Addressing the Increasingly Risky Online Fraud in Malaysia
Barracuda Networks, Inc., a leading provider of cloud-connected security and storage solutions, said email security threats affected 87 percent of companies in the past year, according to its Email Security Trends 2018 Study.
The study includes responses from 634 executives, individual contributors and team managers serving in IT-security roles in the Americas, EMEA and APAC. Companies surveyed include small, mid-sized and enterprise businesses in technology, financial services, education, healthcare, manufacturing, government, telecommunication, retail and other industries.
James Forbes-May, Vice President of APAC Sales for Barracuda, says, “Phishing is one of the cheapest and easiest strategies used by hackers to target companies, as it takes advantage of the weakest link in an organisation’s security chain: its employees.”
“Most malicious emails attempted to steal login and system information from users in order to take over their account and launch attacks on a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company’s data,” adds Forbes-May.
Account takeover attacks have multiple objectives. Some attackers use the hijacked email account to launch phishing campaigns that will go undetected, some steal the credentials of other employees and sell them on the black market, and others use the account to conduct reconnaissance for personalised follow-on attacks. The most sophisticated attackers steal the credentials of a key employee (e.g., the CEO or CFO) and use them to launch a Business Email Compromise attack from the real employee’s email address.
One click is all it takes
Phishing typically works by spoofing an authoritative sender (a bank, say, or even a colleague) and often by creating a sense of urgency, so the user feels they have little time to think before clicking. Some campaigns are highly targeted, but even the mass-mailed generic ones may contain relevant information. “Invoice” apparently appeared in six of the 10 most effective phishing campaigns in 2018. Clicking might take the user to a spoofed site requesting the all-important account credentials, or it could initiate a covert malware download.
These emails could contain info-stealers, backdoors or even ransomware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they’d experienced such an attack. With phished credentials, hackers can also go after large stores of customer data containing even more credentials and personal data — highly monetisable on the cybercrime underground.
“The bad news is that phishing attacks will get increasingly difficult to spot. There’s a strong possibility that cyber-criminals will turn to AI technologies to “learn” the writing style and messaging behaviour of employees so that they can then insert fake emails that look highly convincing,” he cautions.
“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.
Despite these risks and the continuing high profile of phishing in the media, a percentage of employees worldwide with internet access still did not know what phishing is or how it happens.
What can be done?
“For starters, multi-factor authentication (MFA) is an effective method to stop hackers from accessing accounts with just passwords. A customised training programme that is relevant to different departments needs to be run to train employees to identify possible phishing attempts in their work scenarios,” advises Forbes-May.
Run phishing tests in short sessions using real-world scenarios and collect feedback on each user. Users should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. All levels of employees, including part-timers and interns, must undergo training, as all it takes is one click to cause great damage. It doesn’t matter who clicks on that phishing link; it will be equally damaging.
Here are a few quick tips to help avoid phishing scams like the ones highlighted above:
- Don’t click on attachments or URLs from unknown sources. Sometimes even sources that you think are safe could have been compromised or impersonated by criminals. Call them if you feel the email is suspicious.
- Never share or reveal your password or login to an unidentified site you accessed via an email link. Always go to the site directly via your browser.
- Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if something sounds too good to be true—it probably is.
“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats. Your reputation, company data and the potential loss of money are at constant risk and must be safeguarded,” he adds.
Although there’s the possibility that cyber-criminals may turn to AI to make their phishing emails more convincing, the white hats are already using such capabilities to automate the detection of spear-phishing. These systems learn your organisation’s unique communication patterns to better spot, in real time, when something doesn’t look quite right.
“Email threats will continue to be a large problem for companies and unless they employ multi-layered approaches and train their employees, they are at risk of being held for ransom by hackers,” ends Forbes-May.
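As an added, defender-side illustration of the indicators described earlier in the article (a spoofed or look-alike sender, urgency wording, the “invoice” lure, and links whose visible text disagrees with their target) and of the idea in the paragraph above that a system can learn who an organisation normally corresponds with, the following Python script triages a raw email against a baseline of known domains. It is example code written for this page, not Barracuda’s code or a description of its product; the baseline domains, the phrase list, the similarity threshold, the weights and both sample messages are constructed for the example.

```python
"""Heuristic phishing triage for inbound mail (added example, not vendor code).
Flags a sender that is not in, or only resembles, the organisation's baseline of
known domains, urgency wording, the "invoice" lure, and links whose visible text
names one domain while the href points at another."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed baseline: domains this hypothetical organisation normally talks to.
# A real deployment would build this from mail history rather than a literal.
KNOWN_DOMAINS = {"example.com", "examplebank.com"}

# Constructed list of phrases that manufacture time pressure.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "urgent", "verify your account", "act now",
)

# Matches a URL or bare domain appearing in a link's visible text.
DOMAIN_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host part of an email address, URL or bare domain."""
    s = value.strip().lower().strip("<>")
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def lookalike_of(domain, known=KNOWN_DOMAINS, threshold=0.85):
    """Known domain that `domain` closely resembles without equalling, else None."""
    if domain in known:
        return None
    best = max(sorted(known),
               key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio())
    ratio = difflib.SequenceMatcher(None, domain, best).ratio()
    return best if ratio >= threshold else None


def triage(raw_message, known=KNOWN_DOMAINS):
    """Score a raw RFC 5322 message; returns (score, reasons), higher = more suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []  # (weight, explanation); weights are constructed for the example

    sender_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    if sender_domain not in known:
        twin = lookalike_of(sender_domain, known)
        if twin:
            findings.append((3, f"sender domain {sender_domain} imitates {twin}"))
        else:
            findings.append((1, f"sender domain {sender_domain} not in baseline"))

    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (subject + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append((1, "urgency wording: " + ", ".join(hits)))
    if "invoice" in subject.lower():
        findings.append((1, "'invoice' lure in subject"))

    # Visible link text naming one domain while the href goes elsewhere.
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            m = DOMAIN_LIKE.search(shown)
            if m and _domain(m.group(0)) != _domain(href):
                findings.append((3, f"link text shows {_domain(m.group(0))} "
                                    f"but points to {_domain(href)}"))

    return sum(w for w, _ in findings), [why for _, why in findings]


# Constructed sample messages; the look-alike domain is invented for the example.
SUSPICIOUS = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
To: staff@example.com
Subject: Invoice overdue - verify your account immediately
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours.</p>
<p><a href="http://login-examp1ebank.com/verify">https://examplebank.com/login</a></p>
</body></html>
"""

BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Hi Bob, notes from today are on the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = triage(raw)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

The score is only a triage aid for a mail gateway or SOC queue; the point of the baseline check is that a message from a domain the organisation has never corresponded with, or from one that merely resembles a known domain, is treated differently from routine traffic, which is the pattern-learning idea the paragraph above describes.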