The rise of phishing and what you can do to protect yourself
“The CEO emailed me and said he had lost his wallet on the way to London from Germany. He said he didn’t have enough funds to book a hotel and asked me to transfer €5000 to his personal account so that he could get a taxi, book a hotel and have enough funds for his stay in the UK. It was my first week as a finance assistant and I didn’t want to get on the wrong side of the CEO, so I transferred the money. It was only later, when we were reconciling the bank accounts and I told my Manager, that we realised the email hadn’t come from the CEO and he knew nothing about it. By that time it was too late: the money had gone and, because I had transferred it freely, the bank couldn’t do anything about it.”
Unfortunately, this type of situation is becoming all too common. 75% of organisations experienced a phishing attack in the last year and 50% of all small business hacks have come from a phishing scam.
Phishing is the term for using digital means to steal users’ data, and there are a few different types:
- Deceptive phishing is where the fraudsters send mass generic emails to a large number of email accounts in the hope that at least a small percentage of the recipients will fill in their details or click on the link.
- Spear phishing is where an individual is targeted for the phishing scam, using information that has been gathered online from company websites and social media.
- Whaling is where a senior employee is targeted, such as the CEO or Finance Director.
- Pharming is where websites are targeted and details are stolen from people who believe they are entering them on a legitimate website.
- Dropbox/Google Docs phishing is where users are asked to fill in their details on a well-known document management website in order to access a document such
The above situation was a clear incident of spear phishing. Spear phishing accounts for 91% of phishing attacks and has become far more sophisticated than the original “foreign investor” or “prince who needs somewhere to send his money” emails.
In this case, the fraudsters had reviewed the company website and seen the CEO’s plans to travel to a conference in London; gained access to HR contacts by deceptive phishing of an email account that wasn’t protected by 2FA, and seen that a new email account had been set up; reviewed the new user’s social media to see when her start date was and when she “checked in” on the way to work that morning; and finally looked at the CEO’s social media, seen which airport he was flying from and, from there, worked out the flight times.
It seems a long-winded and complex way of extorting €5,000, but it opens the floodgates for that organisation. Once it is known that the organisation is easy to breach, more and more spear phishing emails are sent to try to get more money. Luckily, in this case the fraud was realised and the company took steps to secure its systems.
The financial cost of falling victim to a phishing scam is estimated to average $3.77 million, covering remediation, productivity loss and fines from regulators. A breach of data could leave a company liable to fines under GDPR/DPA, and we have seen increasingly high fines issued by the ICO where reasonable steps to protect data have not been taken. Perhaps the biggest impact, though, is on PR, with 44% of UK consumers saying they would not work with a company that had experienced a data breach.
So what can companies do to protect their data?
The UK’s National Cyber Security Centre advises a multi-layer approach that encompasses both technical and HR measures to prevent attack.
The first line of defence is to prevent the emails from reaching your inboxes in the first place. The second line is robust user training to identify phishing emails and the third line of defence is an action plan for if your organisation is breached.
- By implementing anti-spoofing controls such as DMARC, SPF and DKIM you prevent your domains from being spoofed.
- Reduce the amount of information you put in the public domain. This is difficult at a time when genuine service users judge a company by its website, reviews and so on, but a specific PR strategy can reduce the risk.
- Spam filters are an absolute necessity. Using well-known, frequently updated spam filtering technology prevents most (but not all) phishing emails from being delivered to the inbox. Quarantining these emails gives users a chance to review them fully before deciding whether they are genuine.
- Training. Whilst the technical measures are important, some phishing emails will still fall through the net, so it is vital that colleagues know how to spot a spam/phishing email and take the necessary time to review emails to ensure they are genuine.
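The anti-spoofing controls above only help if the published records actually instruct receivers to reject forged mail; an SPF record ending in `~all` or a DMARC policy of `p=none` is monitoring, not protection. The following script is an added example, not part of the article or a Giotech tool: it parses SPF and DMARC TXT records and grades how strongly they protect a domain. The domains and records are constructed for illustration and are read from a dictionary in place of a real DNS lookup.

```python
# Constructed DNS TXT data for hypothetical domains (no real lookups are made).
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
    # missing.example publishes nothing at all
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return SAMPLE_DNS.get(name, [])


def assess_spf(domain):
    """Return (grade, findings) for the domain's SPF record."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "fail", ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    if len(records) > 1:
        return "fail", ["more than one SPF record: RFC 7208 treats this as a permanent error"]
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return "weak", ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return "pass", ["-all: unlisted senders hard-fail"]
    if qualifier == "~":
        return "weak", ["~all: unlisted senders only soft-fail; many receivers still deliver"]
    return "fail", [f"{all_term}: anyone may send as this domain"]


def parse_dmarc_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain):
    """Return (grade, findings) for the domain's DMARC record."""
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not records:
        return "fail", ["no DMARC record: SPF/DKIM failures carry no instruction to receivers"]
    tags = parse_dmarc_tags(records[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "reject":
        grade = "pass"
        findings.append("p=reject: receivers are told to drop failing mail")
    elif policy == "quarantine":
        grade = "weak"
        findings.append("p=quarantine: failing mail goes to spam rather than being rejected")
    else:
        grade = "fail"
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and grade != "fail":
        grade = "weak"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    return grade, findings


def assess_domain(domain):
    """Combine SPF and DMARC grades; the weaker of the two decides the overall result."""
    order = {"fail": 0, "weak": 1, "pass": 2}
    spf_grade, spf_notes = assess_spf(domain)
    dmarc_grade, dmarc_notes = assess_dmarc(domain)
    overall = min(spf_grade, dmarc_grade, key=order.get)
    return {"domain": domain, "overall": overall, "spf": spf_grade,
            "dmarc": dmarc_grade, "findings": spf_notes + dmarc_notes}


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "missing.example"):
        result = assess_domain(name)
        print(f"{name}: overall={result['overall']} (spf={result['spf']}, dmarc={result['dmarc']})")
        for note in result["findings"]:
            print("  -", note)
```

To run this against a real domain, replace `lookup_txt` with a TXT query from a DNS library and check both the organisational domain and `_dmarc.` under it; DKIM is verified per message against the selector named in the signature, so it is not graded from a single static record here.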
At Giotech, we have created a Top 10 tips for spotting a phishing email, which can be accessed and downloaded here: https://giotech.co.uk/wp-content/uploads/2020/03/Phishing-emails-top-10-tips.pdf. In short, users should check:
- Who the email is from. Is it a company email address or a spoofed address designed to look genuine?
- Who is the email to? If you have been BCC’d into the email, be cautious.
- What time was it sent? Most phishing emails are sent when the attackers know a user has a lot of emails and will be rushing through them, such as before the start of the day.
- What does the email contain? Are there links or attachments, and were you expecting them to be sent?
- A sense of urgency. Is there an unreasonable time limit or an incentive for completing the details?
- Dropbox files and Google Drive links. If this is not your company’s standard way of transferring data, be wary.
- Contact details. Can you contact someone to check the validity of the email? If there is no contact number, address, name or email, this is a key indication that the email is not genuine.
- Spelling and grammar. Phishing emails often contain spelling and grammar mistakes, as they are written by non-native speakers or run through translation services. Genuine senders care about their branding and will use correct spelling and grammar.
- Report any spam/phishing emails. By reporting any spam or phishing emails using your spam-filter vendor’s systems, you are helping to improve their service to yourself and others, as well as automatically blocking any further emails from that domain. Don’t just delete them, report them!
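Several of the checks in this list (sender, recipient, timing, urgency, links and attachments) can be applied mechanically to a message before a person ever reads it. The script below is an added example and not part of the article or the Giotech tips document: it runs those checks over a constructed email modelled on the CEO-wallet story, using only Python’s standard library. The company domain, the recipient address, the office hours and every name, domain and link in the sample are invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed message modelled on the CEO-wallet story in the article; every
# address, domain and link is invented for this example.
SAMPLE_EMAIL = """\
From: "Chris Smith (CEO)" <chris.smith@acme-corp-mail.example>
Reply-To: chris.smith.ceo@freemail.example
Return-Path: <bounce@freemail.example>
To: undisclosed-recipients:;
Date: Mon, 02 Mar 2020 07:52:10 +0000
Subject: URGENT - transfer needed before 9am
Content-Type: text/html; charset="utf-8"

<p>I lost my wallet on the way to London and need EUR 5000 in my personal
account <b>today</b> to book a hotel. Upload the confirmation here:
<a href="http://acme-corp.example.login-share.example/dl">https://www.dropbox.com/s/confirm</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "before", "deadline")
FILE_SHARE_HOSTS = ("dropbox.com", "drive.google.com", "docs.google.com")
WORK_HOURS = range(8, 18)  # assumed office hours, in the timezone of the Date header


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message, company_domain, my_address):
    """Run the checklist over one message; return a list of (check, detail) findings."""
    msg = message_from_string(raw_message)
    findings = []

    # Who is it from? From, Reply-To and Return-Path should all agree with the company domain.
    from_domain = domain_of(msg.get("From"))
    if from_domain != company_domain.lower():
        findings.append(("sender", f"From domain {from_domain!r} is not {company_domain!r}"))
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(("sender", f"{header} domain {other!r} differs from From domain"))

    # Who is it to? If you are not named in To/Cc you were BCC'd or bulk-mailed.
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    if my_address.lower() not in recipients:
        findings.append(("recipient", "your address is not in To/Cc (BCC or undisclosed recipients)"))

    # When was it sent? Flag mail timed for the rush outside the working day.
    try:
        sent = parsedate_to_datetime(msg.get("Date"))
        if sent.hour not in WORK_HOURS:
            findings.append(("timing", f"sent at {sent:%H:%M} outside assumed office hours"))
    except (TypeError, ValueError):
        findings.append(("timing", "Date header missing or unparseable"))

    # What does it contain? Decode the text body, then look at urgency, links and attachments.
    body_part = next((p for p in msg.walk() if p.get_content_maintype() == "text"), None)
    body = ""
    if body_part is not None:
        body = body_part.get_payload(decode=True).decode(
            body_part.get_content_charset() or "utf-8", errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", f"pressure words present: {', '.join(hits)}"))

    for href, label in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target_host = (urlparse(href).hostname or "").lower()
        label_host = (urlparse(label.strip()).hostname or "").lower()
        if label_host and label_host != target_host:
            findings.append(("link", f"text shows {label_host!r} but href goes to {target_host!r}"))
        if any(host == h or host.endswith("." + h)
               for host in (target_host, label_host) for h in FILE_SHARE_HOSTS):
            findings.append(("file-share", "link involves a file-sharing service"))

    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append(("attachment", "unexpected attachment present"))
    return findings


if __name__ == "__main__":
    for check, detail in analyse(SAMPLE_EMAIL, "acme-corp.example", "finance@acme-corp.example"):
        print(f"[{check}] {detail}")
```

None of these findings proves a message is fraudulent; the value is that a message collecting several of them is sent to quarantine, where the colleague can check the sender by phone, as the contact-details tip advises, before acting.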
- Enable multi-factor authentication across all your accounts and use web-blocking software to prevent access to dangerous sites. Even if a colleague clicks on a phishing link, if the website is blocked they will not be able to reach it. Blocking macros can likewise prevent malicious activity, and even if a colleague fills in their details, with multi-factor authentication set up the hacker will not have access to the code and the user will be alerted that someone is attempting to log in to their account.
- Password managers are another way of protecting accounts. If the user does not know the password they can’t type it into a non-genuine URL, and a password manager will only offer the password for the right URL.
- Set up a separate administrator password on all devices. If a user tries to install downloaded software, the device will prompt for the administrator password, which can prevent trojan software being installed by mistake. Keep administrator passwords secret so that any software installation must be authorised through a robust change-control policy.
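The password-manager point rests on the manager comparing the page’s origin with the one the credential was saved for, rather than on a person reading the address bar. The snippet below is an added example, not code from the article or from any password manager, showing the comparison in its simplest form: scheme, host and port must match exactly and the scheme must be HTTPS. The saved entry and the test URLs are invented; real products vary in whether they match on the exact host or the registrable domain.

```python
from urllib.parse import urlsplit

# Hypothetical saved credential entry for this example.
SAVED_LOGIN = "https://login.acme-corp.example/signin"


def origin(url):
    """Return (scheme, host, port) with default ports filled in, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def should_autofill(saved_url, current_url):
    """Offer the password only when the page's origin is exactly the saved one, over HTTPS."""
    saved, current = origin(saved_url), origin(current_url)
    return saved is not None and current is not None and saved == current and current[0] == "https"


# Constructed pages a user might land on from an email link, with the expected decision.
CASES = [
    ("https://login.acme-corp.example/reset?token=abc", True),
    ("https://LOGIN.acme-corp.example:443/", True),                        # case and default port
    ("http://login.acme-corp.example/signin", False),                      # plain HTTP
    ("https://login.acme-corp.example.verify-account.example/", False),   # real domain is the suffix
    ("https://login.acme-corp.example@evil.example/signin", False),       # text before @ is userinfo
    ("https://login-acme-corp.example/signin", False),                    # hyphen instead of dot
]


def run_cases():
    """Return True when every constructed case gets the expected decision."""
    return all(should_autofill(SAVED_LOGIN, url) == expected for url, expected in CASES)


if __name__ == "__main__":
    for url, expected in CASES:
        print(f"{'fill' if should_autofill(SAVED_LOGIN, url) else 'no fill':8} {url}")
    print("all cases as expected:", run_cases())
```

The fourth and fifth cases are the ones that defeat a visual check: the genuine hostname appears at the start of the address, but the browser connects to the host after the last `@` or at the end of the domain, and the manager’s exact-origin comparison sees that even when the user does not.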
Whilst the above will help to prevent a data breach and goes a long way towards demonstrating your organisation’s reasonable compliance with data protection law, it only takes one email to sneak through, one employee to click on the link and one account that is not fully protected for the hackers to gain access to the system.
If this happens, you need to respond urgently to prevent further breaches. A security incident response/management plan is vital, ensuring everyone knows who is responsible for remediating a breach and has the right tools and expertise to do so.
The threat of phishing emails is increasing, and so is the potential harm of falling victim to them. With every company processing or controlling personal data, there is an onus on every company to take all reasonable steps to ensure data security.
At Giotech, we can advise on the right solution for your industry, size and complexity of company as well as providing end-user training. Schedule a call with our experts and we can help you to ensure the safety and security of your data.