Don’t get hooked by phishing

The unsettling ransomware attack on a number of target organisations recently will re-focus attention on cyber-crime and phishing attacks, according to Quiss commercial services manager Matt Rhodes.

Research indicates the spread of the WannaCry virus was not caused by individuals responding to a phishing attack, but by hackers exploiting vulnerabilities in public-facing systems. However, that finding is likely to breed complacency about future phishing attacks.

Cyber-crime awareness remains an issue, with an astonishing 30% of phishing messages being opened by recipients, according to the ‘Verizon 2016 Data Breach Investigations Report’.

More than 90% of hacking attacks are triggered by a phishing campaign, which targets employees to gain access to secure systems or infect systems with ransomware, typically including a toxic attachment or link directing the recipient to a fake website.

Security training should be provided for every employee, but the key question is how they will actually respond to a real threat.

Methods of attack change constantly but for cyber-criminals looking to obtain sensitive information, phishing remains an effective, low-risk approach. Their success rate is increased by the ‘it won’t happen to me’ complacency of individuals, and those who believe they could never fall for such an obvious scam.

Cyber-criminals use a personally addressed email and, to make it appear as trustworthy as possible, they often research the target or apply some social engineering first.

Personal social media profiles or the target organisation’s website give criminals easy access to most of the information they need to structure a convincing email, including the names and personal details of friends, colleagues, clients, etc.

Phishing emails usually ask the recipient to confirm account details, check an order and so on, which involves opening an attachment or clicking a link that leads to a website.

The websites may not raise alarm bells at first glance, if at all, because they often look genuine. They are, however, fake sites that allow the criminals to harvest log-in details, account passwords, etc.
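The links described above (visible text pointing at a genuine-looking site while the underlying address goes elsewhere, or a look-alike domain) can be checked mechanically at a mail gateway before a message ever reaches an inbox. The following is an added illustration written for this page; it is not code from the article or from Quiss. The trusted-domain list, the sample message and the similarity threshold are all constructed assumptions, and the domain-extraction helper is deliberately crude (it takes the last two labels rather than consulting a public-suffix list).

```python
"""Heuristic link checks for an e-mail body, in the style of a mail-gateway filter.
Added example; TRUSTED_DOMAINS, SAMPLE_EMAIL and the threshold are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately links to (assumption).
TRUSTED_DOMAINS = {"example.com"}
LOOKALIKE_THRESHOLD = 2  # max edit distance to call a domain a look-alike


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return reasons
    link_domain = registrable_domain(host)

    # 1. Visible text names one domain while the href goes to another.
    shown = text.strip()
    if "." in shown and not any(c.isspace() for c in shown):
        if "://" not in shown:
            shown = "http://" + shown
        shown_host = urlparse(shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != link_domain:
            reasons.append(f"text shows {shown_host} but link goes to {host}")

    # 2. Domain is not trusted but is a near-miss of a trusted one.
    if link_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(link_domain, trusted) <= LOOKALIKE_THRESHOLD:
                reasons.append(f"{link_domain} resembles trusted domain {trusted}")
                break

    # 3. Bare IP address instead of a host name.
    if host.replace(".", "").isdigit():
        reasons.append(f"link uses a bare IP address {host}")
    return reasons


def scan_email(html_body):
    """Map each suspicious href in the body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: one look-alike domain, one mismatched link, one clean link.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please <a href="http://examp1e.com/login">confirm your account</a> now.</p>
<p>Or visit <a href="http://203.0.113.5/verify">www.example.com/verify</a></p>
<p>Help: <a href="https://support.example.com/faq">support.example.com/faq</a></p>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the look-alike and the IP-address link are flagged and the genuine support link passes. The check is deliberately a heuristic: it cannot judge whether a page is fake, only whether a link is dressed up to look like somewhere it does not go, which is exactly the trick the article describes.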

The appeal of phishing is clear for criminals who stand to gain significant reward for minimal risk. Yet despite all the hype:

- 10% of people targeted will fall victim to a phishing attack;
- 23% will open the message and 11% will click on the attachments;
- 91% of hacking attacks are triggered by a phishing or spear-phishing email;
- there has been a 55% increase in spear-phishing campaigns targeting employees.

Educating employees on what to look out for and providing regular refresher courses will undoubtedly reduce the risk, but there will always be those who ignore the threat or become complacent.

To tackle such threats, specialist service providers can reveal how employees will react to an attack by conducting simulated phishing campaigns. They construct credible emails that appear to come from familiar contacts such as colleagues or customers and replicate real phishing emails, using a variety of messages and harmless stand-ins for toxic attachments.

Recipients are unaware they are being tested, and because their responses and actions are recorded it soon becomes clear who needs support. The resulting report identifies the individuals who opened attachments, clicked links, etc., and those who reacted inappropriately receive an informative email explaining the consequences their actions would have had in a real attack.

Phishing tackled this way helps identify the weakest points in any secure system: the people who use it.

Worryingly, the initial failure rate is generally around 33% and though more training will probably see this figure fall to approximately 5%, few businesses will ever achieve a zero response. This is because ultimately, we are dealing with humans who sometimes make mistakes.

The threat posed by just one employee opening a harmful email is growing, so it is crucial that businesses regularly test their defences and improve their security practices.