Today’s cyber security landscape continues to reveal new malicious actors who threaten reputations and compromise organisations globally.
This growing socio-technical problem is driven by attackers who are well resourced, well funded, and who understand the weakest link of any cyber security strategy: human error. It makes sense, then, that our daily mode of communication, email, is far from immune from online attack, and in particular from what is known as ‘phishing’.
What is Phishing?
Phishing is a social engineering activity that tricks users into giving out sensitive information to cyber criminals via email. It is an elaborate method of preying digitally on people’s emotions: greed, curiosity, or fear. Attackers will be pushy, or make threats or promises, so that you respond immediately without thinking.
Sophisticated phishing emails often look like they come from a trustworthy individual or credible organisation, which is why they are so tough to identify. Phishing is a common attack technique used:
- As a means to gather information for a larger attack
- Or the phish itself could be the whole attack
The consequences of Phishing?
- 91% of cyber attacks start with a phishing email. (PhishMe)
- There has been a 136% increase in identified global exposed losses relating to email account compromise scams between December 2016 and May 2018 (Internet Crime Complaint Center (IC3))
- Cybercrime may now cost the world almost $600 billion, or 0.8% of global GDP, according to McAfee.
Why do we fall for Phishing?
Today’s phishing campaigns have evolved well beyond the wildly obvious malware links and suspect sender addresses.
Phishing emails are now more commonly highly personalised, researched and targeted at the individual, drawing on contextual awareness of names, colleagues’ names, routines (month-end invoicing etc.), role within the organisation, and personal interests.
Double-barrel emails use multiple messages as a lure to build a credible email chain before sending the hook: the link that will compromise your data by opening the floodgates to whatever fresh hell awaits in the incoming malware.
And while careless spelling and misspelt names were once crucial red flags, today’s phishing emails are carefully written with appropriate grammar, and many now adopt a relaxed writing style in keeping with the imitated sender.
In fact, AI will soon be able to automatically determine writing style and slang and replicate them.
Mitigating security attacks starts by building controls around people, process and technology.
Phishing targets your people, which means user awareness training is essential, alongside a mix of process controls and technology solutions. Here are a few places to start building your defence against phishing:
- Email signing certificates from trusted certificate authorities
- Trusted spam/phishing email prevention software
- Kill chain controls: URL filtering, C2 detection, malware detection
- Multi-factor authentication helps but is not a guarantee on its own; location awareness is also important
- User awareness training
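The red flags described above (lookalike sender domains, pressure language, links whose visible text does not match where they really go) and the filtering controls in this list can be turned into simple, explainable detection rules. The following is an added example, not code from the original post or from Evros: a small heuristic scorer that parses a raw email, checks the sender and Reply-To domains against a hypothetical trusted domain (example.com), looks for urgency phrases, and compares each link’s visible text with its real href. The two sample messages are constructed for the example; a real deployment would feed it messages from the mail gateway and tune the phrase list and distance threshold to its own environment.

```python
"""Heuristic phishing red-flag scorer (added example; sample messages are constructed)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domain(s) the organisation treats as its own / trusted.
TRUSTED_DOMAINS = {"example.com"}

# Pressure phrases typical of lures that push for an immediate reaction.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account will be suspended", "act now")

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)
BARE_DOMAIN_RE = re.compile(r"\b[\w.-]+\.[a-z]{2,}\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' reduction (portal.example.com -> example.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_links(html: str) -> list:
    """Flag anchors whose visible text names one domain while the href goes to another."""
    findings = []
    for href, text in HREF_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text).strip()
        match = URL_RE.search(visible) or BARE_DOMAIN_RE.search(visible)
        if match:
            shown = match.group(0)
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link shows {shown_host} but points to {href_host}")
    return findings


def score_message(raw: str) -> dict:
    """Return a red-flag count plus the human-readable findings behind it."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    # Replies silently redirected to a third-party domain are a classic BEC/phish sign.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # A sender domain one or two edits away from a trusted one is a lookalike.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_dom, trusted) <= 2:
                findings.append(f"sender domain {from_dom} looks like {trusted}")
    body = body_text(msg)
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    findings.extend(check_links(body))
    return {"score": len(findings), "findings": findings}


# Constructed sample: lookalike sender, foreign Reply-To, urgency, disguised link.
PHISH = """From: "IT Service Desk" <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.net
To: alice@example.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. You must act now or your
account will be suspended.</p>
<p>Sign in at <a href="http://login.mail-recovery.net/reset">portal.example.com</a></p>
</body></html>
"""

# Constructed sample: ordinary internal notice with a matching, trusted domain.
LEGIT = """From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: March payslip available
Content-Type: text/plain; charset="utf-8"

Hi Alice, your March payslip is available in the HR portal at
https://hr.example.com/payslips whenever you get a chance.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = score_message(raw)
        print(label, result["score"], *result["findings"], sep="\n  ")
```

Each finding is a sentence a user or analyst can act on, which matters more for awareness training than a bare score; the thresholds are deliberately simple so that the rule can sit alongside, not replace, the gateway filtering and URL-filtering controls listed above.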
It will always come down to the weakest link in your line of defence: human error. So on top of user awareness training, ensure your users change their perspective on email and:
- Always verify – think before you click
- Never download strange/unsolicited attachments
- Update software frequently
- Use caution while surfing the web and checking your inbox
- Keep your emotions in check
- Report immediately to IT if you think you’ve taken the bait
About the SOC:
Cyber security has become a key requirement for our clients. We deliver a full Managed Security Service with a 24/7 Security Operations Centre which provides full monitoring of our clients’ environments. Evros also gained the much sought-after ISO/IEC 27001 accreditation for its Managed Services department, following eight months of in-depth preparation and a successful audit.
Achieving the ISO/IEC 27001 accreditation further demonstrates that we take our customers and their data extremely seriously; best practices are followed here at Evros to manage our own and our clients’ security posture.
Evros is one of the only Cloud providers in Ireland to be awarded ISO27001 for Information Security and Managed Services, and ISO20000-1 for Service Management.