It’s well known that phishing attacks place a heavy financial burden on companies every year. However, determining the exact cost, or the drop in stock value, isn’t easy, as the aftermath of an attack can be ongoing for quite some time after the initial incident.
To determine more accurately the degree to which an organisation has been affected, it’s necessary to carry out post-attack analysis over a longer period of time.
Data breaches have been a problem for many years, but have recently gained more and more media coverage. The increase in exposure means that they are becoming of greater interest to the general public. Also, with the increased availability of potentially less secure cloud-based storage solutions, there is now more information to be breached – particularly as businesses become more dependent on technology.
Like most persistent incidents, phishing attacks have a certain MO, and attackers will weigh up particular factors that can be exploited when a business is targeted.
Here are the top 3 trends that have been seen lately relating to phishing attacks:
Targeting SMEs and individuals
We have noticed an increase in smaller organisations looking to provide their employees with behavioural phishing awareness training and as a result taking their data security a lot more seriously. Whilst it may not be immediately obvious, smaller companies have just as much to lose from successful attacks as much larger ones.
SMEs are less likely to be using the latest high-tech, multi-million-pound detection and prevention systems, so if an attack is successful, they often won’t have the resources necessary to deal with the post-attack fallout.
We have also noted that people often only consider emails when discussing phishing attacks, but websites also need to be taken into consideration, as they frequently make up a large part of the deception. In 2014, there have been phishing attempts targeted at Apple devices, as consumers naturally trust the Apple brand with their money and information. This brand loyalty makes it very easy for criminals to mimic the branding and take advantage of unknowing and trusting customers.
Companies don’t understand risk
It’s been said that an estimated 60% of all companies that suffer a cybersecurity breach go out of business within six months of the attack. Cyber attacks are frequently used as a means to steal intellectual property or intelligence during mergers and acquisitions. During this highly vulnerable time, we stress to businesses that a proactive defence is always advised.
Although a successful business now depends more heavily on IT, we often see that budgets are still being cut – this shows that there is a miscommunication, or little understanding, between the board room and IT. Bringing in HR and user awareness can be critical here in helping all parties unite behind a single security objective. This shift in departmental behaviour closes the gap between IT security, human behaviour and executive understanding of risk.
Using Ebola as a scam
It’s a natural human trait that in disaster situations we often want to come together, reach out, and help those in need. However, it is also a human trait that some will want to take advantage of unfortunate situations for their own malicious, personal gain. From our phishing assessments we already know that those who work in a role perceived as being ‘helpful’ – such as PAs and marketing personnel – are the most susceptible to phishing campaigns, due to the nature of their job.
From this, we can deduce that people whose profession is to help others are more likely than most to open an email, open an attachment, or click a link from an unknown sender. They don’t see the sender as untrusted, but simply as unknown. An attacker’s ideal target is someone who is susceptible to even an obvious phishing email.
Not all phishing emails will be evident – some will be very sophisticated and appear to come from genuine companies or charities, but we recommend always being suspicious of the unknown! To counter disaster-themed scam emails, we need to understand the areas of greatest susceptibility and work with the people in them to ensure they can tell genuine emails from scams.
Building awareness of the problem and providing adequate training is necessary to ultimately change behaviour and avoid falling for these scams.
Sourced from James Moore, senior consultant for Phish’d by MWR InfoSecurity