Every business, from startup to enterprise, fears ransomware with good reason. We have heard about the ransomware attack on Colonial Pipeline in the USA which caused fuel scarcity, and Costa Rica declared a national emergency following a ransomware attack which affected 27 government institutions. What could be worse than a cyberthreat that has the potential to be classified as a national security event? Phishing, the mechanism through which ransomware and many other cyberattacks are often delivered.

What is Phishing?

Phishing is a form of social engineering that is carried out through persuasive messages that convince an individual to perform an action that is against the best interests of the individual or the organisation they work for. A common example of phishing is an email that appears to be from a vendor with an infected attachment disguised as an invoice that needs to be paid; opening the attached file will launch a cyberattack such as ransomware.

Why is Phishing a More Serious Threat than Ransomware?

It is estimated that 91% of cyberattacks begin with a phishing email, and no business can afford to ignore such a prevalent threat. But phishing is a particularly dangerous cyberattack because it is difficult to defend against. Phishing may be used to deliver malware, like ransomware, but it may not involve any malware at all. A major wireless product vendor lost $46.7 million when fraudsters impersonated the CEO and a lawyer via email to convince the Chief Accounting Officer to transfer large sums of money under the belief that the transfers would be used to fund an acquisition. No malware was involved, which implies that technology solutions may be insufficient to protect against such an attack. The user, and not the device, is attacked, and therefore device defences provide limited protection.

The victim organisation, in this instance, was warned by the FBI that they were transferring funds to an account under FBI scrutiny; further transfers were halted and some of the lost money was recovered through litigation. Not all victims are this fortunate.

Phishing attacks against a business need not involve official communication channels. An employee may be approached online through their personal use of social media on their personal device and persuaded to reveal information about their employer that could be used to launch a cyberattack. A fake job interview is an example of this approach.

Types of Phishing

Phishing is not limited to any technology or platform; phishing attacks may involve email, SMS, voice messages, phone calls, or may even occur through WhatsApp. Phishing has several variants. Attacks against business leaders or VIPs are called Whaling because the target has a great deal of power and influence. Attackers could also utilise Spear Phishing, where the attack is tailored to appeal to a specific individual based on their interests and characteristics. Threat actors do not restrict their attacks to the C-suite; the man on the street can be, and is, targeted by phishing, as evidenced by the recent spate of attacks where the victim receives a call informing them that their residential electricity will be disconnected unless an overdue amount is paid to a specific bank account.

Building Enterprise Defences Against Phishing

Phishing is a highly effective cyberthreat which can be adapted to deliver different types of cyberattacks, which is why it is widely used by threat actors, and therefore deserves greater attention from businesses when building cyber defences. As phishing targets users, building effective defences against phishing requires understanding an individual’s threat exposure and developing appropriate countermeasures by combining strategy, technology, training, and culture.

Strategy

Every organisation must have a cybersecurity strategy, because a strategy is what ensures that resources are directed towards the deployment of cyber defences in a planned way. Ad hoc measures will not be sufficient to stop resourceful adversaries. A cybersecurity policy should also be framed based on the strategy to ensure organisational alignment with respect to objectives, standards, and expectations. Ensuring that all stakeholders adhere to the policy is critical in defending against a threat that targets users rather than devices.

Technology

Phishing may not always involve malware or malicious websites, but many phishing campaigns do rely on email to deliver malicious attachments and links. Technology solutions must be in place at the network level (such as K7 Unified Threat Management) and at the device level (such as K7 Endpoint Security) to protect the organisation against any form of threat activity. Both malware and malicious links are frequently updated by threat actors; AV-TEST registers over 450,000 new malicious programs and potentially unwanted applications every day, and therefore the security solutions used should also receive frequent definition updates from their vendors to be able to combat the latest threats. When deploying such cybersecurity solutions, it is critical to ensure that every device and network within the organisation is protected. It takes just one user opening a malicious attachment on an unprotected computer for malware to execute and spread through the organisation.

Using IT systems also means maintaining them. A phishing message could be used to distribute malware that exploits an unpatched vulnerability; installing patches and security updates as soon as they become available prevents such phishing campaigns from succeeding.
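The two email-borne lures this section describes, an executable disguised as an invoice attachment and a link whose visible text does not match its real destination, can both be checked mechanically before a message reaches a user. The following Python script is an added example written for this article, not K7's own code or any product's detection logic. It builds a constructed sample message (all addresses and hosts are reserved example values), parses it back from raw bytes the way a mail gateway would, and reports attachments whose extension or content is inconsistent with an invoice, and links whose displayed hostname differs from the hostname actually linked.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions that an invoice-themed message has no legitimate reason to carry,
# and document extensions that attackers place before them to disguise the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def build_sample_message() -> EmailMessage:
    """Constructed sample lure (assumption: not a real message). Carries one disguised
    executable, one genuine-looking PDF and one link whose text hides its destination."""
    msg = EmailMessage()
    msg["From"] = "accounts@vendor-example.invalid"
    msg["To"] = "payables@corp-example.invalid"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please pay via <a href="http://203.0.113.10/pay">'
        "https://portal.vendor-example.invalid</a></p>",
        subtype="html",
    )
    # Fake executable bytes (starts with the "MZ" header) named to look like a PDF.
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    # A harmless placeholder that really does start like a PDF.
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="Invoice_4471.pdf")
    return msg


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Flag executables, executables hidden behind a document extension, and
    attachments whose bytes do not match the file type their name claims."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = PurePosixPath(name).suffixes
        if not suffixes:
            continue
        last = suffixes[-1]
        data = part.get_payload(decode=True) or b""
        if last in EXECUTABLE_EXTENSIONS:
            reason = "executable attachment"
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reason = "executable disguised with document extension"
            findings.append(f"{name}: {reason}")
        elif last == ".pdf" and not data.startswith(b"%PDF"):
            findings.append(f"{name}: content does not match .pdf extension")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return links whose visible text is itself a URL pointing at a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        shown_host = urlparse(text).hostname if "://" in text else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            out.append((href, text))
    return out


def triage(raw: bytes) -> dict:
    """Gateway-style triage of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    return {"attachments": risky_attachments(msg), "links": mismatched_links(html)}


if __name__ == "__main__":
    for kind, items in triage(build_sample_message().as_bytes()).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Both checks are deliberately cheap: no sandbox, no signature database, only structure. That is the point a gateway can enforce regardless of how new the payload is, which complements the definition updates the section calls for rather than replacing them.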

Training

As phishing campaigns may involve the personal devices of employees, or may not involve devices at all, the organisation’s staff must receive training (such as the training provided by K7 Academy) on how phishing attacks work and how to spot phishing messages, so that they can avoid social engineering attacks in both their personal and professional lives. The increasing popularity of remote/hybrid work should also be considered, and training should be provided on cyber hygiene for individuals, securing personal devices through antivirus software, and configuring personal networks to maintain security.

Culture

The culture of a business also plays a role in defeating phishing. If the organisation has a dictatorial culture where the CEO’s instructions are to be obeyed immediately without question, threat actors can impersonate the CEO to issue malicious instructions that have devastating consequences for the business. Organisations that avoid concentrating power and responsibility in the hands of a few and implement a system of checks and balances to govern business operations will display greater resilience against phishing attacks.
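The "checks and balances" this section recommends, and the CEO-impersonation fraud described earlier in the article, can be made concrete as a payment control that no single instruction can bypass. The following Python example is added here for illustration and is not K7's code or any real finance system; the policy values, role names and the two scenarios are constructed assumptions. It enforces separation of duties (the requester may not approve), dual control above a threshold, and out-of-band confirmation for instructions that arrive by email or name an unknown beneficiary, so that an impersonated executive's urgent email alone cannot move money.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    requester: str              # who raised the instruction, e.g. "ceo"
    amount: float
    beneficiary_account: str
    received_via: str           # channel the instruction arrived on: "email", "erp", ...
    callback_verified: bool     # requester confirmed on a known phone number, not by email reply


@dataclass(frozen=True)
class Approval:
    approver: str
    request_id: str


# Constructed policy (assumption): threshold and beneficiary list are illustrative only.
POLICY = {
    "dual_control_threshold": 10_000.0,
    "known_beneficiaries": {"GB00EXAMPLE0001", "GB00EXAMPLE0002"},
    "callback_required_channels": {"email", "chat"},
}


def evaluate_transfer(request: TransferRequest, approvals: list[Approval], policy: dict = POLICY) -> list[str]:
    """Return the list of unmet controls; an empty list means the transfer may proceed."""
    reasons = []
    approvers = {a.approver for a in approvals if a.request_id == request.request_id}

    # Separation of duties: the person asking for the money never counts as an approver.
    if request.requester in approvers:
        reasons.append("requester cannot approve their own transfer")
    approvers.discard(request.requester)

    # Dual control: large amounts need two independent people, whatever their seniority.
    if request.amount >= policy["dual_control_threshold"] and len(approvers) < 2:
        reasons.append(f"amount {request.amount:,.2f} requires two distinct approvers, have {len(approvers)}")

    # Instructions that arrive over impersonable channels must be confirmed out of band.
    if request.received_via in policy["callback_required_channels"] and not request.callback_verified:
        reasons.append(f"instruction received via {request.received_via} must be confirmed by callback")

    # A beneficiary nobody has paid before is the classic BEC tell; confirm it regardless of channel.
    if request.beneficiary_account not in policy["known_beneficiaries"] and not request.callback_verified:
        reasons.append("new beneficiary account requires out-of-band verification")

    return reasons


def ceo_fraud_scenario() -> list[str]:
    """Constructed scenario: an urgent 'CEO' email to a new account, approved by one officer."""
    req = TransferRequest("REQ-1", "ceo", 2_500_000.0, "LT00UNKNOWN9999", "email", False)
    return evaluate_transfer(req, [Approval("chief_accounting_officer", "REQ-1")])


def routine_payment_scenario() -> list[str]:
    """Constructed scenario: a known supplier, raised in the ERP, two approvers."""
    req = TransferRequest("REQ-2", "payables_clerk", 48_000.0, "GB00EXAMPLE0001", "erp", False)
    return evaluate_transfer(req, [Approval("finance_manager", "REQ-2"), Approval("cfo", "REQ-2")])


if __name__ == "__main__":
    print("CEO fraud scenario blocked for:", ceo_fraud_scenario())
    print("Routine payment blocked for:", routine_payment_scenario())
```

The design choice worth noting is that seniority of the requester is never an input: the same rules apply whether the instruction comes from a clerk or the CEO, which is exactly the property an organisation with a "do it now, no questions" culture lacks.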

Cyberspace is an ecosystem of not just technologies and products, but also organisations and individuals. Organisations will find it easier to remain cybersecure when they bolster the security of their corner of cyberspace by sharing knowledge and encouraging their vendors and even customers to follow cybersecurity best practices to prevent the business being compromised by an attack that originates from a third party that has access to any of the organisation’s IT resources. We are stronger together and cooperation reduces the need to worry about any form of cyberattack.

K7 Security has over 30 years’ expertise in providing protection against a wide range of cyberattacks including phishing. Contact Us for more information on how we can help you secure your IT infrastructure and staff against cyberthreats.


2023 K7 Computing. All Rights Reserved.