Phishing attacks remain in the news. ZDNet reported last week that a prolific phishing operation—which already had a list of 50,000 CEOs, CFOs and other high-level executives—has expanded with a new database of additional targets.
Separately, the UK’s 2019 Cyber Breaches Security Survey revealed that phishing remains the country’s top cybersecurity threat, cited by 80% of businesses and 81% of charities.
It has been more than 20 years since phishing became part of our collective consciousness. Adversaries still use a variety of techniques, including:
- Embedding a link in an email that tricks an employee into visiting an unsecure website that requests sensitive information.
- Spoofing the sender address in an email to appear as a reputable source and request sensitive information.
- Installing malware via a malicious email attachment or ad, which allows the intruder to exploit loopholes and obtain sensitive information.
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.
Typically, if an attack method has been around for two decades, we would have figured out how to stop or minimize it. The fact that phishing remains a huge threat is attributable to several factors:
- Phishing still works. People still open emails or attachments that they shouldn’t, and sometimes it only takes one mistake to create a huge breach. According to the Verizon 2018 Data Breach Investigations Report, 4% of the targets of any given phishing campaign will click on it.
- Attacks are more sophisticated. Adversaries are constantly upping their game, using social engineering and other methods to make their emails appear more legitimate than ever.
- Businesses are more vulnerable. Business email compromise (BEC) attacks are rising. Between October 2013 and May 2018 the FBI reported losses and potential losses of more than $12 billion globally due to BEC and email account compromise attacks.
- Automation. It is simpler and less expensive for adversaries to launch massive attacks, using automation and inexpensive tools via cloud computing and the dark web. Why take a targeted approach when a shotgun is so easily available?
Because many of today’s attacks do such a good job mimicking legitimate emails, you can’t count on technology alone to prevent every malicious email from getting through to a potential victim. But you can limit your vulnerability by investing in technologies such as spam filters and web filters and focusing on these four key areas:
- Awareness. You have to make people aware that these threats are out there, they are real and they can cause significant harm to your organization. With the rise of BEC attacks, people in finance are particularly vulnerable.
- Education and training. Once you’ve raised awareness, you have to follow up with education and training. Ensure employees look at language, grammar, spelling, logos, etc. Teach them to be wary of emails that require urgent action. There are many ways to prepare employees; training should be ongoing and mandatory.
- New processes. If business processes are leaving you vulnerable, change them. For example, when you walk into a bank you can’t just take out a large amount of money without having an officer or manager approve it. With email, the person receiving the email should not be the person releasing the money. Also, train your people to call suppliers and verify by phone when they are asked for a payment that is in any way suspicious.
- Corporate culture. Awareness, training and instituting safer processes are part of building a corporate culture focused on cybersecurity and mitigating risk. It’s important for business leaders to remember and remind their people that everyone is responsible for cybersecurity, and everyone has a part to play.
The fundamental techniques used in phishing attacks haven’t changed in more than two decades. Phishing is still about getting people to do things that seem legitimate but aren’t. Modern technology can limit vulnerabilities, but organizations must still account for the people element.
The more you can do to shape your corporate culture around cybersecurity awareness, education and training, the better prepared your people will be to avoid clicking on the wrong link or opening a malicious attachment. Phishing may never go out of season, but with the right approach you can minimize the risk that your organization will ever get hooked.
Sean Duca is vice president, regional chief security officer, Asia Pacific and Japan, for Palo Alto Networks.