Phishing attacks remain prevalent and are a pressing reason for organisations across all industries to remain assertive and up to date in their cybersecurity practices.
Phishing attacks can bring organisations to their knees, with cybercriminals often able to rely on simple tricks to break into email accounts and networks. For example, phishing attacks can fool employees within an organisation into opening infected emails in business email compromise (BEC) schemes, which can infiltrate entire companies with spyware and ransomware.
The United States Federal Bureau of Investigation reported a 136 per cent increase in identified global exposed losses relating to BEC and other email account related scams between December 2016 and May 2018. The United Kingdom’s (UK) 2019 Cyber Breaches Security Survey recently revealed that phishing consistently registers as the country’s greatest cybersecurity concern, a claim supported by 80 per cent of surveyed businesses.
In Australia, businesses lost $2.8 million to BEC scams in 2018, as reported to Scamwatch. BEC scams cause businesses significant financial harm, accounting for 63 per cent of all business losses reported to Scamwatch. The average loss is nearly $30,000.
More than 20 years ago, phishing threats emerged as a burgeoning criminal exploit, and since then, phishing has remained a central issue organisations have worked to combat. Despite this, phishing still remains difficult for cybersecurity professionals to beat. This is because:
- Phishing still works. Compromised emails have proven to continuously fool recipients into opening attachments and clicking on links they shouldn’t. A simple scam like this can cause a large-scale breach. A 2018 report by Verizon revealed four per cent of phishing campaign targets fall into the trap.
- Attacks are becoming more sophisticated. Cybercriminals are constantly improving their skills, engaging in social engineering and other methods to make illegitimate emails appear increasingly authentic. We have seen cases where hidden inbox rules were created in compromised email accounts that were protected only by a username and password rather than by 2FA/MFA.
- Businesses are more vulnerable. BEC attacks are becoming more common, not less. In 2018, Australian businesses reported over 5,800 scams, causing more than $7.2 million in losses, a 53 per cent increase compared to 2017. A significant reason behind this increase is BEC, which accounted for $3.8 million of those losses. The point to note is that this is just what has been reported; the actual numbers could be much higher.
- Automation is helping cybercriminals be more efficient. Emerging technologies are helping cybercriminals develop simpler and cheaper phishing campaigns. Adversaries can now use artificial intelligence (AI), and machine learning (a subset of AI), as well as accessible cloud computing tools and features found on the dark web, to generate compromised emails and phishing campaigns that can be massive and highly effective.
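The hidden-rule pattern mentioned above is one of the few post-compromise traces a defender can check for directly. The following audit is an added example, not code from the original article: it scores exported mailbox rules in a simplified, assumed schema (real Exchange/Microsoft 365 or Google Workspace exports differ), with an assumed organisation domain and constructed sample rules using placeholder addresses.

```python
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
MONEY_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "urgent"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive"}

@dataclass
class InboxRule:  # simplified, assumed export schema
    name: str
    enabled: bool = True
    keywords: List[str] = field(default_factory=list)    # subject/body terms the rule matches
    forward_to: List[str] = field(default_factory=list)  # addresses the rule forwards to
    move_to: Optional[str] = None                        # destination folder, if any
    mark_read: bool = False

def rule_findings(rule: InboxRule) -> List[str]:
    """Suspicious traits of one rule; an empty list means it looks benign."""
    if not rule.enabled:
        return []
    findings = []
    if rule.name.strip() in {"", ".", ".."}:
        findings.append("empty or placeholder rule name")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.move_to and rule.move_to.lower() in HIDING_FOLDERS:
        findings.append("files matching mail in a folder the owner rarely opens")
    if rule.mark_read:
        findings.append("marks mail as read so the owner never notices it")
    hits = MONEY_KEYWORDS & {k.lower() for k in rule.keywords}
    if hits:
        findings.append("targets payment-related mail: " + ", ".join(sorted(hits)))
    return findings

def audit_rules(rules: List[InboxRule]):
    """Rules worth an analyst's look: any external forward, or two or more other traits combined."""
    flagged = []
    for rule in rules:
        findings = rule_findings(rule)
        if any(f.startswith("forwards") for f in findings) or len(findings) >= 2:
            flagged.append((rule.name, findings))
    return flagged

# Constructed sample export: one typical post-compromise rule and two benign ones.
SAMPLE_RULES = [
    InboxRule(".", keywords=["Invoice", "payment"], move_to="RSS Subscriptions",
              forward_to=["collector@attacker-placeholder.invalid"], mark_read=True),
    InboxRule("Newsletters", keywords=["newsletter"], move_to="Reading"),
    InboxRule("Old forward", enabled=False, forward_to=["me@personal-placeholder.invalid"]),
]
```

Running `audit_rules(SAMPLE_RULES)` flags only the first rule, with all five traits listed; the same checks applied to a real rule export give an incident responder a quick triage list after a suspected BEC compromise.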
Cybercriminals behind phishing attacks often deploy a variety of techniques, including:
- embedding links in emails or tricking employees into visiting unsecure websites that request sensitive information
- imitating legitimate sender addresses in emails to appear trustworthy and authentic, making it more likely for employees to hand over financial or confidential details
- installing malware via malicious email attachments or ads, letting intruders exploit loopholes and access restricted areas
- attempting to gain company information over the phone by impersonating a senior employee, a member of the IT or finance team, or a trusted vendor.
Many modern attacks effectively mimic legitimate emails to the point that technology alone can’t prevent every dangerous email from ending up in victims’ inboxes. However, organisations can improve their capacity to withstand BEC and phishing attacks by investing in tools like spam filters and web filters. Focusing on the following three key areas can also help organisations limit their vulnerability around phishing attacks:
- Fostering awareness: Employees are the weakest link in organisations’ fight to control cyber threats. It’s essential organisations educate and train employees on identifying suspicious emails, and the correct protocol to take if they receive an email that they suspect could be dangerous. This is particularly important for finance departments, with the rise of BEC attacks.
- New processes: Organisations need to change business processes that might be leaving them vulnerable. It can be useful to establish company-wide policies around sharing finance details with colleagues over email, and put stringent restrictions on making payments in response to email requests. Likewise, employees should be encouraged to call suppliers and finance departments when they’re asked for a payment, to verify the legitimacy of the request.
- Corporate culture: Awareness, education, and new processes are all part of establishing a stronger and safer corporate culture, built around managing cybersecurity and risk. It’s important leaders keep cybersecurity front of mind throughout the organisation, to ensure employees and departments remain assertive.
The basic processes behind phishing attacks have stayed the same for over 20 years; however, the effectiveness of these campaigns is proving increasingly difficult to combat. While modern technology can help mitigate risks, a large part of staying safe involves leaders and employees improving their cybersecurity hygiene. The more organisations do to strengthen cybersecurity awareness, the less luck hackers will have accessing the network.