Cyber Risk Aware Blog

Phishing; The root of all evil...

[fa icon="calendar"] Feb 14, 2017 6:45:00 AM / by Stephen Burke

Stephen Burke

What exactly is Phishing ?

Phishing involves cyber criminals tricking (a.k.a. "social engineering" ) business and home computer users into giving them their data over the Internet.  "Spear Phishing" is another term you may often hear. The difference with a "spear phish" is that the email is very targetted against specific individuals in specific organisations wheras the other is a pure "numbers game" to cast as many phishing lines as possible to catch a phish.

Phishing attacks are aimed at "unaware" users to trick them into unwittingly giving away usernames; passwords; banking and credit card details. Phishing involves the use of emails which contain corrupt web URLs (links), malicious file attachments containing malware or multimedia messages that lure the user to fake web pages where they record the users data entry.

The criminals are preying on three (3) well-known human vulnerabilites;

1. Curiosity

2. Staff are busy and click happy

3. Staff are trusting and want to be helpful, especially if they think they've been contacted in error and wish to report it to the sender. ( I know! I know!  lets not go there...  )

Below is a graph taken from Phish Tank which shows the most used company names in criminal phishing campaigns during 2016. To me this really highlights how criminals use well known brands that people "trust". It is also worth noting that in 2016 there was a 250% growth in phishing scams.

Phish Tank

Do staff or home users really fall for phishing emails?

Yes they do, and in a big way, especially small and medium businesses but so are large companies encountering incidents daily.  This is the single biggest reason why I founded our company. Whilst serving as a CISO, no matter what technical defenses I architected with the infrastructure and network teams, we always ended up responding to security inicidents caused by human error. The 2016 Verizon Data Breach report gives a very good  insight into the scale of the human phish vulnerability.

Out of eight(8) million sanctioned mock phishing emails, 30% of recipients opened the email (an increase of 6% from the previous year).  12% of those went on to click on a link or open an attachment. 

Phishing Threats to be aware of.....

"Ransomware" and "CEO Fraud" (a.k.a. Business Email Compromise) are the two (2) main threats at this time, with thousands of companies and individuals being affected weekly. Delivery of banking trojans such as Dridex or data breaches are other threats but I will talk about those soon.......

Ransomware leads to all of your data on the local hard-drive (C drive) AND any network drive or external disk drive/USB key attached to your computer, being encrypted and not accessible unless you either restore the data from a backup  or pay the ransom (bitcoin). 86% of ransomware infections originate in a phishing email. To date, people and businesses who could not restore from backup or did not have a bitcoin account, have paid over 2 billion dollars in ransoms and the problem is getting worse. The typical cost for a home user is roughly 1000 dollars whereas if the criminal gang realises they are dealing with a company, the ransom goes into tens of thousands if not hundreds of thousands. 

"CEO Fraud" is where an email is sent to company staff having been made to look like it came from the CEO. Interestingly, the emails are targetting CFO's or finance staff where they are being asked to wire money into a bank account at short notice. A great example I often share is of a healthcare CFO receiving an email that said "I am currently offsite with our external audit team. Can you please wire $147,000 into this bank account and I will fill you in when I get back". The CFO duly obliged.

To date, according to the FBI over 3.1 billion dollars have been raised by cyber criminals using this scam alone.

So what is the best defense to avoid falling victim ?

Create a human firewall with your staff being your last line of defense and greatest security asset. You have already invested in technical defenses(Firewalls, Anti-Virus, Web Gateways etc) and still the incidents keep occuring, so it is time to do something different and more cost effective.

Raise staff awareness and reduce the risk by 20% in a matter of minutes by sending out a mock phishing email to all staff.  If your worried about staff tipping each other off,  use our unique "burst mode" that sends out many different emails in a single campaign.

Your first campaign creates an initial baseline for you to reference as you keep doing this every month to keep awareness high. Initial baselines typical start with staff being 50-60% phish prone. After about 4-6 months it will drop to 10-20%. This is a big increase in staff awareness and a dramatic reduction in risk for the business.  

So why has awareness risen? The key is that every time a uers fall for a mock phish, they will receive an instant  message specially crafted by you. Trust me, as soon as this happens, your staff are not going to want be caught again. Right away staff will start to check emails more closely.  Your instant message will offer security tips, perhaps even a tangible message about what the impact could be to the company if this had been for real. Any user I have ever spoken to about this will say "I do not want to be the person that causes any harm to our business".

All results are recorded with repeat offendors being easily identified, who can receive follow up training with our highly enjoyable and brief courses and security videos.  You may also wish to auto-enrol them in a course if they fall for one of your phishing emails.

If you are worried about how phish prone your staff are and of the possible consequences of not raising awareness,  we would be delighted to help build your human firewall.

For further information or if wish to run a free phish prone assessment, please visit our website www.cyberriskaware.com

Best regards

Stephen

Topics: Phishing, CEO Fraud, Ransomware, Spear Phishing, Staff Awareness, Phish prone

Stephen Burke

Written by Stephen Burke