This Time It’s Personal


We’ve all received emails from our “banks” or “family members” asking us to transfer money or click on a ‘funny’ video. Hackers are truly outsmarting a lot of individuals by not only knowing their name, but also being able to impersonate email mannerisms, nicknames, and other private details. So how do we everyday folk look to protect ourselves against such familiarities? 

Email is one of the few technologies that almost everyone – young and old, technical and non-technical – is familiar with. There are even employees whose entire job is to review and respond to routine invoices and general queries that arrive by email. Even the most secure organisations, which air-gap their more sensitive workloads from the Internet, are usually fairly relaxed about email. This has played right into the hands of attackers, for whom email has become the weapon of choice.

Spear phishing attacks, which aim to steal data and information from individuals for malicious purposes, are on the rise. Individuals are simply tricked into giving up their information because they believe they are talking to a trusted source, such as a family member. It is vital that people and organisations recognise the tell-tale signs of a spear phishing email and understand the next steps, so that they aren't targeted again.

Friend or foe? 

Attackers are now spending considerable amounts of time gathering specific information about their victims, including their name, contact information and the person's tone of voice, in order to steal their data or extort them for money. Unlike a regular phishing campaign, this requires specific knowledge about an organisation or individual. In particular, attackers are mining social media accounts for details and sending personalised emails based on what they find.

This should raise alarm bells for everyone. Individuals must be educated on what phishing emails look like, and organisations are in a position to facilitate this. However, it's important that we don't rely on technology alone to solve the problem. With scare tactics being used to get into systems, we need a mix of training and technology to support individuals worldwide.

Has your data gone phishing? 

With 65% of attacker groups using spear phishing as their primary infection vector, companies need to take a more methodical approach to the problem. They need to focus on building a security model that is fast at detecting a compromised machine or account as it attempts to abuse enterprise data and resources. It must then quickly, and automatically, close the loop and prevent further access to sensitive enterprise data. Businesses might be able to train 99% of people to spot fraudulent emails, but when a compromise does happen, they need to be able to react to the problem and resolve it quickly.

A method which companies can adopt, and which isn't widely used at the moment, is pushing alerts directly to mobile phones instead of sending them by email. This trains individuals to distinguish between genuine alerts (those on their phone) and those arriving by email (which might come from an attacker). It is a long-term measure that can help employers stop attackers taking advantage of their organisations, and it has the ability to train both employees and employers in online safety.

Responsibility also needs to fall on each individual. People need to be held accountable for what they read and click. Think of it like this: when you receive a physical letter in the post, it's up to you whether you open it or not, and the same goes for clicking a link. It's easy to get caught out, but it's also easy to mitigate your risks.

Bear in mind these simple steps. Setting up two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a username and password, and something they have, such as their smartphone. Even when an employee's credentials are compromised, 2FA prevents their use, since the credentials alone are insufficient to gain entry.

At the same time, organisations should enforce strict password management policies. For example, employees should be required to change their passwords frequently and should not be allowed to reuse a password across multiple applications. Simple passwords such as 'Password123' shouldn't be used in normal day-to-day life, let alone in a work environment where sensitive information might be compromised.

Casting the net

Education on phishing, and on cyber threats more broadly, is of course vital, but at the end of the day some infection is inevitable. People will click on links and download attachments for the simple reason that they do so as part of everyday life. Therefore, when it comes to building a security programme, focusing only on technology and processes leaves us in a weak and unbalanced position. Businesses need four steps in place: first, start at the top and secure leadership support; second, conduct awareness training so that employees know what needs protecting; third, test the security posture, for example through internal phishing campaigns; and fourth, ensure transparency and continual communication. Only then will everyone, on a personal and a business level, be able to mitigate the risks that spear phishing attacks pose.

Kunal Anand, Chief Technology Officer at Imperva
