Cyber criminals are becoming increasingly sophisticated in their phishing expeditions and are using social engineering to defraud businesses. How can you protect your business from ‘hacking the human’ attacks?
‘Hacking the human’ is big business for cyber crims – what should you watch out for?
As we collectively get wiser to scams, cyber criminals are getting smarter. The use of social engineering to defraud businesses is evolving: the unscrupulous are increasingly impersonating trusted brands and people in phishing attacks, lulling targets into a false sense of security by serving malicious phishing sites over HTTPS (hypertext transfer protocol secure, the padlock in the browser) and hosting malicious files on trusted, cloud-based file-sharing sites.
US-based cyber security company FireEye analysed 1.3 billion phishing emails in Q1 2019 and identified these emerging trends.
Central to the emerging trends is the use of social engineering or ‘hacking the human’ to steal information. Many breaches are the result of employees opening phishing emails that have made it past existing defences. According to FireEye, people open 70% of phishing emails and 50% of those who open the emails click on the links.
Opening just one phishing email can enable the cyber crim to infiltrate and compromise the business’ systems – opening the gate to steal information and IP or access financials (enabling bank accounts to be cleared or fake invoices generated).
A business’ best defence against phishing attacks is to educate and train employees about what to look for and avoid.
Trend 1 – impersonation (spoofed phishing attempts)
The rate of impersonation jumped 17% from Q4 2018, with criminals imitating well-known brands. In fact, Microsoft spoofs accounted for almost one-third of the Q1 attacks. PayPal, Apple, Amazon and OneDrive were also regularly impersonated. Perhaps even more insidious is the growing trend of criminals impersonating CEOs and other senior corporate officers to request changes to bank account details.
- Avoid clicking on links in emails. Don’t open links from sources you don’t recognise. If an email from a ‘known’ source provides a link, don’t use it: type the address you already know into the browser’s address bar (or use a bookmark you saved earlier). A search engine is not a substitute for this, as lookalike sites can appear in search results too.
- If a link you click on takes you to a log-in page, be especially suspicious and check the source.
- Look out for common phishing language: emails that ask you to "Verify your account", warn that your account has been compromised or convey a sense of urgency.
- Be wary of any email that does not address you directly. Most legitimate businesses will use your first and/or last name in all communication. The reverse does not hold: a personalised greeting is easy to produce from a stolen contact list, so it is not proof that an email is genuine.
- Scrutinise any website you are directed to. Carefully read the web address. Also look at the pages: is the right logo used; are the colours correct; is the content correct; does it look right (is the formatting correct); is the language accurate?
- If you receive an email from a colleague requesting account/financial information or transfer etc., verify the request (go see them or pick up the phone – don’t reply to the email; if you have to use email, create a new email or forward to the address in your contacts).
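The checks in this list can also be applied automatically before a message reaches a person. The following is an added example written for this article, not code from the original page or from FireEye: a small Python script that takes a raw email and reports the warning signs listed above: a Reply-To that points somewhere other than the visible sender (the CEO-fraud pattern), urgency phrases and generic greetings, links whose visible text does not match their real destination (what hovering over the link reveals), and brand names inside hostnames that none of the brand’s genuine domains own. The brand-to-domain table, the phrase lists, the two-label domain rule and the sample message are all constructed for the example and are assumptions, not part of the original article.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article names as commonly spoofed, mapped to domains that legitimately
# serve them. Assumption: an illustrative allow-list, not a complete one.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "paypal": {"paypal.com"}, "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com"}, "onedrive": {"onedrive.com", "live.com"},
}
URGENCY_PHRASES = ("verify your account", "account has been compromised",
                   "within 24 hours", "immediately", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear account holder")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the destination that hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.x.com' link text is read as https://www.x.com."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname. Assumption: adequate for the example domains."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw_email):
    """Return a list of plain-language warnings for one raw email message."""
    msg = message_from_string(raw_email)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    # CEO-fraud pattern: replies silently go somewhere other than the displayed sender.
    if reply_to and registered_domain(reply_to.rpartition("@")[2]) != \
            registered_domain(sender.rpartition("@")[2]):
        findings.append(f"Reply-To domain differs from sender: {reply_to}")

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + html).lower()
    findings += [f"urgency language: '{p}'" for p in URGENCY_PHRASES if p in text]
    findings += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in text]

    parser = LinkExtractor()
    parser.feed(html)
    for href, shown in parser.links:
        target = host_of(href)
        # Visible text looks like a URL but the link goes elsewhere: the hover mismatch.
        if shown.startswith(("http://", "https://", "www.")) and host_of(shown) != target:
            findings.append(f"link text '{shown}' but destination is {target}")
        # A brand name inside a hostname that none of the brand's domains own: impersonation.
        for brand, good in KNOWN_BRANDS.items():
            if brand in target and registered_domain(target) not in good:
                findings.append(f"'{brand}' appears in untrusted host {target}")
    return findings


# Constructed sample message (not a real phishing email) combining the signs above.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@microsoft-support-alerts.example>
Reply-To: billing@mail-relay.example
To: finance@victim.example
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account has been compromised. Verify your account within 24 hours:</p>
<a href="https://login.microsoft-secure-verify.example/auth">https://login.microsoftonline.com</a>
</body></html>
"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run as a script it prints seven warnings for the sample: the Reply-To mismatch, three urgency phrases, the generic greeting, the link whose text says microsoftonline.com but whose destination is a lookalike host, and the brand name inside that untrusted host. The script only flags what a careful reader would flag by hand; it does not replace a mail gateway, and the allow-list has to be maintained for the brands your business actually deals with.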
Trend 2 – HTTPS encryption in URL-based attacks
The use of HTTPS for malicious phishing sites surged 26% in Q1 of 2019. An HTTPS site can provide a false sense of security for visitors, who assume the protocol is only used on legitimate, safe sites. In fact, certificates are issued automatically and free of charge to anyone who controls a domain name, so a criminal who registers a lookalike domain gets the padlock too. The padlock means only that your connection to that site is encrypted, not that the site is the one you think it is.
- Web browsers show a padlock icon for HTTPS pages. Look for the padlock icon in the address bar. Google Chrome marks pages served over plain HTTP as “Not secure”.
- If the log-in page does not have an address starting with https and displaying the padlock, don’t log in. The reverse does not make a page safe: treat the padlock as necessary, not sufficient.
- If you visit a website with a padlock, click on the padlock to view the certificate. It shows the domain name the certificate was issued for and, for certificates that went through organisation validation, the name of the organisation that applied for it. If the domain or the organisation does not match the name you know, be very suspicious. Many legitimate sites use domain-validated certificates that carry no organisation name at all, so a missing name is not proof of fraud; a mismatched name is the red flag.
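What the padlock does and does not prove can be checked programmatically. The following is an added example, not code from the original page: it inspects a certificate in the dictionary form that Python’s `ssl.SSLSocket.getpeercert()` returns, and reports whether the certificate covers the expected hostname (the only thing the padlock itself guarantees) and whether it names an organisation at all. The two certificates, their domains and the organisation name are constructed for the example: a domain-validated certificate for an invented lookalike domain, and an organisation-validated one for an invented bank. `fetch_cert()` shows how to obtain the live dictionary and needs network access; everything else runs offline on the constructed data.

```python
import socket
import ssl

# Two constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# Neither is real; the domains, issuers and organisation are invented for the example.
LOOKALIKE_DV_CERT = {
    "subject": ((("commonName", "login.examplebank-secure-verify.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),), (("commonName", "Example Free CA R1"),)),
    "subjectAltName": (("DNS", "login.examplebank-secure-verify.example"),),
}
BRAND_OV_CERT = {
    "subject": ((("countryName", "AU"),), (("organizationName", "Example Bank Pty Ltd"),),
                (("commonName", "www.examplebank.com"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "*.examplebank.com")),
}


def _rdn_dict(name):
    """Flatten getpeercert()'s nested ((('key', 'value'),), ...) name into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def _matches(pattern, host):
    """Hostname matching as browsers apply it: a '*' covers exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_summary(cert, expected_host):
    """What the padlock can and cannot tell you about a certificate.

    'host_matches' is the only thing the padlock itself guarantees: the site holds a
    certificate for the name in the address bar. 'organisation' is the vetted company
    name shown in the certificate details for OV/EV certificates; it is None for the
    domain-validated certificates anyone can obtain automatically for a domain they
    control, including a lookalike domain.
    """
    subject = _rdn_dict(cert.get("subject", ()))
    names = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"] \
        or [subject.get("commonName", "")]
    return {
        "names": names,
        "host_matches": any(_matches(p, expected_host) for p in names),
        "organisation": subject.get("organizationName"),
        "issuer": _rdn_dict(cert.get("issuer", ())).get("organizationName"),
    }


def fetch_cert(host, port=443, timeout=5):
    """Retrieve a live certificate in the same dict shape (needs network; not run here)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert, host in (
        ("lookalike", LOOKALIKE_DV_CERT, "login.examplebank-secure-verify.example"),
        ("genuine", BRAND_OV_CERT, "accounts.examplebank.com"),
    ):
        print(label, cert_summary(cert, host))
```

Both constructed certificates produce a padlock, because in both cases the hostname matches. The difference is that the lookalike one has no organisation and was issued by a free, automated CA; that is exactly the case the padlock cannot distinguish on its own, which is why the domain name in the address bar still has to be read.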
Trend 3 – cloud-based attacks focused on publicly hosted file-sharing services
Cloud-based attacks, particularly those leveraging file-sharing services, increased in Q1 of 2019. There was a dramatic increase in links to malicious files posted to popular and trusted file-sharing services such as Dropbox, WeTransfer, Google Drive and OneDrive. Such links don’t look suspicious and can get through email filters because the file is hosted outside the business’ perimeter, where traditional security solutions such as firewalls or anti-virus have no visibility.
- Carefully check the web address for the file-sharing service. Always hover your mouse over the URL of links contained in emails to check their destination address. If they look suspicious, don’t open them. To log in to a service like Dropbox, open a new web browser and type in the URL manually.
- Check the dropdown arrow under the sender’s name to see additional details (this is how Gmail presents it; other mail clients have a similar ‘show details’ or ‘view headers’ option). You will see a section labelled “signed-by” or “e-mail”. The “signed-by” field is the domain whose DKIM signature your mail provider verified on the message and is the more reliable of the two; the “e-mail” field is the sender address, which is trivial to forge. If something is shared through Dropbox, for example, you would see: signed-by dropbox.com or e-mail: firstname.lastname@example.org. A message that claims to come from a file-sharing service but is signed by an unrelated domain, or not signed at all, is a strong warning sign.
- Even if the email message appears authentic, do not open links if the sender’s email address is unfamiliar and not someone you have shared files with in the past. If you were not expecting such a message or file, contact the sender directly to ask if they actually sent it. Also be wary if the subject line is left blank or is a nonsensical phrase.
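The ‘signed-by’ field a mail client shows comes from the Authentication-Results header that your own receiving mail server adds after checking the message’s DKIM signature and SPF record. The following is an added example, not code from the original page, that reads that header from a raw message and reports the visible From domain, the verdicts, the DKIM signing domain and whether the two domains agree. The three header sets are constructed for the example (no real mail was captured); the file-sharing domain is the one the article uses. One caveat applies to any tool like this: only the Authentication-Results header added by your own server is trustworthy, and a correctly configured server strips any copies that arrive from outside, as RFC 8601 requires.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Fields of an Authentication-Results header (RFC 8601) as written by a receiving
# mail server. The regexes cover the common 'method=result' and property forms only.
METHOD_RESULT = re.compile(r"\b(dkim|spf)=(\w+)")
DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")


def signed_by(raw_email):
    """Reconstruct what a mail client's 'signed-by' field is based on.

    Returns the domain in the visible From header, the DKIM and SPF verdicts your own
    server recorded, the DKIM signing domain when the signature verified, and whether
    that signing domain agrees with the From domain ('aligned'). A message that claims
    to come from a file-sharing service but is signed by some other domain, or not
    signed at all, should be treated as untrusted.
    """
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(METHOD_RESULT.findall(results))
    found = DKIM_DOMAIN.search(results)
    dkim_domain = found.group(1).lower() if found and verdicts.get("dkim") == "pass" else None
    aligned = dkim_domain is not None and (
        dkim_domain == from_domain or from_domain.endswith("." + dkim_domain))
    return {"from_domain": from_domain, "dkim": verdicts.get("dkim", "none"),
            "spf": verdicts.get("spf", "none"), "signed_by": dkim_domain, "aligned": aligned}


# Constructed messages (headers only; no real mail was captured). The header is the
# one the receiving server mx.victim.example would have added.
GENUINE_SHARE = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=no-reply@dropbox.com;
 dkim=pass header.d=dropbox.com header.s=s1
From: "Dropbox" <no-reply@dropbox.com>
To: finance@victim.example
Subject: Alice shared "Q1 invoices" with you

"""
FORGED_SHARE = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=k1
From: "Dropbox" <no-reply@dropbox.com>
To: finance@victim.example
Subject: Alice shared "Q1 invoices" with you

"""
UNSIGNED_SHARE = """\
Authentication-Results: mx.victim.example; spf=none; dkim=none
From: "Dropbox" <no-reply@dropbox.com>
To: finance@victim.example
Subject: Alice shared "Q1 invoices" with you

"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_SHARE), ("forged", FORGED_SHARE),
                       ("unsigned", UNSIGNED_SHARE)):
        print(label, signed_by(raw))
```

All three messages display the same sender name and address, which is the point: the From line is free-form text. Only the genuine one is signed by dropbox.com; the forged one passes SPF and DKIM for a bulk-sending domain that has nothing to do with the visible sender, so it would show a foreign ‘signed-by’, and the unsigned one shows nothing at all. Either of the last two is the cue to contact the sender by another channel before opening the shared file.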
While vigilance and training are key weapons to combat cyber-attack, robust security is imperative (implement security protocols and procedures, firewalls, up-to-date anti-virus software, security patches, spam filters, anti-phishing toolbars, encryption and multi-factor authentication on email and cloud accounts, so that a password captured by a fake log-in page is not enough on its own). Insurance is also a business’ last line of defence. Cyber insurance is designed to protect a business when its IT security, policies and procedures fail to stop an attack. Speak to your EBM account manager about risk mitigation and cyber insurance.