Phishing and Your Company

The simplest way for a cybercriminal to get your personal information is to have one of your users hand over their credentials and passwords, worse still if that user is a privileged one. According to recent studies (https://www.varonis.com/blog/data-breach-statistics/), in over 70% of company breaches the attackers gained access because staff unknowingly handed over their sign-in credentials, generally via faked emails.

The NCSC’s website (https://www.ncsc.gov.uk/guidance/phishing) defines phishing as attackers attempting to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or directing them to a fake or dodgy website. The emails tend to look as though they come from known parties such as a bank, a government department or a sales contact, with links that lead to crafted facsimiles of the real site where the user is asked for sign-in or personal information. The fake page itself can also carry embedded malware that attempts to infect your PC (sometimes called a drive-by attack).

Phishing and smishing (phishing via text messages) are on the rise and comprise four main attack vectors:

  • Spear Phishing – Personalised attacks where they might have your name or other identifiable information about you, causing you to think you have a relationship.
  • CEO Fraud – Targets company executives in attempts to get them to verify cash transfers.
  • Deceptive Phishing – The most general, emails pretending to be from legitimate companies asking the user to sign in via a link.
  • Smishing – No longer just emails but SMS texting, where people are more relaxed with text messages and more likely to follow instructions.

In general, common sense can prevail in avoiding these attacks:

  • Limit the amount of personal information you post to social sites (if they have your birthday and your age then they have your date of birth), and don’t click on links! Open your browser and go to the website that way to check the veracity of the email.
  • Generally, a company will start with your username to prove they know you, so ‘Dear User’ should be an instant red flag.
  • You can also check their email address by hovering the mouse over the ‘from’ address.
  • If you get an email from someone known to you but something feels off, pick up the phone and ask them – they may have been hacked and know nothing about it and will appreciate someone bringing it to their attention.
  • Check for basic spelling errors or poor language flow; many attacks come from non-native English-speaking parts of the world, and grammatical structures vary between countries.
  • If an email instils a sense of urgency in you (you owe HMRC half a million pounds), stop, take a breath and check it again: social engineering relies on the fight-or-flight response overshadowing logic and common sense.
  • Minimise the number of add-ins, toolbars and third-party web apps you allow into your browser and email clients; not only do they tend to slow your system down, they also increase your attack surface.
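As an added illustration (not part of the original article), here is a small Python checker that applies several of the checklist items above to a constructed sample email: the From display name against the real sending domain (the ‘hover over the from address’ check), a generic ‘Dear Customer’ greeting, urgency wording, and link text that shows one site while the href points to another. The rules, word lists and sample messages are assumptions for the demonstration, not a product or a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed rules illustrating the checklist above; the word lists are assumptions, not a standard.
GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer|member|account holder)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|you owe)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text: str) -> str:
    # Lower-cased host of a URL or bare domain; '' if there is none.
    text = text.strip()
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def red_flags(raw_message: str) -> list[str]:
    """Return the checklist items a raw RFC 5322 message trips; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # 'Hover over the from address': the display name claims a brand the real sending domain lacks.
    brand = [w for w in re.findall(r"[a-z]{4,}", display.lower()) if w not in ("team", "support")]
    if brand and not any(w in from_domain for w in brand):
        flags.append("display name does not match sender domain")
    # First text part of the body (works for single-part and multipart messages).
    part = next((p for p in msg.walk() if p.get_content_maintype() == "text"), None)
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace") if part else ""
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency language")
    # 'Don't click on links': anchor text that shows one site while the href goes to another.
    for href, text in ANCHOR.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if "." in shown and shown != host_of(href):
            flags.append(f"link text {shown} hides {host_of(href)}")
    return flags

# Constructed sample, not a real message.
SAMPLE = """From: "Examplebank Online" <alerts@mail-secure-login.example>
Subject: Action required
Content-Type: text/html

<p>Dear Customer, your account will be suspended within 24 hours unless you verify it at
<a href="http://login.mail-secure-login.example/x">https://www.examplebank.example/login</a></p>
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

Such a checker is a training aid and a coarse first filter, not a substitute for mail-gateway controls; a message that trips none of these rules can still be a phish.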

Another solution is multi-factor authentication (MFA).

This is generally a password strengthened with a second method of authentication, e.g. a phone number that is unique to you, which will impede attacks on your accounts (nothing is 100% impenetrable).

If a company or bank offers it, implementing it throughout your company without delay should be a no-brainer, and it will drastically improve account security.