5 ways to beat spear phishing
For years, criminals have been trying to trick you into giving them money or giving away personal details. Today is no different, it’s just that the method of attack has changed from face-to-face to email, says cyber security commentator Pete Roythorne.
October is European Cyber Security Month (ECSM), but just in case you’re not yet familiar with the term, ‘phishing’ refers to fraudulent email messages appearing to come from legitimate sources. These emails will contain links to malicious websites or have attachments that can download malware to your system.
They used to be easy to spot and avoid, but according to Verizon Data Breach research, a massive 30% of phishing emails were opened in 2015 – up from 23% in 2014. At the same time, the number of people clicking on the enclosed link or attachment also rose from 11% to 13%. Figures any email marketer would be proud of, and given the huge numbers of people these emails are distributed to, cause for considerable concern for businesses of all sizes.
Phishing is getting more sophisticated
Over the past couple of years we’ve seen some scary new developments. Firstly, ‘spear phishing’. These attacks are seeded with specific personal or institutional information in the hope of making the attack more believable. As such they are often much less easily dismissed.
Secondly, ‘whale phishing’ (or CEO fraud), where the scammers target key business functions with emails purporting to come from high-ranking executives, such as the CEO. According to the Anti Phishing Working Group whale-phishing became a major problem in 2015. Initially they started as unsophisticated money transfer requests, but quickly became much more sophisticated.
The FBI reported a 270% increase in global losses to these types of attacks from January to August 2015. The agency also claims that more than 12,000 victims have been affected globally, with average losses of $120,000, but with some companies being tricked into losing as much as $90m.
Beat the phisher men (or women)
With so much of our information available online, from CEOs’ email addresses to even their travel plans, it’s getting easier for cyber criminals to create convincing phishing hooks. And worryingly, it’s often smaller businesses that are the most under threat as they don’t have the robust authorisation policies in place to stop people being conned into passing over huge sums of money.
Here are five solid security tips to help you shore up your defences:
1. Create strong internal processes
Exploiting a weakness in internal controls is crucial for CEO fraud to work. By tightening up on processes you can lessen the chance of this happening.
2. Education, education, education
User awareness training is critical. The more educated staff are, the more prepared they’ll be when they see a real attack. However, the ever-changing nature of these attacks means training is not a one-off thing, but an ongoing process.
3. Filter your emails
Having a system that filters incoming email an enables you to automatically block obvious spam and phishing emails is a must.
4. Keep patching
Any malware in phishing emails will very likely exploit commonly known vulnerabilities. So, by ensuring you’re up to date with operating system and application security patches you’ll reduce the chance of being breached.
5. Don’t forget the basics
Educate staff on what to do if they’re not sure:
- If something looks out of the ordinary, ask around to see if this is this common behaviour for your CEO.
- Look at the email headers and links. Always pay attention to where a link is actually going, and never trust it to be where you think. The same goes for where the email itself is coming from so be sure to check the email headers.
- Call your CEO and ask. If it’s urgent they’re not going to have an issue if you say you’re processing it, if it’s not genuine they’ll be delighted you checked.
It really is all too easy to be taken in by phishing scams, particularly with the back stories becoming more and more refined. However, with some simple steps you can make sure your business doesn’t find itself hitting the headlines for all the wrong reasons.