Beware of the Phisherman
Cyber criminals and phishing emails
Just as it is the default business communication tool, email has also become the most popular tool for cyber criminals. Phishing, which sees the criminal impersonate an individual or brand to trick a target, is a cyber-criminal’s preferred method of obtaining sensitive information or money from businesses or individuals. These attacks have become both more sophisticated and more prevalent, and this is set to continue into 2017.
Phishing email methods
There are a number of methods used in phishing emails. In one, the perpetrator sends an email that appears to come from a legitimate organisation such as a bank or a vendor, containing a link to a fake website. Often these websites are infected with malware, malicious software that can gain access to your computer system and gather sensitive information – bank details, credit card numbers and so on. The sender uses a technique called spoofing, the creation of email messages with a forged sender address, to trick the recipient into believing the message comes from a genuine sender.
A more elaborate, and harder to detect, method is Business Email Compromise (BEC). Again, the sender address is spoofed, usually so that the message appears to come from the CEO or another high-ranking executive. The attacker will often target the finance department and request that a large sum be transferred to pay an invoice, or make a similar request. Posing as the CEO, the attacker supplies the details of a fraudulent bank account and often claims to be held up in a meeting, insisting that the invoice must be paid immediately in order to rush the target into skipping the usual policies.
Phishing email attacks
One of the largest instances of a phishing attack this year was at Snapchat’s HQ. A scammer sent an email to the payroll department impersonating the CEO and requested confidential information on current and former employees. Neither the targeted employee nor the security team spotted the fake, and the data was handed over.
These attacks should be dealt with using a combination of technology and employee education. Humans are the weakest link, and attackers know this, so they will continue to evolve and develop their methods for deceiving people.
Educating employees about phishing emails
Employee education and training is an important factor in identifying and preventing these breaches. Employees should receive regular training in recognising a range of potential cyber attacks and in what to do if they suspect they have detected one. The organisation should have clear policies and procedures in place on how sensitive information is handled and shared, as well as how transfers of funds are authorised. However, fraudsters are adopting social engineering techniques precisely to circumvent employee training and company policies. Emphasis for the prevention of targeted attacks must therefore also be placed on technology-based methods of detecting and blocking these emails before they reach their intended targets.
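The spoofing and BEC patterns described above leave traces in message headers that a mail gateway or SIEM rule can check before the email reaches an inbox. The script below is an added illustration of such a technology-based check and is not code from Agari or from the original article; the trusted domain, the executive roster, the header heuristics and the four sample messages are all constructed for this example. It flags an executive's display name on an external address, a Reply-To or envelope sender that diverges from the From domain, a lookalike sender domain, and urgency wording of the kind the article describes.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the
# display names of executives that attackers are likely to impersonate.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "right away")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw_message):
    """Return a list of findings for one RFC 5322 message (empty list = clean)."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. An executive's display name on an address outside the company domain
    #    is the classic BEC spoof: the name looks right, the mailbox is not.
    if from_name.strip().lower() in EXECUTIVES and from_dom != TRUSTED_DOMAIN:
        findings.append("executive display name on external address")

    # 2. A Reply-To pointing elsewhere steers the victim's answer to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to domain differs from from domain")

    # 3. The envelope sender (Return-Path) not matching the From header is a
    #    common sign of a forged From address.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append("envelope sender domain differs from from domain")

    # 4. A domain within two edits of the real one (typo-squat / homoglyph).
    if from_dom != TRUSTED_DOMAIN and 0 < _edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 5. Urgency language in subject or body, as in the 'pay this now' pretext.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency wording")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\nReturn-Path: <jane.doe@example.com>\n"
    "Subject: Q3 numbers\n\nSee the attached summary.\n"
)
DISPLAY_SPOOF = (
    "From: Jane Doe <jane.doe@freemail-provider.test>\n"
    "Return-Path: <bounce@freemail-provider.test>\nSubject: Invoice\n\n"
    "I'm stuck in a meeting, please pay this invoice immediately.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@examp1e.com>\nReturn-Path: <jane.doe@examp1e.com>\n"
    "Subject: Supplier payment\n\nPlease process the attached today.\n"
)
REPLY_TO_SWAP = (
    "From: Jane Doe <jane.doe@example.com>\nReply-To: <ceo.office@external.test>\n"
    "Return-Path: <jane.doe@example.com>\nSubject: Re: contract\n\n"
    "Can you send me the supplier contact details?\n"
)

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("display-spoof", DISPLAY_SPOOF),
                          ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO_SWAP)]:
        print(f"{label}: {analyse(sample) or 'clean'}")
```

In a gateway deployment the individual findings would feed a score or a quarantine rule rather than a hard block, since a mismatched Return-Path is also produced legitimately by mailing lists and some bulk senders; the header checks are most useful combined with SPF, DKIM and DMARC results, which the example deliberately leaves out to stay self-contained.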
John Wilson, Field CTO Agari