Each year, the headlines in the media about cyber-attacks don’t change much, with ‘cyber-attacks are on the rise’ and ‘cyber-attacks are getting more sophisticated’ being two we see most often. And we’re sorry to be the bearer of bad news: it’s not just hyperbole.
Not only was 2020 no different, but the COVID-19 pandemic and the enforced mass migration to remote working presented a whole new range of attack opportunities for cyber criminals.
Now, phishing as an attack technique is nothing new, but since the COVID outbreak, prospective attackers have been exploiting everyone’s thirst for public information:
At first, it was about the spread of the virus around the globe. Websites and emails with official looking maps were used to deliver malicious payloads to anyone who made the mistake of clicking on unverified links. In fact, over the first few months, literally thousands of new domains referencing COVID-19 or coronavirus were registered by enterprising criminals wanting to lure a few victims.
Then, when things got very serious, lockdown and government announcements were the key focus. An email that looked like it might be from your employer saying “you’re being put on furlough and you need to read these documents” wasn’t really unexpected and many people wouldn’t have thought twice before clicking on a link or opening a document.
Cyber criminals are now focusing their campaigns on COVID vaccination messages. It’s the perfect cover; so many people are desperate to get their lives back to normal they will jump at any chance to speed up getting their vaccine.
Based on research released by some of the world’s biggest cyber security product companies, there are no signs that these phishing campaigns and the registration of website domains are abating. Not only that, it has been estimated that 30% of phishing emails are able to bypass default security measures.
While technology can prevent some suspicious emails from reaching end users, phishing isn’t solely a technical problem. Social engineers know that people can be coerced into carrying out actions they are trained not to (i.e. clicking on links and attachments). So, even if security teams invest in the best technology solution to protect your business, all it takes is one unaware employee clicking on a malicious link to potentially compromise an entire network.
So, when our clients ask how they should manage the phishing threat, we tell them that combining technology and user awareness in a defence-in-depth strategy will always provide more effective protection than any single solution.
There are often a few things that can help end users identify a phishing email, aside from checking that the ‘from’ email address is legitimate (which isn’t always as straightforward as it seems). One of the potential flags to look out for is a message body that places a very short deadline on an action in order to force you to click a link: this might be an ‘overdue invoice’ that must be paid via an online form immediately, otherwise legal action will be taken. This style of phishing email is designed to make the recipient act before thinking or checking with a colleague.
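The two indicators just described, a ‘from’ address that is not what it appears to be and a body that imposes an immediate deadline, can be checked mechanically as a first triage step. The script below is an added example written for this post, not code from SES or PGI; it parses a raw message with Python’s standard `email` library and raises a flag when the display name in the From header carries an address whose domain differs from the real sender domain, and another when the body contains deadline language. The phrase list and the sample message are constructed assumptions, modelled on the ‘overdue invoice’ lure above.

```python
"""Triage heuristics for two phishing indicators: a misleading From header
and urgent-deadline wording in the body. Constructed example; the phrase
list and the sample message below are illustrative, not real telemetry."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phrase list: wording that imposes a short deadline on the reader.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\bwithin\s+\d+\s+(hours?|minutes?)\b",
    r"\boverdue\b",
    r"\blegal action\b",
    r"\baccount will be (suspended|closed|locked)\b",
    r"\bact now\b",
]


def sender_parts(header_value):
    """Split a From header into (display_name, address, domain)."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def display_name_mismatch(header_value):
    """True when the display name shows an address whose domain differs from
    the real sender address, e.g. '"accounts@example.com" <x@lookalike.net>'.
    Mail clients often render only the display name, which hides the real one."""
    name, _addr, real_domain = sender_parts(header_value)
    embedded = re.findall(r"[\w.+-]+@([\w-]+\.[\w.-]+)", name)
    return any(d.lower() != real_domain for d in embedded)


def urgency_hits(body):
    """Return the deadline phrases found in the body, in pattern order."""
    text = body.lower()
    hits = []
    for pattern in URGENCY_PATTERNS:
        m = re.search(pattern, text)
        if m:
            hits.append(m.group(0))
    return hits


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return the list of flags raised for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    if display_name_mismatch(msg.get("From", "")):
        flags.append("from-display-name-mismatch")
    hits = urgency_hits(body_text(msg))
    if hits:
        flags.append("urgent-deadline:" + ",".join(hits))
    return flags


# Constructed sample modelled on the 'overdue invoice' lure; the domains are
# placeholders, not real senders.
SAMPLE = """From: "accounts@example.com" <billing@example-invoices.net>
To: staff@example.com
Subject: Overdue invoice - action required
Content-Type: text/plain; charset=utf-8

Your invoice is overdue. Pay via the online form immediately,
otherwise legal action will be taken.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print(flag)
```

Heuristics like these are for prioritising what a user or analyst looks at, not for blocking on their own: a legitimate finance reminder will also say ‘overdue’, and a From header that passes this check can still be spoofed, so the address check belongs alongside SPF/DKIM/DMARC results from the mail gateway rather than in place of them.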
If you’re unsure how you would answer the question in the title of this blog post, it’s impossible to measure how vulnerable your organisation is.
A phishing email can result in a ransomware attack or it might involve sending thousands of pounds to a cyber criminal. Either way, it’s important to give employees the tools to help them understand the risks they are managing as they go about their day to day operations.
One way to measure the current awareness of your employees, and help them understand the nature of the risk, is with a Phishing Vulnerability Assessment (PVA).
A PVA is designed to boost awareness of the cyber security risk and demonstrate how all employees can help to protect their company while online. An assessment typically includes a controlled phishing campaign over an agreed duration and will measure any number of areas, such as the percentage of recipients who opened the phishing email, how many recipients clicked on the link in the message, and location data to capture any departmental or specific office-based trends.
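The metrics a PVA reports (opened, clicked, and breakdowns by department or office) are straightforward to compute once each recipient’s outcome has been recorded. The following is an added example, not a tool from SES or PGI: it aggregates constructed campaign records into a per-group funnel and ranks the groups by click rate. The record layout and the sample data are assumptions; the only non-obvious rule it encodes is that a recipient who clicked is counted as having opened, because open tracking (typically an image beacon) undercounts when images are blocked.

```python
"""Aggregate the outcome of a controlled phishing campaign by department or
office. Constructed example with constructed records, not real results."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    email: str
    department: str
    office: str
    opened: bool    # tracking beacon loaded; undercounts when images are blocked
    clicked: bool   # followed the link in the message
    reported: bool  # reported the message to the security team


def summarise(recipients, key):
    """Return {group: {sent, opened, clicked, reported, *_pct}} grouped by the
    Recipient attribute named in `key` ('department' or 'office')."""
    groups = defaultdict(lambda: {"sent": 0, "opened": 0, "clicked": 0, "reported": 0})
    for r in recipients:
        g = groups[getattr(r, key)]
        g["sent"] += 1
        # A click proves the mail was opened even if the beacon never fired.
        g["opened"] += int(r.opened or r.clicked)
        g["clicked"] += int(r.clicked)
        g["reported"] += int(r.reported)
    for g in groups.values():
        for metric in ("opened", "clicked", "reported"):
            g[metric + "_pct"] = round(100.0 * g[metric] / g["sent"], 1)
    return dict(groups)


def worst_groups(summary, n=1):
    """Groups with the highest click rate; where awareness effort should go first."""
    return sorted(summary, key=lambda k: summary[k]["clicked_pct"], reverse=True)[:n]


# Constructed records; addresses and names are placeholders.
SAMPLE = [
    Recipient("a@example.com", "Finance", "London", True, True, False),
    Recipient("b@example.com", "Finance", "London", True, True, False),
    Recipient("c@example.com", "Finance", "London", True, False, True),
    Recipient("d@example.com", "Finance", "Leeds", False, False, False),
    Recipient("e@example.com", "HR", "London", True, False, True),
    Recipient("f@example.com", "HR", "Leeds", False, False, False),
    Recipient("g@example.com", "HR", "Leeds", True, False, True),
    Recipient("h@example.com", "Sales", "Leeds", True, True, False),
    Recipient("i@example.com", "Sales", "Leeds", True, False, False),
    Recipient("j@example.com", "Sales", "London", False, True, False),  # images blocked, link clicked
]

if __name__ == "__main__":
    for key in ("department", "office"):
        for group, stats in summarise(SAMPLE, key).items():
            print(key, group, stats)
    print("highest click rate:", worst_groups(summarise(SAMPLE, "department")))
```

Reporting rate is worth tracking alongside click rate: a department that clicks rarely but never reports gives the security team no early warning, whereas one that reports quickly shortens the window in which a real campaign can spread.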
Do you know how your people would deal with a phishing email? Get reassurance that they will take the right actions and you are helping them to help you and themselves at work and at home.
If you think you have been the victim of a phishing attack, or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch.
This article was published in partnership with our cyber security partners PGI.
© SES Secure Limited and ses-escrow.co.uk, 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.