Phishing is the number one threat to business security, responsible for more than 53% of all cyber-attacks, and whether it’s a personal or business email, we’re all used to the signs of a spam message. Terrible grammar, nonsensical subject lines, requests for large transfers of money to foreign accounts; all too familiar. However, what a lot of employees might not be as familiar with is ‘spear phishing’.
Instead of casting a wide net over the whole ‘shoal’ of a company in the hope that a few lax employees will click on a malicious link, attackers target one person and build a very detailed and targeted campaign around their approach. This form of phishing is far more dangerous because often it’s disguised behind the email of a trusted colleague or superior.
>Read more on How to protect an organisation: 5 cyber security tips
Picture the scene. You work in accounts for a large shipping company. You’re finishing work for the day when you receive an email from your boss, the CFO.
“Hi, Robert. Could you just add XXX onto the payroll for this month? He’s done some freelancing for us, but the paperwork appears to have got lost. I can vouch for him, but it has to be done today! It’s £XXX to the following account…”
It seems legitimate. Especially if you frequently receive messages like this from your boss (let’s call her Sarah). You know it’s not best practice, but if Sarah is happy for this to go ahead, then no problem – right? You set up the payment and leave for the day. One thing sticks in your mind – no-one at work calls you Robert. It’s always ‘Rob’. Oh well, not worth worrying about.
>Read more on Are CEOs the greatest security risk to organisations?
Nobody is any the wiser, but you’ve just been the victim of a sophisticated cyber-attack. Cyber-attackers, who have hacked into your boss’s email (lots of businesses have Office 365 but without any security features enabled which makes it easy for phishing attempts to succeed), have masqueraded as ‘Sarah’, monitored her email style, and made your company transfer them money by appearing as she would do online. The error may never be discovered, or at least by the time it is; it’ll be too late.
But smart the cyber-criminals are, there are almost always one or two small inaccuracies that stick out, and some common themes to look out for. Here’s a quick three-step guide to turning your workforce into cyber-security heroes, not zeroes.
>Read more on Enterprise-wide changes coming to address cyber risk
Why so urgent?
In almost all ‘spear-phishing’ attacks, the communication will retain one of the features of a classic scam – urgency. The transfer of money ‘must’ take place straight away, the employee details ‘absolutely have to’ be sent to a third party within half an hour. Even a more casual request (‘Can you make sure you do this for me now?’) has the same giveaway. Ask yourself – why is it so urgent?
The request might seem reasonable at first, but does it stand up to scrutiny? Is it something that you would typically be tasked with your day to day role? Is this the person who you’d normally liaise with? Is this an issue which should definitely be covered in person or via phone call? Applying these questions can often result in a sudden moment of clarity that everything is not as it should be.
>Read more on Cyber risks are ‘leaving IT in the dark’
Sweat the small stuff
The human capacity to spot patterns, and inaccuracies in those patterns, is top drawer. When we receive a message from someone, we can almost always tell when something has changed, whether that’s tone, sentence length or how they sign off. Even if someone stops using your nickname suddenly! If any of these red flags are appearing, and the request is around anything potentially sensitive (financial, employee/business information, private details), then go directly to the source and raise the question face to face. Something else to watch out for is when you cannot see certain messages from your colleagues even when they insist that they sent them to you. Often, the cyber-attacker controlling your colleague’s mailbox will filter out part of a communication chain in order to ensure exclusive access to it and avoid being discovered in a longer mail exchange.
>Read more on Overlooked email security risks and how to prevent them
For ‘Rob’, it would have been worth carrying out at least one of the above. According to PhishMe’s Enterprise Phishing Resiliency and Defense Report, a successful phishing attack can cost a mid-sized enterprise $1.6m. Unfortunately, people remain the weakest security link, so education is key to curtailing cyberattacks. Education to elevate the awareness of security threats to all people across the organisation – not only in IT or security departments. With everyone taking their own cyber-security role seriously, only then can businesses develop a healthy security stance.
Sourced by Evtim Batchev, CTO at Halian