
Phishing emails only going to get smarter, warns security firm

09 Jan 2019

Email security threats are both cheap and easy for cyber attackers to conduct, so it’s little wonder that a new study from Barracuda Networks has found that 87% of companies have faced those threats in the past year.

The study, conducted with 634 executives, individual contributors and team managers across Asia Pacific, Europe, and the Americas, found that one click is all it takes to bring trouble.

Phishing emails typically mimic the look and feel of an email written by someone in authority, such as a bank, or even a colleague. The emails create a sense of urgency, so recipients think they don’t have much time to respond.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee's email address,” the company explains.

“Phishing is one of the cheapest and easiest strategies used by hackers to target companies as it takes advantage of the weakest link in an organisation’s security chain, its employees,” adds Barracuda vice president of APAC sales, James Forbes-May.

Some emails are highly targeted, but generic ones containing words like ‘invoice’ can also catch people out. ‘Invoice’ appeared in six of the 10 most effective phishing campaigns in 2018.

“Most malicious emails attempted to steal login and system information from users in order to take over their account to launch attacks to a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company’s data.”

Those links can also look genuine. They can be spoofed sites that request login credentials, or they could initiate malware downloads. Information stealers, backdoors, and ransomware are common forms of malware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they’d experienced such an attack.

Barracuda warns that phishing attacks are becoming more difficult to spot. Criminals may also switch to AI technologies to make their emails look more genuine.

“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.

He says that multi-factor authentication is an effective way to prevent attackers from accessing accounts that are protected only by a password. He also believes training sessions are necessary.

Barracuda states that companies should run phishing tests in short sessions using real-world scenarios and collect feedback on each user.

Users should be taught to look for things like unusual senders, attachments and hyperlinks in unsolicited mail. Employees at all levels, including part-timers and interns, must undergo training, because it takes only one click to cause great damage. It doesn’t matter who clicks on the phishing link; the damage is the same.

“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.

Your reputation, company data and the potential loss of money is at constant risk and must be safeguarded,” adds Forbes-May.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

•    Don’t click on attachments or URLs from unknown sources. Even sources that you think are safe could have been compromised or impersonated by criminals. Call them if you feel the email is suspicious.

•    Never share or reveal your password or login details on an unidentified site you reached via an email link. Always go to the site directly via your browser.

•    Money scams are notorious for poor grammar, and in many cases the language reads as if written by someone using English as a second language. Just remember, if something sounds too good to be true, it probably is.
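The indicators the article describes (an executive's display name on an external address, a mismatched Reply-To, lure words such as ‘invoice’, link text that names one site while the href points to another, and unsolicited risky attachments) can be checked mechanically. The following is an added example written for this page, not Barracuda's product or code; the company domain, the executive name list and the sample message are constructed assumptions.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical organisation context assumed for this example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}          # display names attackers like to impersonate
LURE_WORDS = ("invoice", "urgent", "immediately", "password")
RISKY_EXT = (".exe", ".js", ".scr", ".html", ".zip")

def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append(f"display name '{name}' used from external domain {domain}")
    _, reply = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        hits.append(f"Reply-To {reply} differs from From domain {domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits += [f"lure word '{w}' in subject or body" for w in LURE_WORDS if w in haystack]
    # Anchor text that shows one host while the href leads somewhere else.
    for href, label in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', text, re.I):
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", label, re.I)
        dest = urlparse(href).hostname
        if shown and shown.group(0).lower() != dest:
            hits.append(f"link text '{label}' hides destination {dest}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(RISKY_EXT):
            hits.append(f"risky attachment {fn}")
    return hits

# Constructed sample: an impersonated executive, a mismatched Reply-To,
# lure words, a misleading link and an executable attachment.
SAMPLE = """From: Jane Doe <jane.doe@mail-example.co>
Reply-To: accounts@payments-example.co
To: bob@example.com
Subject: Urgent: overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review the attached invoice immediately:
<a href="http://login.payments-example.co/x">https://portal.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

not a real binary
--b1--
"""

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE):
        print("-", hit)
```

Such heuristics produce false positives on their own; in practice they feed a score alongside sender authentication results (SPF/DKIM/DMARC) and URL or attachment sandboxing, as the article recommends.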

“Email threats will continue to be a large problem for companies and unless they employ multi-layered approaches and train their employees, they are at risk of being held for ransom by hackers,” concludes Forbes-May.
