Phishing, an increasingly popular form of cyber-crime, poses a very real and significant threat to organisations and individuals around the world. According to a recent report by Verizon, nearly a third of all data breaches in the last year involved some form of phishing. The report further underlines that phishing is a form of cyber-attack that is dangerous to businesses as well as consumers.
What is Phishing?
Phishing is a broad term for a form of cyber-fraud. The name is a play on “fishing”: the attacker dangles bait, and the victim is tricked into “taking the bait” and is hooked.
The attack typically involves cyber-criminals impersonating a person or an organisation in order to obtain information or to pressure the victim into carrying out a specific action. It can be delivered by email, telephone, text message or social media accounts.
Phishing itself is only the delivery method; its success depends on the victim doing something, such as opening a link or downloading an attachment. That action triggers the attacker’s “payload”, the weapon of choice, which may be anything from a credential-harvesting page to ransomware or some other form of malware.
Alternatively, cyber-criminals may direct you to a fake website that imitates a genuine one; once there you are asked to change your password or confirm a piece of sensitive information, which is then captured by the attacker.
Research in the past year has shown that 62% of phishing campaigns capture at least one set of user credentials.
The Impact of Phishing:
A good example of the financial impact phishing can have on organisations is the case of the Lithuanian hacker who, between 2013 and 2015, posed as a vendor and sent a number of fake invoices to both Facebook and Google, giving the impression that both companies did business with him. Both firms were duped, and the scheme cost them a combined $123m.
The tactic is simple; the key to its success is catching people off guard with an email that looks convincing and conveys a sense of urgency.
Some of the factors that come into play in a phishing attack are:
- Tailored content – emails designed to speak to you based on your likes, interests and activities.
- Impersonation – pretending to be a friend, colleague or manager.
- Trusted brands – cyber-criminals like to borrow the reputation of well-known brands such as PayPal, eBay and Amazon, because it builds a (false) level of trust that increases the chance of the target opening and engaging with the phishing email.
How Organisations Can be Kept Safe:
There isn’t a one-size-fits-all solution to email security and phishing, but a few best practices can help protect your organisation:
- Employee awareness training – training helps employees recognise the hallmarks of a phishing email and report it rather than act on it.
- Implementing access management policies and processes – another way to limit the impact of a phishing attack is to restrict access to sensitive systems to the individuals who need it to do their jobs. More broadly, the data itself should be protected so that it is not held in the clear, and so that no one can modify a system to grant themselves access; an administrator who does not need to see the data should not be able to, which reduces the exposure if that administrator’s credentials are phished.
- Using effective email technologies – a multi-layered approach to email security is the most effective way to tackle phishing and to stop your organisation’s own emails being imitated and sent to others (publishing SPF, DKIM and DMARC records for your domains lets receiving mail servers reject such forgeries). Deny-lists and allow-lists of sender addresses, domain names, IP addresses and ranges also help filter the messages that come through.
- Comprehensive separation of duties – with protected data, the endpoints can remain accessible to everyone while only authorised users obtain meaningful results; a Protegrity-protected data-set greatly reduces the risk of exposing protected data in the clear.
- Least privilege – abiding by the principle of least privilege, whereby users see only the minimum information needed to perform their administrative and operational duties, goes a long way towards reducing the damage a phishing or malware attack can do.
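As an added illustration of the filtering and brand-impersonation points above (this is example code written for this page, not Protegrity’s product or any real mail gateway), the Python below triages a raw inbound message: it applies a sender-domain deny-list and allow-list, flags a display name that borrows a trusted brand while the address belongs elsewhere, checks the Return-Path against the From domain, reads the receiving server’s DMARC result from the Authentication-Results header, and looks for urgency language. The domain lists, brand table, scoring weights and sample messages are all constructed assumptions.

```python
"""Minimal inbound-mail triage: deny/allow lists, brand impersonation, DMARC result, urgency."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data for this example (assumptions, not any vendor's real configuration).
ALLOWED_DOMAINS = {"example.com", "partner.example"}
BLOCKED_DOMAINS = {"malicious.example"}
# Brand names attackers borrow, mapped to the domain the brand is assumed to send from.
TRUSTED_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "ebay": "ebay.com"}
URGENCY = re.compile(r"urgent|immediately|verify your account|account (?:has been )?suspended", re.I)
QUARANTINE_THRESHOLD = 3  # assumed weight at which a message is held for review


def sender_domain(header_value):
    """Lower-cased domain part of an address header such as From or Return-Path ('' if none)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Score one raw RFC 5322 message and return its verdict, score and the reasons found."""
    msg = message_from_string(raw_message)
    display_name, _addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From"))
    reasons, score = [], 0

    # Deny-list hit: block outright, no further scoring.
    if domain in BLOCKED_DOMAINS:
        return {"verdict": "block", "score": None, "reasons": ["sender domain on deny list"]}

    # Unknown sender domain is a weak signal on its own.
    if domain not in ALLOWED_DOMAINS:
        reasons.append("sender domain not on allow list")
        score += 1

    # Display name claims a trusted brand but the address is not under that brand's domain.
    for brand, brand_domain in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and domain != brand_domain \
                and not domain.endswith("." + brand_domain):
            reasons.append(f"display name claims {brand} but address domain is {domain}")
            score += 3

    # Envelope sender (Return-Path) from a different domain than the header From.
    rp_domain = sender_domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != domain:
        reasons.append(f"Return-Path domain {rp_domain} differs from From domain {domain}")
        score += 1

    # DMARC verdict as recorded by our own receiving server in Authentication-Results.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        reasons.append("DMARC check failed")
        score += 3

    # Urgency language in the subject or a single-part text body.
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("urgency language")
        score += 1

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages (not real traffic).
PHISH = """From: "PayPal Support" <security@paypal-alerts.example>
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.example.com; dmarc=fail header.from=paypal-alerts.example
Subject: Urgent: verify your account
Content-Type: text/plain

Your account has been suspended. Click the link below immediately.
"""

LEGIT = """From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon?
"""

BLOCKED = """From: billing@malicious.example
Subject: Invoice 4471
Content-Type: text/plain

Please see the attached invoice.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("blocked", BLOCKED)):
        print(label, triage(raw))
```

The weights are deliberately crude: a single weak signal (an unfamiliar domain, or one urgent word) should not quarantine legitimate mail, whereas a brand name in the display name that does not match the address domain, or a DMARC failure reported by your own server, is strong enough on its own. In production these checks sit behind the gateway’s SPF/DKIM/DMARC evaluation rather than replacing it.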
Different data protection scenarios can require different forms of protection. Protegrity offers a variety of protection methods suited to a wide range of data types. Find out more by reading our e-book: Privacy by Design: Balancing Defence In-Depth With Advanced Analytics.
*** This is a Security Bloggers Network syndicated blog from Blog – Protegrity authored by Raajveer Loyal. Read the original post at: https://www.protegrity.com/phishing-a-popular-tactic-in-cyber-crime/