SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Phishing emails only going to get smarter, warns security firm
Wed, 9th Jan 2019

Email security threats are both cheap and easy for cyber attackers to conduct, so it's little wonder that a new study from Barracuda Networks has found that 87% of companies have faced those threats in the past year.

The study, conducted with 634 executives, individual contributors and team managers across Asia Pacific, Europe, and the Americas, found that one click is all it takes to bring trouble.

Phishing emails typically mimic the look and feel of an email written by someone in authority, such as a bank, or even a colleague. The emails create a sense of urgency, so recipients think they don't have much time to respond.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee's email address,” the company explains.

“Phishing is one of the cheapest and easiest strategies used by hackers to target companies as it takes advantage of the weakest link in an organisation's security chain, its employees,” adds Barracuda vice president of APAC sales, James Forbes-May.

Some emails are highly targeted, but generic ones containing words like ‘invoice’ can also catch people out. ‘Invoice’ appeared in six of the 10 most effective phishing campaigns in 2018.

“Most malicious emails attempted to steal login and system information from users in order to take over their account to launch attacks on a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company's data.”

Those links can also look genuine. They can be spoofed sites that request login credentials, or they could initiate malware downloads. Information stealers, backdoors, and ransomware are common forms of malware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they'd experienced such an attack.

Barracuda warns that phishing attacks are becoming more difficult to spot. Criminals may also switch to AI technologies to make their emails look more genuine.

“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.

He says that multi-factor authentication is an effective way to prevent attackers from accessing accounts that are protected only by a password. He also believes training sessions are necessary.

Barracuda states that companies should run phishing tests in short sessions using real-world scenarios and collect feedback on each user.

They should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. All levels of employees, including part-timers and interns, must undergo training, as all it takes is one click to cause great damage. It doesn't matter who clicks on that phishing link; the result is equally damaging.

“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.

Your reputation, company data and the potential loss of money is at constant risk and must be safeguarded,” adds Forbes-May.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

•    Don't click on attachments or URLs from unknown sources. Even sources that you think are safe could have been compromised or impersonated by criminals. Call them if you feel the email is suspicious.

•    Never share or reveal your password or login to an unidentified site you accessed via an email link. Always go to the site directly via your browser.

•    Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if something sounds too good to be true—it probably is.
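The indicators the article and the tips above point to (an unexpected sender or reply address, urgency and ‘invoice’ lures in the subject, links whose visible text differs from where they really go, credential-harvesting pages on unrelated domains, and executable attachments) can be checked mechanically before a message ever reaches an inbox. The following Python script is an added illustration written for this page; it is not Barracuda's product logic or code from the article. The two sample messages, the `example-corp.com` / `example-corp-billing.net` domains, and the keyword and file-extension lists are all constructed for the example and would be tuned to an organisation's own mail in practice.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical indicator lists: lure words the article associates with effective
# campaigns ("invoice", urgency) and file types that should not arrive unsolicited.
LURE_WORDS = ("invoice", "urgent", "overdue", "verify your account", "password")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")

# Constructed sample messages (not real mail). The first packs in the indicators the
# article describes: an authority-style sender, urgency, an "invoice" lure, a link whose
# visible text differs from its real destination, and an executable attachment.
SUSPICIOUS_EML = b"""From: "Accounts Payable" <cfo@example-corp.com>
Reply-To: collections@example-corp-billing.net
To: staff@example-corp.com
Subject: URGENT: overdue invoice - action required today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached invoice and confirm payment at
<a href="http://example-corp-billing.net/login">https://portal.example-corp.com/invoices</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice_4471.exe"
Content-Disposition: attachment; filename="invoice_4471.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

BENIGN_EML = b"""From: "Dana Lee" <dana.lee@example-corp.com>
To: staff@example-corp.com
Subject: Lunch menu for Friday
Content-Type: text/plain; charset="utf-8"

The cafe will serve soup and sandwiches on Friday.
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude last-two-labels comparison; a real deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def _header_domain(msg, name):
    """Domain part of the address in a header such as From or Reply-To ('' if absent)."""
    _, addr = email.utils.parseaddr(str(msg[name] or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Score one raw RFC 5322 message; an empty findings list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = _header_domain(msg, "From")
    reply_to = _header_domain(msg, "Reply-To")
    if reply_to and reply_to != sender:  # replies silently diverted to another domain
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append(f"lure words in subject: {', '.join(hits)}")

    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or ""
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"executable-type attachment {name}")
        elif part.get_content_type() == "text/html":
            extractor = _LinkExtractor()
            extractor.feed(part.get_content())
            for href, text in extractor.links:
                href_host = urlparse(href).hostname or ""
                shown_host = ""
                if text.startswith(("http://", "https://")):  # link text that looks like a URL
                    shown_host = urlparse(text).hostname or ""
                if shown_host and _registered_domain(shown_host) != _registered_domain(href_host):
                    findings.append(f"link text shows {shown_host} but points to {href_host}")
                if "login" in urlparse(href).path.lower() and \
                        _registered_domain(href_host) != _registered_domain(sender):
                    findings.append(f"credential-style link on {href_host}, unrelated to sender domain {sender}")

    return {"verdict": "hold for review" if findings else "pass", "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

Run stand-alone, the script holds the constructed invoice message on five separate findings and passes the benign one. Each heuristic is deliberately simple and would produce false positives on its own (legitimate mail often uses a different Reply-To, for instance); the point is that the article's checklist maps onto signals a gateway can evaluate and combine, with held messages routed to a reviewer rather than the user, which is the behaviour the quoted advice about blocking mail before it reaches the inbox describes.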

“Email threats will continue to be a large problem for companies and unless they employ multi-layered approaches and train their employees, they are at risk of being held for ransom by hackers,” concludes Forbes-May.