The recent announcement of British Airways’ record-breaking £183 million GDPR fine has put phishing scams back in the spotlight, as this was an integral part of the company’s data breach. Unlike many other forms of cyberattack, phishing scams go after your customer or employee data, including credentials like passwords, financial details or sensitive personal information. This data can then be used or sold on for malicious intent, from identity theft or false transactions, to brute force or insidious attacks against your company.
Regulations like the GDPR encourage organisations to improve their security posture, with massive fines levied against those who are non-compliant. If your company suffers a data breach, you could be fined up to €20 million, or 4% of your worldwide annual revenue, whichever is higher. For many SMBs and even large enterprises, this kind of fine alongside the loss of customer trust and brand reputation could be enough to close their doors for good.
Education is key if you want your employees and customers to recognise the signs of a phishing scam. Attacks are becoming increasingly sophisticated and realistic. Set up regular workshops or cyber-awareness training that discuss the latest risks, and send out bulletins to customers, offering the latest guidance. These could include:
- Awareness of display name spoofing: this is where attackers set a trusted-looking name as the email sender, hiding the actual (false) email address behind it. These attacks have a higher success rate as more people read email on mobile devices, where the underlying email address is not always visible.
- Secure doesn’t mean safe: HTTPS only means that the connection to a website is encrypted; the site itself could still be malicious. It’s not enough to look for the padlock sign in the address bar, or to expect your browser to warn you ahead of time.
- Phishing links can arrive inside attachments: links inside documents are not always picked up by virus scanners or sandbox technology built to find malware itself. Once opened, these links could then aim to steal sensitive information or launch attacks on your datacenter.
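One defensive check for the display name spoofing described above, written as an added example that is not part of the original article: it parses a From: header value, decodes any RFC 2047 encoded-word name, and flags a display name that is itself a different email address, or that invokes a known brand while the message comes from a domain that brand does not use. The brand table and every sample header are constructed assumptions.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical brand -> domains that brand really sends from (assumption for this example).
KNOWN_BRANDS = {"example airline": {"example-airline.com"}}

# Constructed sample From: header values, not taken from any real message.
SAMPLE_FROM_HEADERS = [
    "Example Airline <noreply@example-airline.com>",                      # legitimate
    "Example Airline Refunds <refunds.team@free-mail-provider.example>",  # brand name, foreign domain
    '"support@example-airline.com" <attacker@evil.example>',             # an address shown as the name
    "=?UTF-8?B?RXhhbXBsZSBBaXJsaW5l?= <alerts@evil.example>",             # base64-encoded display name
]

def sender_domain(addr):
    """Domain part of an address, lower-cased; empty when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyse_from_header(raw_from, known_brands=KNOWN_BRANDS):
    """Classify one From: header value. Returns (verdict, display_name, domain)."""
    name, addr = parseaddr(raw_from)
    # Decode RFC 2047 encoded-words so an encoded name cannot hide the brand from the check.
    name = str(make_header(decode_header(name))).strip()
    domain = sender_domain(addr)
    # Rule 1: the display name is itself an address that differs from the real sender.
    # Mobile clients often show only the display name, so this reads as a trusted address.
    if "@" in name and name.lower() != addr.lower():
        return ("display_name_is_foreign_address", name, domain)
    # Rule 2: the display name invokes a known brand, but the sending domain is not one it uses.
    for brand, domains in known_brands.items():
        if brand in name.lower() and domain not in domains:
            return ("brand_name_untrusted_domain", name, domain)
    return ("ok", name, domain)

def scan_from_headers(headers):
    """Return only the suspicious headers with their verdicts, e.g. to quarantine or add a warning banner."""
    findings = []
    for header in headers:
        verdict, _name, _domain = analyse_from_header(header)
        if verdict != "ok":
            findings.append((header, verdict))
    return findings

if __name__ == "__main__":
    for header, verdict in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:32} {header}")
```

In a mail gateway this check would run on the decoded From: header before delivery; the brand table is the part that must be maintained per organisation.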
Remember that your Board of Directors and managers need this training just as much as, if not more than, your customer-facing employees. These will be the stakeholders who need to sign off for incident response, and need an accurate understanding of the current risk landscape. Here are some helpful tips:
Modernise your systems
Legacy architecture is one of the most dangerous attack vectors through which hackers can access critical assets. While historically, on-premises servers were only accessed by a few other applications, today most datacenters work in a hybrid environment. This means that these legacy servers (likely to contain business-critical or highly sensitive assets) are now communicating with cloud applications on both public and private infrastructure. These communication flows can be open doors for attackers looking to steal sensitive information.
Modernising the way that your data is handled can provide a lot more security than keeping it on-premises, where security is not dynamic or automated, and policy is more difficult to enforce. Consider moving your data to AWS or Azure, or choosing a third-party vendor to handle data security and encryption on the cloud.
Improve your processes
Think about the processes you could put in place which reduce the risk of phishing scams. Two-factor authentication is one example of good practice that helps to protect customer data even if a user does fall victim to a phishing scam, although users should be aware that this could be bypassed by a sophisticated enough attack.
Internally, you could also install browser add-ons or extensions that automatically block malicious websites or alert users to unsafe links. Phishing simulations or drills can help to uncover the blind spots or gaps in your company procedures, and can be a more effective tool for phishing education than standard training alone.
Plan incident response
Communication and response could be the difference between a quickly managed situation and a catastrophe. Make sure you have established who is responsible for phishing scams in the company. This should be the person alerted immediately if an employee or a customer falls victim to a scam, or uncovers a false website or suspicious link. This person will be able to set into motion an incident response plan which should be tried and tested. This should include:
- Recording Indicators of Compromise (IOCs)
- Investigating whether this attack is part of a known campaign
- Alerting customers and employees (British Airways were criticised for not going public about their recent attack quickly enough)
- Blocking the sender on the SMTP server and flagging the email as spam
- Starting automated procedures such as blackholing the malicious DNS names, blocking download URLs or alerting your antivirus vendor to the specific malware sample
If you think that your customers’ data may be in jeopardy, you need the processes and tools in place to mitigate the damage, and the knowledge that every member of your company is ready to think fast. If not, the next company hitting the headlines could be yours.
Written by Elad Schulman, CEO, Segasec