With targeted and increasingly sophisticated phishing scams continually on the rise, the ever-evolving world of digital communication presents the optimal backdrop from which fraudsters can readily strike.
But what form do phishing scams take, what practical steps can be put in place by organisations to protect themselves and what part does human behaviour play in protecting systems and people from cyber threat?
Andrew Parsons, a partner in the dispute resolution team at international law firm Womble Bond Dickinson, comments: “Practically, there are processes and checks which can be put in place to mitigate the risk of phishing scams, but in the first instance it’s important to understand the different forms they can take.
“Employees within a large organisation may be able to spot the more obvious phishing emails as they tend to have a couple of common themes; they either look completely innocuous or they tap into fear, for example “your bank account has been hacked”. Hackers will often tailor emails to topics relevant at the time and they will certainly tailor to an organisation, with larger scale operations being particularly susceptible where facts are readily available to build a credible picture of a person and imitate an email address. A seemingly urgent email from someone imitating your managing director is relatively simple to execute as this information is online for all to view.”
People often expect to only be exposed to phishing through scam emails, leading them to wrongly assume the legitimacy of phone calls and divulge information. In a recent global report by Mutare, over 47% of businesses reported that they had experienced some form of voice phishing, or vishing, in the last 12 months.
Andrew adds: “Vishing occurs when someone phones you with the intent of deceiving you into sharing personal data with them. As a method of phishing, it came before email but has been making a resurgence in recent years. Large organisations, such as universities, banks and financial institutions are often targeted and should be extra cautious in terms of employee training and have complete clarity on which information employees are allowed to pass on over the phone. However, smaller businesses should also be aware of their own vulnerabilities as the value of data is relative to the value it has to your organisation.
Supply chain vulnerability
Andrew continues: “Supply chain attacks more commonly occur when you have outsourced part of your business, such as your HR department or payroll, for example. Rather than trying to hack you directly, the hacker may go for one of your suppliers who have weaker security and are linked into your systems.
“Multifactor Authentication (MFA) fatigue attacks is a strategy used to get around multi-factor authentication and usually take the form of fake emails repeatedly requesting access information from someone. This can lead to the recipient eventually getting so frustrated they either turn it off or hand over security codes.
“MFA fatigue attacks are relatively new, sophisticated methods, however in reality they make up only a small percentage of attacks. Phishing emails are still the most common threat, and, in these instances, it is a numbers game; the hacker will send hundreds or thousands of phishing emails to an organisation looking for that one click, playing the odds and hoping they can get past the barriers for at least one individual.”
It's not personal
Whilst people often think they have been personally targeted by the hacker, in most cases they haven’t – it is pure opportunity.
Andrew comments: “In less targeted attacks hackers don’t make decisions based on ‘interesting information’. The market value of the data is irrelevant, it’s what the value is to the organisation, to you. They will scan the internet and pick the lowest hanging fruit. That said, if they can, hackers will look to target different and specific demographics, for example the aged, the less experienced in roles and the vulnerable.
“Only a small number of hacker groups are using data to commit fraud, they aren’t stealing data to exploit it, they are stealing it to either sell or ransom it. There is a whole industry and eco-system based around the buying and selling of stolen data, running behind hacking attacks. In terms of how you get this information back; in most cases they send a ransom note. Some even provide instruction manuals and operate helplines to help victims to make payment of the ransoms.”
Human behaviour – a vital piece of the puzzle
Human behaviour plays a vital role in ensuring organisations and people stay safe and protected from the threat of phishing.
Andrew sums this up: “In the phishing space, human behaviour is critical. Ensuring everyone in your organisation has had regular training so they know the signs to look out for, as well as having a level of consciousness about their own data security are key.”
For more information, visit our re:connect hub.