From the massive consumer data leak at Equifax to the state-sponsored infiltration of Kaspersky, high-profile security breaches hit almost every major industry in 2017. These incidents act as a reminder that even large corporations are failing to deal with clear deficiencies in their digital practices.
While software vulnerabilities and improperly configured cloud services have grabbed headlines over the past year, phishing attacks have been a far more persistent threat to the enterprise. An end-of-year report published by Webroot identified phishing as the leading cause of security breaches in 2017, and other studies estimated the business cost of an average phishing campaign at $1.6 million.
This latest wave of phishing attacks is characterized by increasing sophistication and subtlety. Although fraudulent emails and counterfeit websites have been used by cyber criminals for decades, earlier attempts were distributed as broadly as possible, intending to reach as many potential victims as possible.
Modern phishers, however, use a targeted technique known as spear phishing to trick specific victims into divulging sensitive personal information and financial details. Hackers often focus their efforts on senior executives, leveraging their positions to access a wealth of high-level business data.
At Smadatek, we have found that phishing attacks have become one of the key vectors through which ransomware is delivered into organizations’ networks. Once installed, this software can spread across a company’s IT infrastructure, locking down computers and encrypting critical files. Victims are then prompted to pay the hackers to regain control of their systems.
These payments are small, so most companies end up paying the ransom even though they have no assurance that the hackers will make good on their end of the exchange. According to some reports, over 93% of phishing emails are now being used to distribute this type of malware.
In August 2017, the hacking group behind the Defray virus used this exact combination to attack a few healthcare providers across the UK and US. In each incident, the hackers used custom-designed phishing emails that were difficult to discern from authentic internal communications. For instance, UK hospital employees received emails containing subject lines such as “patient reports”.
Once opened, the email directed readers to download an attached Microsoft Word file. As soon as the attachment was downloaded, users would receive a pop-up message informing them that their files were now encrypted.
Public service organizations are especially vulnerable to ransomware attacks because any system downtime can lead to disastrous consequences for their customers. Government or state-run institutions also tend to lag behind on basic IT security: critical updates and patches are often neglected, and most computers are running on unsupported operating systems.
How to Protect Against Phishing Attacks
At its heart, phishing is a human problem. To protect your business, you must carry out a comprehensive educational program that teaches employees to identify phishing threats.
Some organizations have taken the added step of introducing disciplinary measures for employees who habitually click links in spam emails. These repeat offenders may be subjected to further training or, in extreme cases, formal disciplinary action. This practice has proven to be ineffective, as an individual’s vulnerability to phishing attacks depends more on corporate culture, workplace norms, and email habits than on lapses in personal responsibility.
Instead of shaming phishing victims, you should create a workplace environment that encourages employees to take part in implementing cyber security best practices. Provide employees with accessible communication channels that allow them to report potential threats to the responsible departments. Informal channels should also be established so that vulnerable users can seek a second opinion on suspicious links and emails.
All internal and outgoing emails should follow a consistent, concise format with clear branding that identifies them as authentic communications. Companies should use a single domain for all email addresses to minimize any confusion among customers or employees. Companies should also consider implementing a DMARC policy that specifies which machines may send emails using the company domain. Any email received from unauthorized servers should be rejected.
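To make the DMARC recommendation concrete, here is an added example (not Smadatek's own tooling) that parses SPF and DMARC TXT records and flags the settings that leave a domain open to spoofing: a monitoring-only policy (`p=none`) or an SPF record that merely soft-fails unlisted senders (`~all`). The domain, addresses and record values are constructed samples, not real DNS data.

```python
"""Audit SPF and DMARC TXT records for weak anti-spoofing settings."""
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    # Weak: SPF soft-fails unlisted senders (~all) and DMARC only monitors (p=none).
    "weak": {
        "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    },
    # Hardened: SPF hard-fails unlisted senders (-all), DMARC rejects
    # unaligned mail for the domain and its subdomains.
    "strict": {
        "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test",
    },
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    if not record.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(spf, dmarc):
    """Return a list of findings; an empty list means the records are strict."""
    findings = []
    # SPF must end in -all so receivers hard-fail mail from unlisted hosts.
    if not re.search(r"\s-all\s*$", spf):
        findings.append("SPF does not hard-fail unlisted senders (-all)")
    tags = parse_dmarc(dmarc)
    # p=none only reports; p=quarantine spam-folders; only p=reject blocks.
    if tags.get("p") != "reject":
        findings.append("DMARC policy is %r, not reject" % tags.get("p", "missing"))
    # sp defaults to p, so an absent sp inherits a weak domain policy.
    if tags.get("sp", tags.get("p")) != "reject":
        findings.append("subdomain policy weaker than reject")
    # Without rua there is no feedback on who is sending as the domain.
    if "rua" not in tags:
        findings.append("no aggregate report address (rua)")
    return findings
```

Running `audit(**SAMPLE_RECORDS["weak"])` lists the three weaknesses, while the strict pair produces no findings.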
We Can Help You Prevent Phishing-Related Security Breaches
Protecting your business requires vigilance, knowledge, training and the right tools. At Smadatek, we can provide your business with the knowledge to combat these sophisticated security threats.