Phishing attacks increased 250% last year – Make sure you don’t get hooked!
The Hong Kong Phishing Scam sketch on YouTube is one of the funniest things I’ve ever seen. But don’t let it fool you. Phishing emails represent one of the most dangerous threats facing any business … including yours.
Phishing is growing fast. Microsoft’s Security Intelligence Report found that phishing attacks increased by 250% in 2018. And, according to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting make up 98% of social incidents and 93% of breaches, with email the delivery vector in 96% of those attacks.
More bad news
Spotting a bad email isn’t as easy as it used to be. Hackers are now hiring native speakers to draft their content, and designers add industry context to make their messages look legitimate.
A targeted variant, so-called “whaling”, can be even more damaging than generic phishing, because it singles out senior managers or other key executives. By imitating messages from familiar services, such as LinkedIn or Office 365, these emails trick recipients into revealing personal or corporate data, or into approving payments, that criminals can exploit for profit.
Whaling works frighteningly well. The Airbus supplier FACC AG lost around US$54 million in an email fraud that impersonated its chief executive. Even tech giants like Google and Facebook aren’t immune: both fell victim to a fake-supplier billing scam that netted an estimated US$122 million. Although some of that money was eventually recovered, most businesses aren’t so lucky.
Empower your first and last line of defence – employees!
Most phishing and whaling emails carry no malicious attachment or embedded code, so they routinely slip past email scanners that look for malware. Technical controls reduce the volume, but what reaches the inbox is ultimately decided by the recipient, so businesses must raise awareness of the threat amongst the target audience – their staff!
A big question for most businesses is who should take charge of such awareness-building activities – HR or IT? The best answer is both, along with a specialist security services provider that has the expertise and technology to create convincing simulated attacks, monitor email click rates, and follow up with security awareness training to help staff identify threats and avoid putting the business at risk.
Adura’s Integrated Phishing Awareness Platform sends targeted phishing emails to staff at all levels of the business, tracks each click, and collects metrics on how staff perform. It is loaded with customisable templates designed to tempt an employee.
Anyone who clicks a bad link is redirected to a phishing awareness page with advice on how to spot a potential phishing message. Short, 5-10 minute anti-phishing quizzes are included, and staff are expected to score a passing grade.
Good security isn’t a one hit wonder
There is no silver-bullet for eradicating risks from phishing. It takes an ongoing effort to educate staff, encourage best-practices, and discourage risky behaviour. Adopting a campaign-oriented approach, with 3-4 email campaigns a year is a good way to educate staff on the threats that are likely to hit their inboxes.
Before you can raise awareness, you need to know where it currently sits. Adura recommends that the first campaign should focus on establishing a company click rate baseline. It can be a rude awakening, with some companies discovering that they’ve been sitting ducks, with click rates as high as 60%.
Subsequent campaigns should focus on different scenarios. Adura’s email template designer produces genuine-looking but entirely fraudulent test messages – anything from Dropbox invitations to download pay slips, to corporate-branded SharePoint folders.
What does good look like?
If click rates are dropping, then security awareness is improving. However, making a real difference takes time and commitment.
In phishing simulations Adura has run for clients, we’ve seen as much as 60 per cent of staff opening fake emails disguised as social media invites or legitimate-looking internal organisational messages. That is despite those employees having received training on how to spot phishing emails!
The secret of successful security training is repetition. Rolling out campaigns at random intervals every few months keeps staff on their toes. Staff won’t know whether the next email is a test or an actual attack, and will therefore pay more attention to validate the authenticity of the email, the purpose, and the sender.
Although achieving a 100% success rate would be fantastic, a bad-link click rate of 5% is a more realistic target for most businesses. It is also important to ensure that the security training doesn’t hurt staff morale. From the outset, security awareness and phishing simulation should be framed as an educational programme that benefits both the employee and the business.
Employers can take the edge off the “testing” process and encourage people by offering modest rewards, such as coffee-shop coupons, to staff who pass. Employees who maintain a “clean” security record might even win a more substantial incentive, like an extra vacation day. Email phishing is a massive threat to any business, so HR involvement in devising techniques and managing initiatives to motivate staff is important.
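The metrics this article relies on (the per-campaign click rate from the simulation platform, the baseline from the first campaign, the downward trend that signals improvement, and the 5% target above) are simple to compute, but a few details decide whether the number is honest. The block below is an added example, not Adura’s platform code. It assumes a hypothetical event log with one line per event in the form `<timestamp> <campaign> <user> <department> <event>`, where the event is `sent`, `click` or `report`; the users, departments and events are constructed for illustration. It counts a recipient at most once however many times they click, flags clicks from addresses that were never sent the mail (a forwarded test message, for instance) instead of counting them, reports the per-department breakdown that shows where to focus training, and checks each campaign against the target.

```python
"""Phishing-simulation campaign metrics over a constructed event log.

Added example; not Adura's platform code. The log format is an assumption:
    <iso-timestamp> <campaign> <user> <department> <event>
with event one of: sent, click, report.
"""
from collections import defaultdict
from dataclasses import dataclass, field

TARGET_CLICK_RATE = 0.05  # the 5% target the article calls realistic

# Constructed user -> department mapping (hypothetical staff).
USERS = {
    "alice": "finance", "bob": "finance", "carol": "finance",
    "dave": "engineering", "erin": "engineering", "frank": "engineering",
    "grace": "engineering",
    "heidi": "sales", "ivan": "sales", "judy": "sales",
}
CAMPAIGNS = ["C1-baseline", "C2-dropbox", "C3-sharepoint"]

# Constructed outcomes: who clicked (alice clicked twice in C1) and who reported.
CLICKS = {
    "C1-baseline": ["alice", "alice", "bob", "carol", "dave", "heidi", "ivan"],
    "C2-dropbox": ["alice", "heidi", "ivan"],
    "C3-sharepoint": ["ivan"],
}
REPORTS = {
    "C1-baseline": ["dave"],
    "C2-dropbox": ["bob", "carol", "erin"],
    "C3-sharepoint": ["alice", "bob", "carol", "dave", "erin", "heidi"],
}


def build_sample_log():
    """Render the constructed data as log lines: every user is sent each campaign."""
    lines = []
    for i, camp in enumerate(CAMPAIGNS):
        stamp = f"2019-0{i + 1}-15T09:00:00Z"
        for user, dept in USERS.items():
            lines.append(f"{stamp} {camp} {user} {dept} sent")
        for user in CLICKS[camp]:
            lines.append(f"{stamp} {camp} {user} {USERS[user]} click")
        for user in REPORTS[camp]:
            lines.append(f"{stamp} {camp} {user} {USERS[user]} report")
    return lines


SAMPLE_LOG = build_sample_log()


@dataclass
class CampaignStats:
    sent: set = field(default_factory=set)
    clicked: set = field(default_factory=set)    # unique recipients who clicked
    reported: set = field(default_factory=set)   # unique recipients who reported
    unexpected_clicks: int = 0                   # clicks from non-recipients

    def click_rate(self) -> float:
        return len(self.clicked) / len(self.sent) if self.sent else 0.0

    def report_rate(self) -> float:
        return len(self.reported) / len(self.sent) if self.sent else 0.0


def parse_line(line):
    """Split one log line; the log is ordered, so 'sent' precedes any click."""
    _stamp, campaign, user, dept, event = line.split()
    if event not in ("sent", "click", "report"):
        raise ValueError(f"unknown event {event!r}")
    return campaign, user, dept, event


def summarise(lines, department=None):
    """Aggregate per campaign, optionally restricted to one department.

    Repeat clicks by the same user count once; a click from someone who was
    never sent the mail (e.g. a forwarded test) is flagged, not counted.
    """
    stats = defaultdict(CampaignStats)
    for line in lines:
        campaign, user, dept, event = parse_line(line)
        if department and dept != department:
            continue
        s = stats[campaign]
        if event == "sent":
            s.sent.add(user)
        elif event == "click":
            if user in s.sent:
                s.clicked.add(user)
            else:
                s.unexpected_clicks += 1
        else:
            s.reported.add(user)
    return dict(stats)


def trend(stats, campaigns):
    """Click rate per campaign in the order run; falling is what 'good' looks like."""
    return [(c, round(stats[c].click_rate(), 3)) for c in campaigns if c in stats]


def meets_target(stats, campaign, target=TARGET_CLICK_RATE):
    return stats[campaign].click_rate() <= target


def click_rate_by_department(lines, campaign):
    """Departments ranked from worst to best click rate for one campaign."""
    depts = sorted({parse_line(l)[2] for l in lines})
    rates = []
    for dept in depts:
        s = summarise(lines, department=dept).get(campaign)
        if s and s.sent:
            rates.append((dept, round(s.click_rate(), 3)))
    return sorted(rates, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for camp, rate in trend(stats, CAMPAIGNS):
        print(f"{camp}: click rate {rate:.0%}, report rate "
              f"{stats[camp].report_rate():.0%}, target met: {meets_target(stats, camp)}")
    print("baseline by department:", click_rate_by_department(SAMPLE_LOG, "C1-baseline"))
```

On the constructed data the baseline lands at 60% (the figure the article cites for some companies), the later campaigns fall to 30% and 10%, and none yet meets the 5% target; the report rate rising from 10% to 60% is the other half of the picture worth tracking, since a staff member who reports a test mail is the outcome the training is for.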
It may seem like a lot of effort and cost. However, awareness training may very well protect the business from fraud, intellectual property theft, or even bankruptcy. The fact is that some businesses don’t recover from cyber attacks.
By: Anwar McEntee
Senior Business Development Manager, Adura Cyber Security
Based in Asia since 2001, Anwar combines a strong understanding of the region with extensive experience in the industry to deliver tailored cyber security insights for organisations in Asia.