Cybersecurity Awareness Week 3 – Phishing


Phishing

… is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. (Wikipedia)

FACT: According to the EY study, employees are the weakest link in your security chain; needless to say, securing them is paramount for success. The report found that “careless employees are the most likely source of a cyberattack (named by 74 percent of respondents), followed by criminal syndicates (56 percent), malicious employees (52 percent) and hacktivists (46 percent)”.

Phishing is so widespread now that it makes daily headlines. In the last week alone we have had North Korea targeting US power plants, and Apple customers being targeted with phony popups posing as an iTunes account prompt asking them to verify their login details.

Barkly details the history and evolution of phishing, describing the attacker's new mindset: focus on the “soft, chewy center” of the organization, a.k.a. the user.


So who’s getting Phished?

According to Wombat's State of the Phish report, 76% of infosec professionals still report their organizations being victims of a phishing attack, despite growing education around Security Awareness Training programs. Attacks are evolving, but are companies keeping their Awareness Programs up to date? That doesn’t seem to be the case.

Wombat also alludes to this in their 2016 Beyond the Phish report, where they analysed “more than 70 million questions and answers in 10 categories, from June 2016 through May 2017”. They found that 1 in 4 employees hide security incidents, and that overall 20% of your organisation are likely to be a security threat. Put into that perspective, the numbers are mind-blowing.

Source: https://www.wombatsecurity.com/press-releases/annual-state-phish-report-wombat-security-shows-simulated-phishing-and-training


Spear Phishing / Whaling

The act of targeting individuals by hand-picking contacts within an organisation to phish. This method uses a tailored message and is most often aimed at executive-level employees, with the goal of extracting money from the victim.

Example:

A spear phishing email, apparently sent from the CEO, arrives in the CFO's inbox asking them to pay an attached invoice. The CEO's legitimate email address would be gary@futureconsulting.com;

but the attacker might spoof the sender address to read gary@futureconsutling.com

The CFO is unlikely to look twice at the spelling of the sender's email address.


What you need to know

Attackers use phishing to ultimately gain access to a system in order to steal sensitive corporate data. Phishing encourages users to click on a link, or open an attachment, in an email.

Although it might appear to the user that nothing has happened, the attacker's executable has run in the background and is on its way towards the intended target.

Example:

An unknown client, GL Contracting Services, sends an email to employees at ABC Construction asking them to update their customer information for its new system. The email may be blasted out to managers, operational staff, admin, sales and senior management. Curious as everyone is, someone is bound to click the link (in fact, according to this Verizon report, around 30% will).

Rules for Phishing

General rule: do not click any links within an email. Copy the link address and paste it into a safe URL lookup service instead.

Unknown Sender – If you’re unsure of the sender, do not click any links or open any attachments. Forward the email to your Security Officer.

Emails requesting Personal Information – BEWARE. Treat these emails with extreme caution.

Emails requesting an Urgent Response – a common tactic used to provoke an immediate reaction. Our senses are heightened and we do not make good decisions when we are pressed on “urgent matters”.

Stay calm and seek help from your Cybersecurity Officer.


But I don’t have time to manage this

The fact is that most companies do not have time to implement a Security Awareness Program, although it might be the one thing that saves them from a breach.

We understand that a Security Awareness Officer can be more of a luxury, a “nice to have” rather than a “must have”, for corporations today. But considering the rate at which phishing attacks are growing, we believe this is going to be a critical position on the Cybersecurity team within the next 3 years.

Some will be lucky enough to have a dedicated cybersecurity team member who can roll out programs and reach Security Awareness objectives, while others will be caught chasing their tails and pushing Security Awareness aside in favour of other more pertinent matters.

Those who cannot service this internally can outsource it to specialised cybersecurity companies to manage on their behalf.

This is what we do best here at CyberSecurity Brain. We manage Security Awareness Programs for all sorts of organisations by providing best practices around Security Awareness and policy formation, and by managing the roll-out of simulated phishing attacks.

Our methodology involves a phased approach: Assess, Educate, Reinforce, Measure.

Our goal is to make organisations more secure by securing the front line: the user. These programs are designed to drive change in user behaviour, which is achieved through ongoing assessment.

What you must do

Speak with us today. Jump on a call with us to talk about the challenges you are experiencing with educating users. Let us know what you are most concerned about and we will do our best to help you.

For more information on Security Awareness, or on running a simulated phishing attack:

Contact Gavin at gavin@cybersecuritybrain.ca – 604-734-7055


About CSB

CSB’s mission is to educate users on cybersecurity and keep employees safe from ransomware, malware, and phishing attacks. We specialise in a Managed Security Awareness solution, powered by Wombat Security. As a specialist Managed Services Provider for Wombat Security, we help organizations roll out Security Awareness campaigns, Policy Formation, and help with overall Cybersecurity Education.