91%. That is the percentage of successful cyber attacks worldwide that began with a phishing attack.
74%. That is the percentage of British companies that detected an attempted or successful phishing attack in 2018.
The numbers do not lie, and for all the talk of advanced attack vectors and trends across the cyber security industry, it is phishing emails that overwhelmingly remain the biggest problem companies face day-to-day.
Simply put, because all organisations are now technology dependent, nobody can afford to ignore the risks posed by cyber attacks and phishing campaigns. The best place to begin is with awareness, and to seek answers to three fundamental questions: how does phishing work? What are the consequences? And how can it be stopped?
How does phishing work?
A phishing email is by definition fraudulent. The National Cyber Security Centre (NCSC) defines it as “Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.”
The sender masquerades as a legitimate sender, using social engineering techniques to dupe the reader into performing an action. These actions include responding to a fraudulent invoice, clicking on a link to a site containing malicious content, or opening a malicious attachment.
The heart of phishing, however, lies in the email itself and in how it abuses the email system to pose as a legitimate sender. To an everyday user this may sound complicated, when it really is not. In 2018 almost everybody in the UK received a scam email pretending to be from TV Licensing; others have received emails that appear to come from large companies such as Amazon or Apple, or from delivery couriers such as UPS and DHL.
The criminals use tricks including the repurposing of email templates to mimic corporate branding, so that the messages look almost identical to genuine emails even though they are in fact sent from elsewhere. This visual mimicry is often combined with domain spoofing, where an organisation's legitimate domain name is forged in the sender address so that the message appears to come from that site, organisation, or person.
If this is not possible, the criminals will opt to register a new domain entirely, whose spelling is eerily close to, but still different from, the real domain. All of this is trickery designed to convince the reader that they are engaging with a real company or person, when they are in fact being deceived by a criminal. Regardless of the method used, readers will know a common word for this technical malice: forgery.
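As an added illustration of the look-alike and brand-mismatch patterns described above (example code written for this article, not part of the original text), the following Python check compares a message's From header against a constructed list of protected brand domains; the domain list, the homoglyph map and the two-edit threshold are assumptions chosen for the example.

```python
import re
import unicodedata

# Constructed list of brand domains to protect; a real deployment loads its own.
PROTECTED_DOMAINS = {"amazon.co.uk", "apple.com", "ups.com", "dhl.com", "tvlicensing.co.uk"}
# Digit/letter substitutions common in look-alike domains (assumed, illustrative list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalise(domain):
    """Lower-case, fold non-ASCII confusables to ASCII (NFKD) and map digit
    look-alikes, so 'Arnaz0n.co.uk' is compared as 'amazon.co.uk'."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_from(header):
    """Split 'Display Name <user@domain>' into (lower-cased name, domain)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    name, addr = (m.group(1), m.group(2)) if m else ("", header.strip())
    return name.lower(), addr.rsplit("@", 1)[-1].lower()

def classify_sender(header):
    """Return (verdict, protected domain involved or None) for a From header."""
    name, domain = parse_from(header)
    if domain in PROTECTED_DOMAINS:
        return "legitimate-domain", domain
    norm = normalise(domain)
    for real in sorted(PROTECTED_DOMAINS):
        brand = real.split(".")[0]                       # e.g. 'amazon'
        # Near-identical domain: typo, transposed letters or homoglyph substitution.
        # Caveat: 2 edits is too loose for very short names (ups.com vs usps.com),
        # so pair this with an allow-list of known-good domains in practice.
        if edit_distance(norm, real) <= 2:
            return "look-alike-domain", real
        # Brand word embedded in an unrelated domain, or used only in the display name.
        if brand in norm.split(".")[0] or re.search(r"\b%s\b" % re.escape(brand), name):
            return "brand-name-mismatch", real
    return "unrelated", None
```

A verdict other than "legitimate-domain" is a reason to quarantine or flag the message for the reader, not proof of fraud on its own.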
These methods are all designed to achieve one thing: to get the reader to bite, to click on the phish and so initiate the first phase of a cyber attack against that individual or organisation. Unlike some more exotic attack methods, phishing is so successful because it does not target a clever technical aspect or vulnerability per se; instead it targets the human reader. Once a phishing email reaches an individual's inbox, the outcome depends on whether the reader detects the criminal ruse or makes a mistake. Phishing ultimately relies on human error, which is why it has such an incredibly high success rate globally.
What are the consequences of phishing?
There are catalogues of case studies that show how bad the consequences can be for falling prey to a phishing email. This article will consider three cases, focusing on large business, small business, and the individual.
For a large business, the best example globally is the 2017 NotPetya ransomware attack that affected hundreds of businesses worldwide. The best known company to fall victim was the European shipping giant Maersk, which had the bulk of its global online infrastructure paralysed after a phishing email containing the ransomware variant was activated.
Maersk found more than 600 sites across 130 countries affected, severely disrupting its container fleet worldwide. The bottom line was that the estimated losses to Maersk were in the region of $300m.
For a small business example, Pembrokeshire-based Brooks Barn fell victim to a hack of its Amazon account. The company, a motorcycle parts seller with a small staff base, found its accounts compromised, resulting in financial losses of £22,500 in just two months. Although small in comparison to Maersk's losses, the loss to this small company resulted in staff redundancies, and none of the money was recovered.
Finally, at the individual level, throughout the autumn of 2018 individuals in Britain were sent scam emails purporting to be from TV Licensing en masse. So prevalent were the fake emails, which tried to elicit payment details via a malicious website, that more than 5,000 people complained to Action Fraud in the last three months of 2018. One victim, Jerry Tack, lost £9,900 that he was unable to recover as a result of clicking on the TV Licence scam email.
While the consequences vary from big and small businesses through to individual victims, it is clear that failing to recognise a phishing email as fraudulent can lead to heavy financial losses. Whether through operational disruption, redirected funds or individuals duped into carrying out transactions, the result is the same: a successful crime on the part of the fraudster.
How can phishing be stopped?
The solutions are simple, but the difficulty, as with all other types of security, lies in diligent day-to-day practice by staff. The process that business leaders can follow to build resilience against phishing is: Training – Testing – Reporting.
Everything begins with awareness, which is where training comes in. Phishing targets human behaviour, seeking to manipulate it into making a mistake. Business leaders must invest in training their staff to be aware of the threat, and the best way of ensuring this is not through bland computer-based training (CBT) courses that employees click through without absorbing. Instead, face-to-face sessions with experienced specialists are a proven way to ensure staff awareness of, and investment in, the problem.
Next, once your staff are armed with awareness, you need to test them to find out whether your team still carries vulnerabilities. Carrying out regular phishing tests using an independent specialist is not only industry standard, but a necessity in order to ensure that your staff are hardened against the world's most common attack type.
Finally, a culture of reporting needs to be established at the senior levels of the business. Business leaders should hold responsibility for cyber security, taking ownership of regular testing and training data to address any vulnerabilities discovered. Leaders must make their decisions data-informed, which can only come from the regular reporting of test data.
Ultimately, cyber security is a pernicious issue for all businesses that will not go away so long as businesses remain dependent on computers. Phishing emails are by far the most common attack type, and in order to be prepared, business leaders must ensure a robust practice of Training – Testing – Reporting is put in place.