Spear-Phishing, Social Engineering & Email Attacks. Why prevention is better than cure!

Email attacks, phishing, insider threats, and spoofing have all spiked recently, and these increasingly sophisticated attempts to access your data and personal information are leaving widespread disruption in their wake.

Last year, 32% of businesses and 22% of charities in the UK reported having experienced cybersecurity breaches or attacks within the previous 12 months. The most common types were phishing attacks (identified by 80% of these businesses and 81% of these charities). Many also reported cases of others impersonating an organisation in emails or online (28% of these businesses and 20% of these charities) as well as viruses, spyware and malware attacks.

The nature of these threats

Cyber-attack victims are not necessarily selected at random; many are systematically targeted in order to infiltrate systems. Pen testing tools such as MimiKatz are used to search for the individual credentials of users with domain admin privileges, so that these accounts can proceed to spread malware more effectively. This method is typically behind the largest and most advanced ransomware attacks and breaches, with SOPHOS recently publishing that 54% of businesses have experienced a rise in this method of attack.

Email-based spoofing has also increased, as attackers employ ever more sophisticated methods in their attempts to gain access to money, intellectual property and other credentials. The most common attacks are initially aimed at C-level personnel, before spreading to other members of staff within the organisation. Mimecast’s 2019 report found that this sort of malicious activity from one employee to another could account for as much as 73% of individuals experiencing direct loss of data, finance or brand.

Smartphones today are minicomputers containing a large amount of sensitive information about our lives, including banking details, maps, our health, where we live and where we run. So, it may come as no surprise that 2019 also saw a growth in mobile attacks. Google Play and Apple are getting better at scanning applications, but cybercriminals excel at tweaking their plagiarised applications to avoid detection. When installing little-known applications, always remain vigilant for any small print in ‘free’ trials that require laborious steps to uninstall or unsubscribe. Failure to do so on some apps can result in hundreds of pounds in ongoing monthly payments.

Apps designed to steal credentials for online banking have plagued Android users for some time with malicious code not downloaded until after a user downloads the app – making it more difficult for Google to scan and detect. The malicious code then monitors your actions and keystrokes on virtual keyboards when logging into your banking app.

With the advent of GDPR, protecting our business and personal data has never been more important. So, as phishing, spoofing and spear-phishing increase, businesses must also urgently tackle the biggest risk to their organisation – their users. Yes, human error is a major contributing factor in breaches, which is why many companies undertake internal phishing simulation exercises with employees to evaluate their vulnerabilities. The results are often alarming.

But fear not, there is good news too. Educating employees and nurturing a culture of vigilance and awareness, through the consistent delivery of fresh and engaging training, can make a real difference and arm businesses with an additional line of defence.

Where to focus your resources

In the face of these every-changing threats, some of the old preventative measures can still provide the most effective protection. But there are some new recommendations and technologies to add into the mix too…

Patching

Many of us will have heard of Patch Tuesday, but not everyone places the same value on patch management. It can be a lengthy and laborious task but having a process in place for this is vital – either internally or via your IT support company.

Multi Factor Identification

MFA – or Multi Factor Authentication means having a separate token or device to confirm your user identity. MFA can take the form of an authentication app (such as Microsoft Authenticator) or Authy, which once paired with an individual’s account, provides a sequence of numbers every 30 seconds. The important part is that this is on a separate device to the one you are using – such as your phone. You should set up MFA on any application that supports it but particularly those with access to sensitive information.

Passwords

It is important to use strong passwords and for users to understand their importance. Passwords should not be reused, and this is particularly important for business passwords (or email/password combinations). Wherever possible, consider using an accredited password manager such as Last Pass, 1 Password or Dashlane. Click here to find out more

Awareness

If your users understand the importance of data privacy and the value of their personal information, they are more likely to look after the keys to your network. Fostering an open environment, where employees feel able to discuss possible phishing attempts and questionable emails or calls without the fear of reprimands, is an excellent start. Utilising a continual education platform is even better.

Accreditations and scanning

Cyber Essentials Plus, ISO27001, PCI DSS are great accreditations for your business to acquire and they show your suppliers and customers that you are serious about security. These accreditations align with GDPR and other requirements such as internal and external scanning. If accreditation is not feasible then a vulnerability scan should be considered as a regular addition as many exploits or breaches lie undetected for up to 6 months. Know the vulnerabilities within your business so you can work to bolster them. Understanding your systems, how they are connected, and the associated risk management, all play a vital role. Depending on your size, you may even want to consider walking through your ‘playbook’ – does everyone in your business know what to do if a breach/hack/disaster happens? This includes understanding how to approach the ICO in the worst-case scenario.

During these challenging times, we are experiencing a spike in cyber-attacks with many themed around coronavirus and the associated government/HMRC advice. As our workforces continue to adapt to remote working and a ‘new normal’, it has never been more important to be vigilant and ensure some of the simple precautions and best practices outlined above are implemented across your organisation.