Opening one wrong email could spell disaster

The recent spate of ransomware attacks, which affected organisations across the world, from global law firms to national power suppliers, will again focus attention on the dangers of cyber-crime and phishing attacks in particular.

  • 7 years ago Posted in

Phishing, where individual employees within an organisation are targeted is on the rise. Criminals can constantly attack organisations, knowing they only have to be successful once to gain access to secure systems and infect them with ransomware or steal valuable data.

Quiss Commercial Services Manager, Matt Rhodes explains:

Security training should be essential for every employee, with emphasis on the dangers of email phishing attacks.

Everyone should receive refresher sessions, with regular updates on what to look out for and what to do with suspect emails. But unfortunately, it’s hard to know how an individual will react when they are targeted.

Criminals are developing ever more sophisticated attacks and the cost to an organisation can be far more than just any ransom demanded, with a serious data theft or breach causing untold reputational damage.

How cyber safe is your organisation?

In the fight against cyber-crime, the first step is ensuring every employee knows security is the responsibility of everyone. It means a shift in security culture driven by the answers to some simple questions:

·         Does your cyber security training cover the latest attack methods?

·         How often is your training updated?

·         Do your employees know what a suspicious email looks like?

·         How resilient is your organization to a cyber-attack?

·         Could an attack be identified and stopped before any serious damage is inflicted?

·         How quickly could your organisation recover from an attack?

·         Would a successful attack cause long-term damage?

·         Do you have a plan in place to cope with an attack?

·         Have you assessed whether vital information is backed up appropriately to allow you to recover quickly after an attack?

·         Do your suppliers and customers take cyber security seriously? (A successful attack on them increases the chance of a successful attack on you.)

Remember, anyone who is not taking cyber-security seriously is a risk to the future of your organisation and you must act to ensure they are part of the solution, not part of the problem.

Phishing on the rise

The appeal of attack by phishing is obvious, as they are cheap to undertake, with only a low risk of capture for the criminals and offering potentially huge rewards if successful.

Unfortunately, the statistics confirm the success, with 10% of those targeted, falling victim to a phishing attack and 11% of those victims, clicking on toxic attachments or links.

Security begins with explaining the dangers and showing everyone what to look out for in a phishing attack.

How to recognise a phishing email

For criminals to get all the details they need to undertake an attack, they will usually scour personal social media channels or your website and company social media feeds.

This is the unfortunate side-effect of sharing your life with friends or ‘engaging’ with your public, we often reveal more than we should; much of it can be used against us. Criminals will find the information needed to create emails that closely imitate communications from trusted sources like colleagues, clients and suppliers.

Regardless of who an email looks to be from, each one should be studied carefully before opening:

The sender - Ask yourself: do I know who this is? Is this their usual email address or just similar to one I think I know?

Subject – Give your emails meaningful subject lines and expect the same. Ask yourself if the subject looks unusual or unexpected. Be careful if there are spelling mistakes, excessive punctuation and irrelevant, extraordinary or poorly written subject lines.

Content - Fraudulent emails will typically ask for some activity to be undertaken, like visiting a website, completing a form, sending some seemingly innocuous data or simply replying to the email.

Be particularly careful if the email claims to be from a computer company (possibly the one that looks after your system/infrastructure), a trade body, a government department or any financial services organisation.

Emotion - Criminals will often use emotional language or scare tactics, with messages delivered with a sense of urgency to encourage a rapid response before you have time to think. It might claim you will be fined or miss a bonus if you do not respond immediately.

Greeting - Beware if there is no personal greeting or it sounds odd. Most legitimate organisations you deal with know your name and will typically include partial account numbers, your postcode etc., to reassure you.

Links - Links in emails can easily be disguised and might take you to malicious websites that resemble genuine sites, like your Hotmail, iTunes or Mobile accounts. Hovering over most links will show the true destination.

Attachments - Do you recognise the format of the attachment. And remember attachments can transmit viruses, so open them only when necessary and do so with caution; be very careful with .exe and .zip files. Does the email mention the attachment and what to do with it? Are you even expecting an attachment?

Discovering risks

Regular security training will cut the risk, but there is always someone who ignores the warnings and becomes complacent. The people likely to make a mistake pose a real threat to security – but how do find out who these are?

Undertaking phishing attacks on your own employees is a good way to find those people likely to react inappropriately to an attack and those who follow the rules.

To mitigate the impact of modern phishing attacks, service providers like Quiss will conduct simulated attacks on your organisation to discover how each of your employees reacts.

Credible emails are created to appear to come from likely contacts, familiar to employees and replicate real Phishing emails to target employees.

Copying recent attack methods, everyone within an organisation at every level, can be targeted at different times, using unique emails containing links or toxic attachments, with recipients unaware they are being phished.

How each individual responds to the ‘fake’ phishing email is recorded in a comprehensive report, along with their actions. The report highlights if anyone opened any attachment, clicked a link, etc., or if they notified their manager about the attack.

Typically, those that respond other than as they should, will be informed they have been caught by a phishing attack and will be reminded to be more vigilant in future.

The service is not designed to highlight problem employees, but to ensure everyone is aware that security is everybody’s responsibility, whilst identifying areas for improvement, so organisations can concentrate training where it’s needed.

Experience dictates a failure rate of around 33% at the beginning, but after more training it will reduce to around 5%. Unfortunately, the failure rate is unlikely to ever be 0%, because we are dealing with humans.

The potential damage caused by just one employee opening the wrong email is huge and organisations should regularly test their defences to improve their approach to security.

Phishing employees will help find the weak points by and allow organisations to develop strategies to deal with the real attack when it happens, as it surely will.

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.