Don’t Take the Bait – Phishing is big business


In recent times phishing attacks have become more prevalent and sophisticated.

Cyber criminals are learning more refined ways to prey upon people, and the result is a growing number of successful attacks. In particular, they have taken advantage of the malware-as-a-service offerings on the dark web to increase both the efficiency and the volume of their attacks. In fact, 91% of cyber attacks and their resulting data breaches now begin with a spear phishing email message. Now, more than ever, there is a need for a multi-layered defence against phishing attacks, one that combines advanced security technologies with educated, phishing-aware employees.

Sophos recently published a white paper on this subject, and we wanted to share some of its findings with you. The full report is available from Sophos.

What is Phishing?

It’s that email you receive that looks like a request from your bank, but when you click the link and enter your login details you are actually handing them over to criminals. Phishing has since grown into much more than that.

In 2016, the volume of attacks increased dramatically, fuelled by dark web services such as free phishing kits and phishing-as-a-service. It has become increasingly simple for even the least technically inclined attacker to leverage advanced malware produced by someone far more skilled than they are. As a result, 2016 has been dubbed the “year of ransomware”.

Improving efficiency and productivity

For the most part, cyber criminals will try to extort money from you using ransomware or social engineering, or they will steal data and credentials that can be sold on dark web markets.

There has been a shift towards more efficient attack distribution methods, with on-demand phishing services, off-the-shelf phishing kits, and new waves of attack types such as Business Email Compromise (BEC) that target higher-value assets via social engineering.

Phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code, images, and more.

Attacks-as-a-service

In fact, attackers no longer even need to know how to create malware or send emails. Ransomware-as-a-service allows a user to create an online account and fill out a quick web form, including the starting ransom price and a late payment price for victims. The provider of the service then takes a cut of each ransom paid, with discounts offered if the user translates the malware’s text into new languages or if the volume of the attack exceeds a certain level.

Phishing-as-a-service allows users to pay for phishing attacks to be sent on their behalf, using global botnets to avoid IP ranges that are already known to be bad. Providers even guarantee to bill users only for delivered email messages, much like any legitimate email marketing service.

Spear phishing is where emails impersonating a specific sender or trusted source are sent to targeted individuals within an organisation to get them to take a particular action, such as sending money to a fraudulent account.

Business Email Compromise attacks are so named because they involve a legitimate employee email account being compromised, rather than the sender address being spoofed. Because the message genuinely comes from the real account, these attacks are much harder for end users to spot.

The fight against phishing

Phishing emails come in all shapes and sizes, and unfortunately no single product will fully protect your business from phishing attacks. A multi-layered defence, combining advanced security technologies with educated employees, is the only answer.

Stop threats at the door

Your first opportunity to defend against phishing attacks and other email-borne threats is strong email and web filtering. Email protection is your watch guard, blocking 99% of unwanted email at the gateway, including malicious attachments, content, and URLs, long before an end user ever sees them. Web filtering is another must-have front-line defence: should a user click a link in a phishing email, it filters and blocks the malicious URL before the page loads.

Appropriate education is critical for ensuring that employees know how to spot and deal with these types of email messages. Look for solutions with editable phishing simulation campaigns that can be tailored to your organisation.

Secure your last line of defence

If your click-happy end users inadvertently unleash potent malware onto your systems, there is still ample opportunity to stop the damage and even reverse its effects. Next-generation exploit prevention solutions identify, analyse, and neutralise the effects of even the most advanced, previously unseen malware, and automatically clean up all traces of infection so you can get on with your day.

Know your business

Make sure your company processes are understood, and encourage employees to question requests from colleagues and senior managers that seem out of character. Perhaps most important of all, ensure you have a two-stage approval process for all significant fund transfer requests. All the defences in the world will not stop an employee from unknowingly sending a large payment to a thief unless proper checks and balances are in place.

Sophos has powerful technologies that can protect you at each stage of an attack. For more information, visit Sophos or talk to the expert team at DNA IT Solutions; we work with Sophos to help protect clients from cyber attacks.