Cyber criminals are adopting ever more sophisticated ways to target their phishing activity. What can your organisation do to minimise the risk? Read on...
If you’re a regular reader of this blog, you’ll know that phishing is a cyber attack vector centred around email communications. Criminals and would-be “phishers” send out spoofed emails with malicious intent.
Emails often contain inducements to click on dodgy embedded links, which redirect victims to pages that download malware or viruses, or that harvest personal information which can then be used for further attacks.
This is common. Forrester research has revealed that 91 percent of all hacking attacks today begin with a phishing attack.
While phishing started out as bulk emails sent to huge lists, over time the malicious practice has evolved as cyber criminals have become cleverer and more targeted in their attacks. We now hear terms such as “spear phishing” (using highly targeted, tailored emails) and “whaling” (attacks that are even more targeted – usually at senior executives).
Similar approaches using other mediums, such as SMS texting and telephone calls, have received their own monikers (smishing and vishing, respectively). Social media has also become a source of potential risk. This relatively new attack vector is known as “angler phishing” and uses fake URLs and (often) cloned websites and posts to persuade people to divulge sensitive information or download malware. Social phishing targeted at individuals, exploiting their personal insecurities to lure unknowing victims into a relationship with the intent of exploiting them, became so prevalent that it got its own moniker too: cat phishing.
Most recently, we have learnt that cyber criminals are deploying AI tools to generate more effective phishing emails with concerning success. In 2021, WIRED reported that AI wrote better phishing emails than humans in a recent test. Researchers found that tools like OpenAI's GPT-3 helped craft devilishly effective spear phishing messages.
To minimise these growing risks from phishing activity, there should be a number of different lines in your organisation’s defence:
• Email content filtering – automated tools to scan email content and sandbox suspicious emails to prevent phishing emails from reaching internal teams.
• Domain-based email authentication – to ensure that emails are coming from the senders they purport to be from.
• URL protection – automated tools that pre-scan URLs in email content to ensure links are safe before a user can click on them.
• Attachment protection – automated tools to scan attachments, sandboxing suspicious attachments to remove them from emails before they reach their targeted recipients.
• Remote browser isolation – increasingly popular as part of a zero-trust approach, these tools load webpages in an isolated virtual environment to ensure that even if a user clicks on a malicious link, nothing is downloaded to the local device.
• Threat intelligence – security teams should subscribe to threat intelligence sources so that they can update their policies and training regularly to deal with the latest cyber threats and attack vectors.
• Staff awareness training – perhaps your best and most important line of defence; empower staff to recognise suspicious emails and know exactly what they should do in response.
• Reporting – often overlooked, it is vital to have clear processes around threat reporting and to ensure that all staff understand what to report and when and how to do it.
• Incident response plan – know how you will respond if the worst happens. As Forrester emphasises, “If everything else fails, the quality of your incident response will make the difference between a bad problem and a disaster.”
Together, this combination of processes, education and technical tools and controls will help you to strengthen your defences against would-be phishing attempts.
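To show what the “domain-based email authentication” control above actually checks, here is a small worked example. It is written for this post and is not a tool from the article or from Grant McGregor. It assumes the mechanism a receiving mail server uses is DMARC: the domain owner publishes a policy in DNS, and the receiver asks whether the SPF or DKIM verdict it already has is for a domain aligned with the visible From: domain, then applies the published policy if not. The DNS records, domain names and verdicts below are constructed stand-ins so the code runs offline; a real deployment would perform live DNS queries, use the Public Suffix List to work out organisational domains (so that co.uk is handled properly), and take the SPF/DKIM results from the mail server.

```python
"""DMARC alignment and disposition check (added example, constructed data).

Assumptions (not from the article): the DMARC policy lives in a TXT record at
_dmarc.<domain>; SPF and DKIM verdicts come from an upstream verifier.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups so the example needs no network.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


@dataclass
class AuthResults:
    """What the receiving server already knows about one message."""
    header_from: str   # domain in the visible From: header the user sees
    spf_pass: bool     # SPF verdict
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was evaluated on
    dkim_pass: bool    # DKIM signature verified
    dkim_domain: str   # d= tag of the verified DKIM signature


def lookup_dmarc(domain, dns=FAKE_DNS):
    """Fetch and parse the DMARC record for a domain into a dict of tags."""
    record = dns.get(f"_dmarc.{domain.lower()}")
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    # Defaults from the DMARC specification when a tag is absent.
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # relaxed SPF alignment
    tags.setdefault("p", "none")    # policy for unaligned/failed mail
    return tags


def org_domain(domain):
    """Crude organisational-domain reduction: keep the last two labels.
    Real implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') allows
    subdomains of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == header_domain.lower()
    return org_domain(auth_domain) == org_domain(header_domain)


def dmarc_disposition(results, dns=FAKE_DNS):
    """Return 'pass', or the action the From: domain's policy asks for."""
    policy = lookup_dmarc(results.header_from, dns)
    if policy is None:
        return "no-policy"   # nothing published; receiver falls back to its own rules
    spf_ok = results.spf_pass and aligned(results.spf_domain, results.header_from, policy["aspf"])
    dkim_ok = results.dkim_pass and aligned(results.dkim_domain, results.header_from, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "none")


if __name__ == "__main__":
    # A message from example.com's own mail subdomain passes under relaxed SPF alignment.
    print(dmarc_disposition(AuthResults("example.com", True, "mail.example.com", False, "")))
    # A message whose SPF passed for an unrelated domain is rejected per example.com's policy.
    print(dmarc_disposition(AuthResults("example.com", True, "bulk-sender.test", False, "")))
```

The two printed verdicts are what a mail gateway would act on: the first message is delivered, the second is dropped because the domain the user sees in From: is not the domain that actually authenticated. Publishing a policy of p=none (as example.org does here) only reports on such mail, which is why moving to quarantine or reject matters once your own legitimate senders are aligned.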
Recent research by Proofpoint shows that while 90 percent of cyber security professionals see cyber security as a priority for their organisation, this isn’t matched by user perceptions. Only 63 percent of users think their organisation prioritises cyber security.
This gap needs to be filled through education and awareness raising. While the UK performs well here internationally, there remains much room for improvement. Proofpoint research found that UK organisations have the highest rates (52 percent) of training for known targeted users. However, while half of UK organisational training highlighted the risk of phishing, only 30 percent of such training included phishing simulations.
Simulations are a brilliant way to raise awareness, boost user understanding and caution while, at the same time, identifying those who most need further training and support.
That’s important because, as Forrester emphasises, traditional advice about recognising and avoiding phishing emails is out of date. Simply looking for misspellings, grammatical errors and odd language is no longer enough – not when the most dangerous attacks are specific not only to a targeted organisation but to individual users.
The Harvard Business Review warns that cyber criminals are becoming ever-more sophisticated and personalised in their methods of attack. It warns, “By exploiting cyberattacks that steal true information, criminals can combine that with just a bit of misinformation to result in major financial impacts for companies and individuals.”
This means that, more than ever, staff need to be aware and ready to question even the most authentic and personalised communications. HBR’s advice? “Continually learn about new schemes, be cautious and prepare your defences.”
If you need help to prepare any of the cyber defences against phishing discussed in this article, please reach out to our team.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
You can find more information about phishing and other cyber-security topics on our blog: