Phishing: Season is Open All Year Long

September 26, 2016 KISHAN KUKKADAPU

Employees are one of the weakest links in any business’ security defenses, especially if there is a lack of awareness about criminal attacks that are designed to obtain sensitive information from organizations.

Phishing, a social engineering technique, is one type of attack that is intended to obtain sensitive personal and professional information such as bank account information, network credentials, etc.  Obtaining this confidential business information opens the gates to penetrate further into the organization and perform malicious activities.  Phishing is carried out through email spoofing, instant or text messaging, or telephone calls.  Victims are tricked into opening attachments or clicking links in emails and other types of communication, which places the victim on a rogue web site or installs malware on the victim’s machine.  Phishing attacks can also be carried out over multiple communications, which builds trust and makes it easier to steal information.  The rogue website often looks legitimate, frequently a clone of a legitimate site, and persuades the victim to reveal sensitive information.

Spear Phishing

Spear Phishing is a type of phishing that is targeted at specific employees, which may include high profile business people.  These emails are crafted to make an employee believe they come from a colleague or an external entity such as a vendor or business partner.  Since the email appears to be coming from a known entity, the employee places a level of trust in the email and is fooled into opening links or attachments in the email or performing a task as directed in it.  In recent years, criminals have shifted from phishing to spear phishing, as it has proved highly successful.  Criminals use professional and social media outlets, such as LinkedIn, Glassdoor, and Facebook, to gather information about a potential victim and create a sophisticated attack using this knowledge.  The objective of spear phishing can be financial gain or long term access to an organization’s data and resources.  To cite a recent example, an employee at an investment firm in Michigan was tricked into sending $500,000 to a bank in Hong Kong after receiving a series of emails that were supposedly from a company executive.  Also, the recent tax season proved to be an active time for criminals to steal sensitive personal information.  An employee at a university was tricked by a spear phishing email that appeared to be from an administrator and requested that employees’ W2 forms be sent.  Believing the email was from a trustworthy source, the employee sent the information to the fraudster, thus exposing employees’ personal information.

Defending Against Phishing Attacks

Recent reports indicate a rapid increase in spear phishing attacks targeted at small and medium businesses.  A phishing attack may target a specific person, but it is an organizational problem.  Businesses have to implement an enterprise wide strategy to reduce the organization’s exposure to fraud.  The strategy should include implementing solid internal controls, promoting employee awareness, and training and behavioral practices.  Organizations have to implement a security system that can effectively identify and filter malicious attacks.  Though implementing sound technical controls addresses one part of the problem, promoting proper awareness among employees is highly important because human vulnerabilities always exist.  Organizations should implement an employee awareness program that includes the following:

  • Anti-fraud training to help employees identify suspicious emails, phone calls or any other activity, and report to management immediately
  • Periodic updates to all employees on threat trends
  • Implement policies and procedures to guide employees in handling confidential information and performing financial transactions
  • Annual security awareness trainings for all employees and access to all information security policies
  • Exercise behavioral practices such as not sharing company information on social media, not releasing confidential information unless approved by management, not reacting to email that has a sense of urgency or high pressure, and being proactive in reporting security events.

Additionally, organizations should consider deploying technical solutions to flag suspicious inbound communication and monitor outbound communication to suspicious domains.
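As an added example that is not part of the original post, the Python rule set below flags the inbound patterns the article describes: an executive’s display name paired with an outside address, a sender domain that merely resembles the company’s own, urgency wording, and requests for wire transfers or W2 data.  The organization domain, executive list and sample messages are constructed assumptions, not data from the article.

```python
import difflib
from email.utils import parseaddr

# Assumed organisation data (constructed for this example, not from the article)
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today")
REQUEST_WORDS = ("wire", "transfer", "w-2", "w2", "payroll", "gift card", "invoice")

def is_lookalike(domain, legit=INTERNAL_DOMAIN):
    # A domain that closely resembles ours but is not ours (e.g. examp1e.com)
    return domain != legit and difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.8

def score_message(from_header, subject, body):
    # Returns the list of reasons a message looks like spear phishing; empty = clean
    reasons = []
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Executive's display name paired with an address that is not theirs
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name with mismatched sender address")
    if is_lookalike(domain):
        reasons.append("sender domain resembles the internal domain")
    text = (subject + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("urgency / high-pressure language")
    if any(w in text for w in REQUEST_WORDS):
        reasons.append("financial or personal-data request")
    return reasons

def flag_inbound(messages):
    # (subject, reasons) for each message that trips at least one rule
    return [(m["subject"], r) for m in messages
            if (r := score_message(m["from"], m["subject"], m["body"]))]

# Constructed sample messages modelled on the wire-transfer and W2 cases in the article
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@examp1e.com>", "subject": "Urgent wire transfer",
     "body": "I need this sent today. Also forward all employee W-2 forms."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Lunch",
     "body": "Free on Friday?"},
]

if __name__ == "__main__":
    for subject, reasons in flag_inbound(SAMPLE_MESSAGES):
        print(subject, "->", "; ".join(reasons))
```

Rules like these are a triage aid for a mail gateway or SIEM, not a replacement for sender authentication (SPF, DKIM, DMARC) and the out-of-band verification of payment requests the article calls for.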

As deception fraud is likely to increase in frequency and sophistication, companies need to invest time and resources to maintain an effective security system and promote proper employee awareness.  As threat trends show an increase in spear phishing against small and medium businesses, there is no excuse for not implementing strong controls to defend against phishing attacks.
