We asked a number of industry experts what advice they have for organisations in the battle to prevent the rise of phishing attacks. Here is what they had to say.
Jurgen Sorton, Senior Product Manager for Security at Vox
Phishing attacks are on the rise and show no signs of slowing down. According to the latest Mimecast State of Email Security 2019 report, we have witnessed an increase in phishing attacks globally, with 94% of organisations having experienced attacks in the last 12 months.
There are various forms of phishing attacks but essentially all attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials and more, by posing as a legitimate individual or institution.
These attacks are becoming more sophisticated in order to get around the security solutions being put in place across most organisations. The most common form of phishing does not typically target specific individuals; instead, popular sites such as PayPal are cloned and emails are sent to many individuals instructing them to click on the malicious link to resolve account discrepancies, in the hope of obtaining their credentials.
With spear phishing, the fraudsters apply a more targeted approach to their craft. While this requires a little more effort, as fraudsters need to acquire information about the targeted individuals, their task is made easier by social media websites such as LinkedIn, which hold a wealth of information about the targeted individual. Whaling is a form of spear phishing in which executives such as CEOs are targeted. Gaining access to a CEO’s email account allows criminals to target individuals in the organisation’s accounts department, instructing them to release payments to the criminal’s account.
Criminals are not only using email for phishing. Vishing is a form of phishing in which criminals use the telephone to obtain personal information through social engineering.
So what can organisations do to prevent these attacks? A holistic approach is required, one that includes security-specific solutions, awareness training as well as changes to internal accounting controls. The first step is to implement security solutions that protect the company’s email environment. Managed service providers, such as Vox, offer a range of best-of-breed security solutions which are specifically designed to mitigate the risk of phishing attacks.
While these solutions will significantly reduce the risk of such attacks, it is important to remember that implementing a security solution is not enough. Security solution providers are constantly innovating new features to meet the increasing sophistication of these attacks. This means that the solution requires constant management by certified security specialists who understand the relationship between product and skills and offer fully managed security services to ensure that the business remains protected.
In addition to the security solution and managed services, organisations need to institute security awareness training for their staff. This educates employees about the dangers of phishing and other online scams. In the case of vishing, security awareness training provides the only line of defence. Lastly, companies need to improve internal controls to mitigate the risk of whaling attacks, as previously mentioned. In the event of a successful whaling attack, improved internal accounting controls ensure that payments are not made to the criminal’s account.
MJ Strydom, Managing Director, DRS
Although phishing is one of the oldest tricks in the cyberthreat book, mitigating the risk of phishing breaches is still, even today, easier said than done.
Phishing is still the front-line attack method for cybercriminals wanting to infiltrate businesses. Staff awareness programmes can certainly assist to some degree, but they only lessen risk slightly; a layered approach is required if you want to achieve greater success against this scourge.
Hackers are increasingly sophisticated and knowledgeable, and are deploying new techniques aimed at bypassing email security filters. Even the most security-conscious staff members can fall foul of a cleverly constructed phishing attack.
Phishing attack prevention is still a work in progress for cybersecurity specialists. Technical professionals must understand the end user’s role in phishing detection and the human role of the incident responders during phishing response. Emerging technologies support users and incident responders with phishing detection and response.
A well-crafted phishing email is virtually identical to an authentic email, with unsuspecting victims sitting just a click away from letting an intruder into their employer’s systems or onto their own devices. The results are the same: for an individual, usually the loss of identity credentials through downloads of malware or ransomware; for a business, loss of reputation and customers, and long-term damage to the enterprise.
Training alone can’t protect against phishing. According to Forrester, one of the most influential research companies in the world, phishing prevention requires a multifaceted approach that combines technical controls augmented by user education. Each layer in this strategy acts as a safety net in case the layer on top of it fails.
Companies need to kick off with the implementation of technical controls aimed at protecting end users. Email security solutions must be deployed and should include content filters, authentication and threat level intelligence tools that are designed to reduce the likelihood of malicious emails ending up in your employees’ inboxes.
That is not to say that continuous staff education is not required. Quite the opposite: staff need to learn how to recognise phishing attempts. This can be considered the last line of defence, as malicious emails will already have broken through the technical controls. Mechanisms need to be put in place that assist staff to report and test for phishing attempts. Staff performance in this regard also needs to be measured. Be wary of naming and shaming users who become attack victims. Public admonishment of staff may make them less likely to report phishing attempts.
One thing is certain: despite your best efforts, your staff will be successfully phished. Planning for that event and factoring in both technical and human failure or error are essential parts of a well thought out anti-phishing strategy. It is essential to have an incident response plan in place, as well as to deploy technologies such as browser isolation and multifactor authentication, in order to limit the impact of an attack. All of these measures combine to improve the speed and quality of recovery from these attacks.
Zaheer Ibrahim, Cybersecurity Practice Lead for Sub-Saharan Africa at Trend Micro Sub Saharan Africa
Phishing is essentially a form of attack that tricks users into thinking that an email is from a legitimate source. Once the user is ‘phished’, they proceed to provide critical personal information such as their credit card details, account numbers, identification details etc. to what they believed to be a trusted source.
However, once captured by the hackers, this data allows access to the recipient’s banking information, which can be potentially very dangerous with detrimental effects. If the phisher is planning to coordinate another attack, they evaluate the successes and failures of the completed scam and begin the entire cycle again.
There are several phishing scams out there, namely:
- Vishing – Phishing done over a voice call
- Smishing – Phishing done through an SMS
- Spear Phishing – This type is essentially the same as traditional phishing, with the only difference being that this method is targeted at a specific user in an organisation
- Whaling – Almost identical to spear phishing, this type is targeted at a particular target audience, such as C-level executives
As per the Trend Micro mid-year report, we have seen a decline in phishing activities on the whole from the first half of 2018 to 2019. Despite this evident decrease, the statistics uncovered are still astronomical, and their impact detrimental and far-reaching in any organisation they penetrate. Alongside the decline in phishing, we have seen a huge effort made to increase business email compromise attacks, which can include CEO and board member fraud.
Offerings such as the Worry-Free Services we offer, powered by XGen Security, use machine learning together with other detection techniques for the broadest protection against ransomware and advanced attacks. They protect devices on or off the network and optimise performance by applying the right protection technique at the right time.
What’s more, our Hosted Email Security protects against Business Email Compromise (BEC): enhanced machine learning, combined with expert rules, analyses the header as well as the content of an email to protect the user. This ultimately ensures the authenticity and reputation of the email sender, as well as making it possible to screen out malicious senders.
Now that we have understood the various methods of phishing attacks and what they are exactly, as well as their impact on companies, let us look at how best these can be avoided:
- As these attacks are targeted at the end user, the most important safety technique is education and an awareness of what the best response would be
- Think before you click on or open any item from an unknown source
- Ensure that your software on your PC is up-to-date
- Never give out your personal information unless it is to a verified source
- Emails received should continually be examined for grammatical errors and spelling mistakes
- One should give the email sender’s display name a closer look to inspect the email’s legitimacy
- Be cautious of emails from individuals or organisations that ask for personal information from the onset
- Emails that call on a sense of urgency or have an alarmist tone should not be hastily acted upon, with this being a decoy to trick people
- An embedded URL may seem perfectly valid, but hovering above it may show a different website address that gives the attackers away
How can Trend Micro assist in this fight against phishing?
For effective source verification and authentication, we use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
The Trend Micro Cloud App Security solution enhances the security of Microsoft Office 365 and other cloud services by taking advantage of sandbox malware analysis for ransomware, BEC, and other advanced threats. It also protects cloud file sharing from threats and data loss by controlling sensitive data usage and protecting file sharing from malware. In short, we cover you from the endpoint to the cloud.
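The three mechanisms named above fit together in a specific way: SPF vouches for the domain in the SMTP envelope sender, DKIM vouches for the domain in a signature header, and DMARC decides whether either of those domains "aligns" with the domain the user actually sees in the From: header, and what the receiver should do when neither does. The following is an added example, not Trend Micro's code or any product's implementation; the DNS records, Authentication-Results headers and domain names in it are constructed, and its organisational-domain derivation is deliberately simplified to the last two labels (a real implementation uses the Public Suffix List).

```python
import re

# Constructed DNS answers so the example runs offline; a real receiver would
# resolve the TXT record at _dmarc.<From: domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.partner.example": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain, simplified here to the last two labels.

    Assumption for illustration only: real DMARC derives it from the Public
    Suffix List, so a domain such as bank.co.za would need three labels.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull SPF/DKIM verdicts and the domains they vouch for out of an Authentication-Results header."""
    results = {"spf": ("none", ""), "dkim": ("none", "")}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)(?:.*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+))?", clause)
        if m:
            domain = (m.group(3) or "").split("@")[-1].lower()
            results[m.group(1)] = (m.group(2).lower(), domain)
    return results


def evaluate_dmarc(from_domain, auth_results_header, dns=DNS_TXT):
    """Apply the From: domain's DMARC policy to the SPF and DKIM results.

    Returns (published policy, disposition). The disposition is 'none' when
    either SPF or DKIM passes *and* aligns with the From: domain, or when the
    domain publishes p=none; otherwise it is the published policy.
    """
    from_domain = from_domain.lower()
    record = dns.get("_dmarc." + from_domain) or dns.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return (None, "none")  # nothing published, nothing to enforce
    tags = parse_dmarc(record)
    auth = parse_auth_results(auth_results_header)
    spf_ok = auth["spf"][0] == "pass" and aligned(auth["spf"][1], from_domain, tags["aspf"])
    dkim_ok = auth["dkim"][0] == "pass" and aligned(auth["dkim"][1], from_domain, tags["adkim"])
    return (tags["p"], "none" if (spf_ok or dkim_ok) else tags["p"])


if __name__ == "__main__":
    # Constructed Authentication-Results headers: a genuine mail, a spoof of a
    # domain that enforces p=reject, and the same spoof against a p=none domain.
    genuine = "mx.receiver.example; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
    spoof = "mx.receiver.example; spf=pass smtp.mailfrom=attacker.example; dkim=none"
    print(evaluate_dmarc("example.com", genuine))     # ('reject', 'none')
    print(evaluate_dmarc("example.com", spoof))       # ('reject', 'reject')
    print(evaluate_dmarc("partner.example", spoof))   # ('none', 'none')
```

The spoof case is the one that matters for BEC: the attacker's own domain passes SPF perfectly well, but it does not align with the From: header the victim reads, so the policy applies. The third call shows the common gap in practice: a domain whose DMARC record says p=none is monitored but never enforced, so the same spoof is delivered.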
Selina Bieber, Regional Director for Turkey and MENA at GoDaddy EMEA
Phishing emails are a pervasive security risk you face as a small business owner or solo entrepreneur. Phishing scams are attempts by hackers to get users to hand over sensitive information, like passwords and credit card information. It often involves sending spam email that looks like it’s coming from a trusted source, like a bank (this is the bait), that then links to a fraudulent website impersonating the trusted source (this is the trap). The unsuspecting target then enters the information the attacker is looking for, thinking it is actually on a site they trust.
It usually works with you being enticed to click a link in an email to update information, which then takes you to a fraudulent phishing trap site instead that looks like your bank’s portal, or to a social media site, PayPal or even a SARS eFiling website. You’ll be asked to punch in your user name and password, which will then be captured by the scammer, who then uses it to compromise the account, ransack a bank account, or even sell it to other hackers to cause further damage.
According to the 2019 Security Threats and Trends Survey by KnowBe4, 96% of organisations believe that email phishing is the biggest security risk facing their business over the next year.
Here are a few good practices to help beat the scammers:
Recognise the tell-tale signs
Some phishing emails are obvious because they are so badly written and formatted that no real bank, as an example, would send them out. Others are more carefully put together and could fool the average user who just takes a casual look at the format and the content. Either way, there are some tell-tale signs that can indicate that an email you receive is not legit:
- Generic email greeting, such as ‘Dear customer’. Your bank has your full name on record
- A link to a URL that you do not recognise or that looks suspicious – check the link source before you click on it, often by hovering over the link
- Unexpected attachments
- Grammar and spelling mistakes
- Urgent calls to action – ‘Log in within the next 48 hours, or your account will be closed’, ‘Your account has been breached’, or ‘To receive your refund, you must login in the next 24 hours’.
Educate your team
Educate your team about the dangers of phishing emails and the signs that an email might be a scam. Consider introducing policies that forbid them from opening attachments they are not expecting or clicking on a link in an email they do not recognise. You may also consider making it company policy not to use the same password for different websites. Ask employees to alert you when they see emails that seem random or suspicious.
Enable two-factor authentication
Two-factor authentication is about using something you know (your password) and something you have (a one-time pin received on your phone, your thumbprint, or a token) to sign into an online service. Even if you accidentally give your banking login and password to a scammer, they will not be able to do much with it if they don’t have access to your phone. It can be an essential extra layer of security for your sensitive data.
Install anti-virus and anti-malware software
There are a lot of scams and malware variants on the Internet, and installing anti-virus or anti-malware software can help to keep your devices and data safer. When it comes to phishing, up-to-date security software can help by catching the virus or malware and quarantining it, should a user click on a phishing email. Also, check with your service provider to see if they offer security monitoring solutions to help block suspicious emails before they enter your inbox.
Get SSL for your website
If the email passes all of the checks above and you click a link to visit a website, there are two more checks to do: make sure you are on the company’s actual website, and check the URL in the address bar to see that the site has an SSL certificate. With South Africans growing more savvy about the importance of online security and more concerned about potential cybercrime, no small business can overlook the importance of installing an SSL Certificate for their website. The reassuring presence of the familiar padlock symbol in the URL bar as a sign of SSL security, protecting the transmission of personal information, shows online visitors and shoppers that you take security seriously and that your website has additional security protections in place.
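Several of the tell-tale signs listed by the contributors above (Trend Micro's list of what to look for and the "Recognise the tell-tale signs" list in this section) can be checked mechanically before a message reaches a person: the sender display name versus the real address, visible link text versus the href behind it (the "hover over the link" check), unexpected executable attachments, generic greetings and urgent wording. The following is an added example and is not code from any of the contributors or their products: a small checker using only the Python standard library, run over a constructed phishing message. The phrase lists, the file-extension list and the sample message are assumptions made for illustration, and the checks are heuristics that raise indicators, not a verdict.

```python
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase and extension lists are constructed for this example and deliberately small.
URGENCY = re.compile(r"\b(within \d+ hours|immediately|account will be (?:closed|suspended)|verify your account|urgent)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(?:dear|hello|hi)\s+(?:customer|user|member|client|account holder)\b", re.I | re.M)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk")
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the text is what the reader sees, the href is where a click goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def norm_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def part_text(part):
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return (indicator, detail) pairs for the tell-tale signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings, text_parts = [], []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    # Display name that itself carries an address at another domain, e.g. '"ceo@victim" <x@freemail>'.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and domain_of(embedded.group(0)) != domain_of(addr):
        findings.append(("display_name_mismatch", f"{embedded.group(0)} shown, actually sent from {addr}"))
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXT):
            findings.append(("risky_attachment", filename))
        elif part.get_content_type() == "text/html":
            html = part_text(part)
            collector = LinkCollector()
            collector.feed(html)
            for text, href in collector.links:
                shown, actual = HOST_IN_TEXT.search(text), urlparse(href).hostname
                # The 'hover over the link' check: the visible text names one host, the href goes to another.
                if shown and actual and norm_host(shown.group(1)) != norm_host(actual):
                    findings.append(("link_mismatch", f"'{text}' -> {actual}"))
            text_parts.append(re.sub(r"<[^>]+>", " ", html))
        elif part.get_content_type() == "text/plain":
            text_parts.append(part_text(part))
    body = "\n".join(text_parts)
    greeting = GENERIC_GREETING.search(body)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0).strip()))
    urgent = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    if urgent:
        findings.append(("urgency", ", ".join(urgent)))
    return findings


# Constructed phishing message (not a real sample) that trips each heuristic once.
SAMPLE = """\
From: "PayPal Service <service@paypal.com>" <notice@pp-alerts.example>
To: victim@company.example
Subject: Your account has been limited
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Verify your account within 24 hours or your account will be suspended.</p>
<p><a href="http://paypal.com-verify.example/auth">https://www.paypal.com/signin</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE):
        print(f"{indicator}: {detail}")
```

Two points worth noting when reading the output. The link check compares hostnames, not whole URLs, because attackers rely on the visible text looking right while the destination host differs; a message whose link text is just "Click here" is not flagged by that rule, which is why the other indicators matter too. And the display-name rule catches a trick that a casual look at the sender misses: a real-looking address placed inside the quoted display name, with the actual sending address hidden behind it.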