Last year saw several high-profile security breaches, including US firm Target and one of the biggest corporate hacking scandals the world has ever seen with the attack on global mega-corporation Sony Entertainment.
Phishing emails play a huge role in the attacks launched against brands and organisations all over the world.
The initial spark that causes some of these huge calamities can start with something as innocent and ubiquitous as a fake email. Verizon’s 2014 breach report stated that phishing emails account for the entry point of up to 67 per cent of the most audacious security attacks of our time.
The critical aspect of all social engineering scams is that the intended victim is lulled into a false sense of security and believes the communication to be genuine.
Researchers at the University of Buffalo conducted a study using 'information-rich' phishing emails; these emails are equipped with logos and graphics from a well-known brand or group that is recognisable to the recipient, as well as carefully crafted text that sounds both personal and scaremongering.
Most importantly, they contain a call to action encouraging you to click or register and thereby unleash the destructive force of the would-be hackers. The quote below describes the nature of the University study:
The phishing email was made to look like it came from the University's IT department, and said that there was an error in their student email account settings. They were asked to follow an enclosed link to access their account settings in order to solve the problem, and were instructed to do it fast, as access to their account would be permanently blocked shortly.
The study found that 68 per cent of the 125 students tested fell for the ruse. Considering these tactics have led to some of the biggest security breaches of our time, this isn’t surprising.
Awareness and proper training are key in combating these issues. There are many technologies available that help to screen files and suspect code hidden within emails.
The best approach to combating would-be attackers is a strategy that allows you to map out the infrastructure associated with phishing campaigns, block likely entry points, and track the URLs typically used to host exploits or spurious web forms designed to gather user credentials.
The fact is that phishing is still a preferred way to steal users’ data. A phishing scam will look like it was sent by someone inside your organisation and it will request a reasonable action.
However, this also leaves a signature that can be successfully detected. For brands and organisations to combat phishing effectively, constant vigilance, greater awareness and a drive to educate staff are needed.
This threat can be beaten through a combination of human effort and superior technology to outsmart would-be attackers.
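The "signature" mentioned above (a message that claims to come from inside the organisation but does not) is something a mail filter can score. The following Python is an added example and not code from the author or from RiskIQ; it assumes a hypothetical internal domain example.com, a small list of internal display names, and two constructed sample messages. It flags display-name impersonation, lookalike sender domains, a Reply-To that differs from From, urgency wording of the kind used in the Buffalo study, and links whose visible text names a different host than their href.

```python
"""Score an email for common phishing signatures (added example, not from the
original article). INTERNAL_DOMAIN, INTERNAL_NAMES and the two sample messages
are constructed assumptions for illustration only."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                 # assumed internal domain
INTERNAL_NAMES = {"it helpdesk", "jane doe"}    # assumed internal display names

# Urgency phrases typical of the "act now or lose access" pretext
URGENCY = re.compile(
    r"permanently (blocked|suspended|closed)|within 24 hours|immediately|"
    r"verify your account|act now", re.IGNORECASE)
# Minimal HTML anchor matcher: captures href and the visible link text
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True for domains whose first label mimics the internal one
    (e.g. examp1e.com, example-com.net, example.com.evil.net)."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    label, internal_label = domain.split(".")[0], INTERNAL_DOMAIN.split(".")[0]
    if internal_label in label:
        return True
    return edit_distance(label, internal_label) <= 2   # heuristic threshold


def phishing_signals(raw):
    """Return the list of phishing signatures found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(addr)

    if name.strip().lower() in INTERNAL_NAMES and from_dom != INTERNAL_DOMAIN:
        signals.append("display-name impersonation of internal sender")
    if is_lookalike(from_dom):
        signals.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and sender_domain(reply) != from_dom:
        signals.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        signals.append("urgency language")
    for href, visible in ANCHOR.findall(text):
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        href_host = urlparse(href).hostname
        # Only compare when the visible text itself looks like a host name
        if shown_host and href_host and "." in shown_host and shown_host != href_host.lower():
            signals.append(f"link text shows {shown_host} but points to {href_host}")
    return signals


def is_suspicious(raw, threshold=2):
    """Simple verdict: two or more independent signals."""
    return len(phishing_signals(raw)) >= threshold


# Constructed sample messages (not real traffic)
PHISH = """From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: support@mail-recover.invalid
To: student@example.com
Subject: Error in your email account settings
Content-Type: text/html

<p>There is an error in your account settings. Follow the link below
immediately; otherwise access to your account will be permanently blocked.</p>
<a href="http://mail-recover.invalid/login">https://portal.example.com/settings</a>
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: student@example.com
Subject: Lunch
Content-Type: text/plain

Are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, is_suspicious(sample), phishing_signals(sample))
```

Each check is cheap and independent, so the message is not judged on any single heuristic; the lookalike check in particular is deliberately loose and is meant to raise a score for review rather than to block on its own.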
Ben Harkett, VP EMEA, RiskIQ.