Are you the weakest link? How scammers break businesses’ defences
Most people are familiar with phishing, but it has now spawned the equally evil vishing and smishing. Illustration: iStock
It starts with a click. An employee idly trawling through their emails clicks on something they shouldn’t. This sets off a chain reaction that culminates in a major data breach or a ransom demand with payment in untraceable cryptocurrency.
In this scenario employees can be an organisation’s strongest or weakest link. Keeping an organisation safe is something that should matter to all staff, not just those with access to sensitive information. One of the easiest ways hackers get access is by conning a vulnerable employee or one who doesn’t know any better into divulging sensitive information. This can then be built on and manipulated by the hacker to move sideways and upwards through an organisation potentially causing chaos along on the way.
Favourite targets for hackers? Utility companies followed by financial institutions. Favourite target within them? HR departments because of the constant influx of job applications and CVs.
The crux of the matter with cybersecurity training is that it can’t be a one-off. It has to be ongoing because, as fast as the hackers get closed down on one front, they find another.
Most people are familiar with “phishing” (the fraudulent attempt to acquire sensitive information) but it has now spawned the equally evil vishing and smishing. Vishing is where the scam is perpetrated by voice and smishing is by text message.
A classic example is the SMS that pops up on your phone supposedly from your bank. It tells you it has detected unauthorised activity on your account and invites you to “Click here” to authenticate. If you do, you’re in deep trouble.
Another trap set for the unwary is “angler phishing”. This is a relatively new phenomenon that has been the channel for an exponential rise in attempts over the past 12 months, according to Richard Lambe, senior security awareness consultant with Dublin-based BSI Cybersecurity and Information Resilience.
“The jump year on year is over 400 per cent and people haven’t a clue that they have been targeted.
Angler phishing involves a legitimate conversation being hijacked by a malicious individual. An example would be where a customer buys something, is unhappy with it and uses the company’s Twitter account to complain. In the background, however, the account is being monitored by a so-called “malicious actor” who spots the complaint, reproduces a Twitter page to look authentic and invites the customer to click a link to sort out the problem. Once again you’re in trouble if you do.
One possible way of spotting this kind of fake activity is to look at the time the reply was sent. Most businesses respond within office hours. If the reply is at an odd time, alarm bells should ring. “These malicious actors are relentlessly registering new domain names and indeed their activity outstrips legitimate registering by about 20:1,” Lambe says.
Social engineering is the psychological manipulation of people to perform certain actions or to divulge confidential information such as passwords or bank details.
“Social engineering is becoming much more targeted,” says Lambe. “In particular, we are seeing an increase in the targeting of VAPs (very attacked people) rather than VIPs (top tier management). VAPs are the most vulnerable within an organisation and most valuable as a result. They typically have access to information, whether financial or data-driven. HR departments, personal assistants to senior executives and those working in finance departments are all potentially particularly vulnerable.”
Lambe says many organisations fail to take even the most basic safety precautions. This includes making sure employees aware of the importance of not giving out information or to click on links, replacing simple passwords with something more robust, warning people not to open anything on a USB key unless they know its provenance and reminding employees not to close down their computers if they think they have been reeled in by a phish.
“If you think you’ve got a problem, bring it straight to the attention of the IT department,” he says. “If the device is shut down, you lose the forensic trail that might have enabled someone to track the origin of the hack and how it may have spread within the business.
Introducing two-step authentication is also key but Lambe says more than 60 per cent of cloud service users don’t utilise it.
“We also advise people to review passwords. It’s hard to believe, but even with all the high-profile data breaches we’ve seen, the most common password is still 12345.
“If people are at work and suspect a breach, talk to the service desk. If you’re at home, disconnect from the wifi straight away. If you’re backed up, wipe the device.”
Lambe says most organisations don’t realise how vulnerable they are until his company does a little phishing of its own. It agrees a content strategy with the client and a phishing mail is sent to a cohort of employees. This quickly shows up how savvy people are.
With one client, simulated phishing emails were sent to 12,000 employees. More than 1,200 people clicked on them, giving away company credentials.
“By equipping employees with the relevant knowledge companies can reduce organisational risk,” Lambe says. “This includes identifying the importance of password hygiene and the risks associated with having the same ones for work and for personnel accounts.”
Previously published in The Irish Times.
Check out Ireland's leading job here