
4 Ways You Can Get Hooked
How Today’s Phishing Attacks Work
Phishing is designed to convince you to provide something valuable to attackers that they can monetise or use to launch a wider attack. Here are the four main modes of phishing attack you need to be aware of:
- The Classics: Those fake banking emails or package delivery alerts. Click-baity, and getting better and better at fooling even the keenest eye.
- Mass Phishing: Opportunistic mass attacks that use a company’s brand name to lure customers to spoofed sites where they feel comfortable entering their credit card details, login credentials, or other personal information, which is then sold on.
- Spear Phishing: Targeted attacks where emails impersonating a specific sender or trusted source are sent to particular individuals, urging them to take certain actions such as transferring money or providing credentials. You know that big data we’re encouraging businesses to leverage to market their offerings in more appealing ways to their customers? Well, the phishers are already 10 steps ahead, using social engineering and target data to increase their click-through and conversion rates.
- Business Email Compromise (BEC) attacks: Highly sophisticated and engineered attacks where the sender’s email address is not spoofed, it’s actually compromised. The message will appear to be from a high-level exec and will have an element of time pressure to prompt fast action. BEC attacks are much harder to spot, and because they target company funds transfers they are highly lucrative. BEC losses alone reached $3.1 billion across 22,000 enterprises in 2016.
4 Ways You Can Fight Back Against Phishing
Combining Top-Tier Technology + Empowered People
Top-tier technology can take you a long way:
- Stop threats at the door: Email and web protection with live threat updates, blocking of malicious attachments, anti-spoofing, URL filtering, URL protection and malware sandboxing.
- Secure the last line of defence: What happens once you’ve been inadvertently hooked? Next-generation anti-exploit and anti-ransomware protection can identify, analyse and potentially neutralise malware and clean up any traces.
Empowering your people is the only way to strengthen the weakest links:
- Train and educate your staff on a regular basis on how to spot and deal with phishing emails. Run controlled phishing simulations or “drills” to test your team, measure your performance, and review how you can improve your human defence mechanisms.
- Make sure your employees know your business processes so they can spot out-of-character requests, and make sure you have two-stage approval processes so that “click to send now” isn’t even an option.
4 Ways We Can Help!
Maxsum, backed by our security partner Sophos, offers the top-tier defences you need to combat the phishing threat to your organisation. But as always, technology is only part of the solution. Educating your people is also key. Here are the four ways we can help give you the best possible protection.
- Front- and last-line of defence technology packages – Talk to us about using Sophos’ award-winning technology to secure your lines of defence.
- Simulated phishing attacks – Want to test your cyber-resilience and whether your staff are susceptible or not? We can run controlled simulations of phishing attacks on your organisation to test your vulnerabilities and response, and provide guidance on how to overcome your weak spots.
- Training for your staff – Ask us about how to tailor and deliver a cybersecurity training package for your staff.
- Downloadable resources – Check out our downloadable PDF below on How to Spot a Phishing Email. Print it out. Give it to your staff. Stick it up in the lunch room. Build their awareness.
This is the second article in our Maxsum Security Blog Series – Security Threats to SMBs – What decision makers need to know now and why.