There’s Plenty More Phish(ing) in the Sea!

 

Phishing is a homophone of the word ‘fishing’ and is an attempt to entice a person (or persons) into providing sensitive or confidential information. This information can then be used or, in some form, monetised by the cyber criminals operating the scam. In a phishing scam content, in the form of emails or electronic messages, is distributed to a series of potential victims in the hope of ‘hooking’ a careless or naïve user into engaging with the content by way of clicking a link or responding to the email or message. The victim, thinking that the content is real, may then provide the phisher with sensitive or confidential information. This can be a whole range of things such as usernames, passwords and even financial information such as bank details or credit card numbers.

 

Phishing Variants

A particular variant of phishing is known as BEC or business email compromise. This is often called CEO fraud because the attacker sends emails impersonating the CEO or other senior individual in the company. The recipient is likely to be a more junior staff member and the email will use social engineering tactics to convey a sense of urgency and coerce the recipient into performing an action. This action usually involves money transfers to accounts controlled by the attacker; the purchase and transfer of other items with a monetary value, such as electronic gift cards; or a request for sensitive information that can be used for financial gains, such as personnel files.

In the world of phishing, there are two types of phishers: those that use their nets to scour the ocean and capture as many victims as possible, and those that use a single rod and reel to catch the big haul trophy – the corporate executive, government official, celebrity, or other high-profile individuals. This sophisticated and targeted form of phishing – called spear-phishing or whaling when directed at high-level business executives – is on a dramatic upswing.

 

Attacks are increasing

To put this in perspective, BEC attacks have been increasing in number over the last few years, driven by their relative success rate compared to other financially motivated attacks. The most recent FBI Internet Crime Report, published in 2019, stated that BEC attacks reported to the FBI had increased 30% over the prior year, while adjusted losses increased a massive 90%, from $675M to $1.3B. Also, according to survey data from Osterman Research, in 2019, 48% of surveyed organisations reported a successful email phishing related breach. This increased from 44% in 2018 and 30% in 2017.

With phishing increasing exponentially, companies need to think comprehensively about what they can do to protect and defend against phishing attacks, this includes:

• • Password Management – ensuring that users create and regularly update strong and unique passwords for every application or site visited
  • Two-factor authentication – requiring users to use a combination of two different components to log in to applications or sites (e.g., a combination of PIN or password plus their mobile phone to respond to a transmitted access code)
  • Phishing Intelligence – maintaining and updating relevant intelligence on emerging threats from major sources
  • User training – educating and training users, thereby increasing awareness of potential phishing attacks, understanding the seriousness of such attacks, and knowing what to do in the event of an attack
  • User reporting – encouraging the reporting of any suspicious communication or activity and acting upon those reports promptly.

(Above information from the March 2020 Cyberthreat Report by Cyren Ltd – www.cyren.com)

 

Information Security Management

Performance Plus helps you to improve your cybersecurity protection by implementing an Information Security Management System (ISMS). We then help you to achieve certification for your ISMS against the ISO 27001 International Standard (thereby demonstrating publicly your commitment to information security). Contact us for a free initial consultation on:

Tel:                    01284 330400

Email:               info@performanceplus.co.uk

Web:                 www.performanceplus.co.uk

We work with small to medium size businesses across the East Anglia Region covering Norfolk, Suffolk, Cambridgeshire, Essex, Bedfordshire and Hertfordshire.