The latest and damaging WannaCry ransomware attack on organisations around the world, will again focus attention on cyber-crime and phishing attacks, which may have played a part in spreading the virus.
Awareness of the threat posed by cyber-crime remains an issue, with the ‘Verizon 2016 Data Breach Investigations Report’ reporting that 30 per cent of phishing messages were opened.
Phishing campaigns are a pre-cursor to more than 90 per cent of hacking attacks, when employees are targeted to gain access to secure systems or infect systems with ransomware included as a toxic attachment.
Security training will undoubtedly be given to every new employee, but it is impossible to know how they will react to a real attack.
Criminals constantly change their approach, but phishing remains an effective, low-risk method for cyber-criminals to steal sensitive information or hold it to ransom. The problem is exacerbated by complacency and the belief it is ‘other people’ that are targeted and stupid enough to fall for an obvious scam!
What to look out for
Phishing uses a personally addressed email that typically requires a little social engineering on the part of the criminals so they can appear as trustworthy as possible.
Personal social media channels or the target organisation’s website will contain most of the information criminals need, like friends and colleagues’ names, birthdays, office locations, etc. This easily found information allows them to create emails that closely imitate communications from sources known to the target.
Phishing emails regularly request the recipient to confirm account details, check an order or delivery instructions, etc., by opening attachments or clicking harmless-looking links that connect to relevant websites.
The websites will look the part, but will in fact be fakes used to steal log-in details, account passwords etc., and they are constantly improving in quality, as spelling, grammar and graphics improve.
Phishing works, so why change?
The appeal of phishing is obvious for criminals and despite all the publicity, 10 per cent of people targeted will fall victim to a phishing attack, and:
- 23 per cent will open the message and 11 per cent will click on the attachments
- 91 per cent of hacking attacks begin with a phishing or spear-phishing email
- 55 per cent increase of spear-phishing campaigns targeting employees
Showing employees what to look out for and training them regularly will undoubtedly cut the risk, but there will always be those whose who ignore the threat.
Now, specialist service providers will conduct simulated phishing attacks to discover how employees will react to the threat. The simulation requires the service provider to create credible emails that appear to come from contacts familiar to employees, like colleagues, customers or clients.
The ‘fake’ phishing attacks replicate those of real criminals, targeting individuals within an organisation, using different emails and toxic attachments, with recipients unaware of the tests.
How each employee responds is recorded, along with their actions; whether they opened any attachment, clicked a link, etc., with those that react inappropriately, warned of the consequences of such actions, by an engaging email.
The comprehensive reports identify individuals who need more support, so organisations can concentrate training on those that need it most.
Worryingly, the failure rate at the start is likely to be around 33 per cent, but after more training this will fall to approximately 5 per cent, although few organisation will ever achieve a zero response because ultimately, we are dealing with humans.
The threat posed by just one employee reacting incorrectly to a phishing email is growing and it is imperative organisations regularly test their defences and improve their security culture.
Matt Rhodes is a commercial services manager at Quiss Technology, and is an expert on subjects as diverse as cyber security, hybrid cloud solutions, new technology and the Code of Connection (CoCo).