Home » Topics » Cybersecurity » Businesses still failing to respond to phishing attacks

Businesses still failing to respond to phishing attacks

Avatar photoby Ben Rossi

Most companies do not have efficient security processes in place to respond to phishing emails, which are often the precursor to specific attacks where a company can be seriously hacked.

'Spear-phishing attacks against organisations are nothing new, but they are rising steeply in both frequency and complexity,' said Guillermo Lafuente, a senior security consultant at MWR specialising in social engineering attacks.

'These attacks start with an innocent looking email that appears to come from a trustworthy source but have evolved to the extent that often neither the individual nor the organisation are even aware that an incident has occurred until it is too late and confidential data has been stolen.'

Lafuente added that they are mainly designed to deceive employees, who are still seen as the ‘weakest link.’ 

'We noticed that many companies do not have efficient internal incident response procedures in place to alert their staff about the threat,” he said.

>See also: Dropbox hit by Zeus phishing attack

MWR has identified a number of key processes that should be functional for an organisation to be able to resist these external threats, including the length of time before a phishing email is recorded as an incident and having effective out-bound email filters implemented to prevent the leakage of sensitive data.  

'For example, companies should be able to respond to a phishing attack within fifteen minutes of receiving the malicious email. Efficiency at the early stages is crucial, however, many of them fail to react within the recommended time frame,” said Lafuente.

Worryingly, phishing attacks are also commonly employed as an element of APT (Advanced Persistent Threat) due to their high success and low detection rates, and the ease by which an attacker can target a large estate of users within an organisation. 

>See also: Microsoft and FBI strike blow against $500m cyber crime ring

Employees are then deceived into providing sensitive information or into performing actions such as downloading malware that could give an attacker access to the victim’s computer and even compromise the company’s entire IT network. 

A recent study by security provider RSA reported that in 2012 the UK economy lost over £405 million to phishing attacks; an increase of over 25% of the £304.4 million lost in 2011. The report stated that in 2012 there were on average more than 37,000 unique phishing attacks globally each month, compared with 21,500 per month in 2011. 

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach
Malware

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise