Cyber resilience: beware of phishing

By Contributor CSM 15th October 2018

By Contributor CSM Online 15th October 2018 First Published Winter 2016

Beware of the Phisherman

Cyber criminals and phishing emails

Just as it is the default business communication tool, email has also become the most popular tool for cyber criminals. Phishing, which sees the criminal impersonate an individual or brand to trick a target, is a cyber-criminal’s preferred method of obtaining sensitive information or money from businesses or individuals. These attacks have become both more sophisticated and more prevalent, and this is set to continue into 2017.

Phishing email methods

There are a number of methods used with phishing emails. One example is where the perpetrator sends an email from what appears to be a legitimate organisation like a bank or a vendor, with a link to a fake website. Often these websites are infected with malware, a type of malicious software which is able to gain access to your private computer system and gather sensitive information – bank details, credit card numbers and so on. The sender uses something called spoofing, the creation of email messages with a forged sender address, to trick the receiver into thinking it’s from a genuine sender.

A more elaborate, and harder to detect, method is Business Email Compromise (BEC). Again, the email address will be spoofed, usually so it looks as though it is from the CEO or another high ranking executive. The attacker will often target the finance department and request a large amount of money be transferred to pay an invoice, or another similar request. The attacker, posing as the CEO, will give the details of a fraudulent bank account and will often state that they are held up in a meeting and the invoice needs paying immediately to rush the target into skipping usual policies.

Phishing email attacks

One of the largest instances of a phishing attack this year was at Snapchat’s HQ. A scammer sent an email to the payroll department impersonating the CEO and requested confidential information on current and former employees. Neither the targeted employee nor the security team spotted the fake, and the data was handed over.

These attacks should be dealt with using a combination of technology and employee education. Humans are the weakest link, and attackers know this, so they will continue to evolve and develop their methods for deceiving people.

Educating employees about phishing emails

Employee education and training is an important factor in identifying and preventing these breaches. Employees should receive regular training in identifying a number of potential cyber attacks and what to do if they suspect they have detected one. The organisation should have clear policies and procedures in place on how to handle sensitive information and the sharing of it, as well how to deal with the transfer of funds. However, social engineering techniques are being adopted by the fraudsters to circumvent employee training and company policies. Therefore, emphasis for prevention of targeted attacks must be placed on other, technology-based methods of detecting and blocking these emails from reaching their intended targets.

John Wilson, Field CTO Agari

SHARE 0 comment

0

Facebook Twitter Pinterest Email

Contributor CSM

City Security magazine is proud to work with contributors from across the security sector and beyond, including police forces, security associations, security providers, consultants and specialists who produce a range of varied and interesting content.

Subscribe here

Be the first to read the latest issues of City Security magazine when you subscribe. Available free in print or digital format.

DIGITAL VERSION

PRINT VERSION

Filter Articles

By author
First Published
By organisation
Reset

Email: info@citysecuritymagazine.com

Twitter Linkedin

ABOUT

The Authors
City Security Magazine
Forward Features
Testimonials
eReviews
Write for us
Advertise