Monday, 17 February 2020

What Can You Do about the New Phishing Threat?

Phishing attacks are on the rise – again. And attackers are trying new ways of targeting your organisation and your staff. How can you stay one step ahead?

One in every 99 emails is a phishing attack, according to the Avanan Global Phish report. Frighteningly, that same report found that one in every 25 brand emails is a phishing attack.

Phishing activity via email rose nearly 41 percent last year.

There’s also a new phishing threat in town. In a recent blog, we highlighted how phishers are adopting new places to hunt for their prey: social media sites.

Social media phishing is rising at an even faster rate than the threat by email. Last year it rose by 200 percent.

You can’t rely on technology alone to solve the problem

Another worrying trend is the evolution of approaches to bypass existing security protections. It is, of course, ever thus: as soon as IT finds a way to plug a vulnerability, hackers start looking for a new one to exploit.

In our recent blog, we identified ways in which hackers are disguising links using zero-width (invisible) characters. By doing so, they were able to bypass Microsoft’s URL reputation check and Safe Links URL protection.
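The zero-width trick is easiest to understand from the defender’s side: a filter that matches on the raw text of a link never sees the host name it is looking for, while a filter that normalises the link first does. The following is an added Python example, not code from the original post or from Grant McGregor; the sample message, host names and block list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Zero-width code points that render as nothing but split a string, so a
# plain text or reputation match on the raw URL no longer matches.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: the host name is split by a zero-width space, so
# "login-example.test" never appears literally in the raw message text.
BLOCKED_HOSTS = {"login-example.test"}
SAMPLE_BODY = (
    "Your password expires today. Reset it at "
    "http://login-exam\u200bple.test/reset now.\n"
    "Questions? See https://intranet.example.test/help"
)


def strip_zero_width(text):
    """Drop zero-width code points so the URL is seen as the user sees it."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def naive_hits(body, blocked):
    """Substring match on the raw text: the check the padding defeats."""
    return [host for host in blocked if host in body]


def find_disguised_links(body, blocked):
    """Normalise every URL before checking it, and count hidden characters."""
    findings = []
    for raw in URL_RE.findall(body):
        clean = strip_zero_width(raw)
        url = clean.rstrip(".,;")  # trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        findings.append({
            "normalised": url,
            "hidden_chars": len(raw) - len(clean),
            "blocked": host in blocked,
        })
    return findings


if __name__ == "__main__":
    print("naive match:", naive_hits(SAMPLE_BODY, BLOCKED_HOSTS))  # []
    for finding in find_disguised_links(SAMPLE_BODY, BLOCKED_HOSTS):
        print(finding)
```

A non-zero `hidden_chars` count is itself a strong signal worth alerting on, whatever the host, since legitimate mail has no reason to pad a link with invisible characters.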

It’s clear that, while having the right security processes, tools and settings in place is essential, you also need a further line of defence. So what are canny organisations doing to ensure their systems, data and people are protected from this widespread threat?

Educating their people about phishing (and keeping them updated!)

As well as being your greatest weakness, your people are your best line of defence against the phishers. Having a trained and switched-on team who know how to spot a problem (and are given the tools to easily report and quarantine anything suspicious) will stop most phishing attacks in their tracks.

To help you give your people the tools they need, Grant McGregor partners with a leading training provider. A combination of online learning and practical tests creates a really sticky learning experience.

Users are taught how to spot a potential phishing attack. Then tested to see how they’d fare in a real-life phishing scenario. Impersonation plays a big role in phishing attacks. But when we impersonate the phishers it’s much less risky.

If users fail to spot the potential phishing activity, they are directed to a further training opportunity rather than a malicious site. There’s reporting to confirm training is completed and also to demonstrate a reduction in potentially harmful clicks.

Stay current

Training your people to be “a human firewall” can’t be a one-off event.

Everyone in the team – including senior executives – will need regular refresher training. This isn’t just about remembering what was learnt. It’s also about staying up to date with the new threats that are out there.

As we can see from the changing trend towards using social media to launch phishing attacks, the threat from phishing is constantly evolving.

For example, Facebook is now the third most-impersonated brand in phishing attacks. Twitter and Instagram brand impersonations are also on the rise. And Netflix is another popular brand to impersonate by phishers.

You might think this doesn’t apply to your work environment, since these are all brands that users interact with in their personal time and, even then, not on their work devices. However, all it takes is a little lapse in concentration for an employee to forget that they don’t use their work account to manage their Netflix subscription and click on a link.

More likely, however, is the fact that too many users still use the same password and once it’s given away…

Seek expert support

Staying abreast of the changing threat landscape can seem like a lot of work. For those who aren’t experts in the field, it can be difficult to know where to start.

But there is plenty of help available for those who want it. Grant McGregor, for example, offers a free online service to enable you to check whether any of your corporate accounts have been compromised and the details for sale on the dark web. You can use it here.

This is a really important step towards ensuring that compromised accounts aren’t used to launch further phishing attacks.

As we’ve said many times before, training is the best way to start. It helps to demystify the topic and give team members greater confidence to act when they spot something that doesn’t seem quite right.

If you would like to find out more about the training we can provide, or anything else about the topic – such as implementing effective email security, for example – you can contact our team here.

Image credit: Abscent / Shutterstock.com