There’s justifiably a lot of noise right now from the security industry about the increasing sophistication of the latest cybercrime threats to businesses – particularly those from well-funded organised criminal operations or other shadowy sources.
While it’s essential to understand and protect against these new, stealthier threats, it’s easy for IT security chiefs to be distracted from some of the types of attack that have been with us for some time now. Familiarity can breed complacency, and these old types of threat can still be a remarkably simple, cheap and effective way for cybercriminals to gain access to corporate systems and data.
Many phishing emails are so bad it’s obvious what they are, but we have seen a trend of some becoming very convincing. These smarter phishing campaigns are personalised and targeted at employees in specific companies and translated into the appropriate country language for the target victims.
Getting hit by a successful phishing attack can be costly. Research by the Ponemon Institute puts the average annual cost to businesses to recover from a successful phishing attack at $300,000. That figure incorporates lost productivity and incident response costs.
Or take the example of a successful phishing attack that leads to ransomware encrypting valuable corporate data. The ransoms are often no more than a few hundred dollars, but the real costs are far higher. Between April 2014 and June 2015, the FBI received 992 CryptoWall-related complaints, with victims reporting losses totalling over $18m. Those additional costs include network mitigation, network countermeasures, loss of productivity, legal fees, IT services and the purchase of credit monitoring services for employees or customers. You can also throw in potential bad publicity and reputational damage for good measure.
How can IT organisations keep up their defences against this ongoing but evolving phishing threat? Here are a few reminders and recommendations, mainly around how to educate user behaviour – that vital first line of defence for any organisation.
One of the first key defences is to access any suspicious phishing emails on a mobile device. Why? Because you’re then safe from almost every drive-by attack or website exploit. It’s also much harder to hide the source of the email or the destination URL it is directing you to.
The best way of illustrating this is through a real example. Let’s examine a recent phishing email purporting to come from NatWest that landed in my inbox, and apply some simple tests:
- The neighbour test
Is there anything that makes this email not applicable to the person sitting next to me? Does it contain any account information, anything specific to you and not your neighbour? If not, then be suspicious. This example email could be applicable to anyone sitting next to me, so that’s a red flag straight away.
- Check the source
Check the source of both the ‘from’ and ‘to’ addresses in the email. Also check the URL the email wants to send you to – that is still often a big giveaway that it’s not genuine even if the content of the email looks authentic. Here the ‘from’ address at first glance appears plausible. When I clicked on it, however, the ‘NatWest Online’ address is actually firstname.lastname@example.org. A quick browse of on.com (from my smartphone of course) tells me it’s a website about meeting people through photos. It doesn’t take a huge leap to assume it’s not a legitimate NatWest email address. Also note the strange ‘to’ address.
- Is it out of the ordinary?
Have you received genuine messages similar to this before from this organisation? Is it urging you to do something quickly and does your bank, for example, normally send messages like that? All these are warning signs. Surprise, surprise… in this example the email implies I need to fix this issue quickly because ‘the transaction cannot be completed’. This clearly isn’t normal – my bank has never sent me anything like this before.
Have a look at the language, the spelling and the grammar too. There is a weird use of the word ‘slated’ in this email, not a term my bank has ever used in communications to me before. There’s some odd punctuation going on around ‘Regards .’ and no name is given in the signature. Hopefully, you are waving many red flags by this stage.
- What information is the email asking for?
A genuine email from your bank should never ask you to supply all of your security information at once – full PIN, memorable question/answer, password, card number and CVV code. An email asking you to give all this information is almost certainly a phishing email. I clicked on the link to the URL that the email wants to take me to (from my mobile device, remember). The site looks a bit like NatWest but the URL is ‘balajitransportfindia.com’. Really? And the page is prompting me to enter my full PIN, password, mobile number, mother’s maiden name, debit card number, expiry date, CVV code and ATM PIN – pretty much the full house of information your bank would never ask you to enter via an email.
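The four tests above can be turned into a simple triage script. This is an added example, not code from the original article: it assumes a hypothetical allow-list of the brand’s genuine domains and runs the neighbour, source and “what is it asking for” checks over a constructed sample message modelled on the one described.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: domains the brand genuinely sends from and links to.
BRAND = "natwest"
LEGIT_DOMAINS = {"natwest.com"}
# Secrets a bank would never ask for by email (the article's fourth test).
SENSITIVE = ("pin", "password", "cvv", "card number", "maiden name", "expiry")

# Constructed sample modelled on the article's example; not the real email.
SAMPLE = """\
From: NatWest Online <firstname.lastname@example.org>
To: undisclosed-recipients@example.net
Subject: Action required: transaction cannot be completed
Content-Type: text/html

<p>Dear customer, your transaction is slated for review.</p>
<p>Confirm your full PIN, password and CVV within 24 hours:
<a href="http://phishing-site.example/login">Secure NatWest login</a></p>
"""

def domain_of(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def check_email(raw: str) -> list[str]:
    """Return a list of red flags found by the article's checks (empty if none)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr.split("@")[-1]) if "@" in addr else ""
    # Check the source: display name claims the brand, address domain does not.
    if BRAND in name.lower() and sender_domain not in LEGIT_DOMAINS:
        findings.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # Neighbour test: not addressed to an individual recipient.
    to = msg.get("To", "")
    if not to or "undisclosed" in to.lower():
        findings.append("recipient is not addressed individually (neighbour test)")
    body = msg.get_payload(decode=True).decode(errors="replace")  # single-part body
    # Check the destination: every link must land on a genuine brand domain.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        if domain_of(host) not in LEGIT_DOMAINS:
            findings.append(f"link points off-brand: {host}")
    # What is it asking for: crude substring match for several secrets at once.
    asked = [w for w in SENSITIVE if w in body.lower()]
    if len(asked) >= 2:
        findings.append(f"asks for multiple secrets at once: {', '.join(asked)}")
    return findings

if __name__ == "__main__":
    for flag in check_email(SAMPLE):
        print("RED FLAG:", flag)
```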
When it comes to phishing emails, use instinct not emotion. If it looks suspicious but you are being lured in by a warning that your account will be suspended or a transaction won’t be completed, just stop and follow the checks above. Try it yourself – have a quick look through your Junk mail folder, pick out an obvious phishing email and go through the steps above.