Phishing – is your organisation safe?

  • In the UK, there were more than 3,500 unique phishing attacks last year
  • Public sector organisations are frequent targets of phishing attacks according to Verizon’s 2015 Data Breach Investigations Report
  • Organisations should educate employees on how to detect a phishing attack, and emphasise the importance of reporting fraudulent emails

Cyber crime is a growing challenge for public sector organisations, with latest police figures revealing there were 2.5 million cyber crimes in England and Wales over the past year.

Cyber crime cannot be countered by technology alone. Phishing attacks in particular require a combination of an effective human response and a technological solution.

“Organisations need to remember that without education, their employees remain a weak and obvious target.”
Janet Roberts, Zurich’s Head of Security Awareness, Group Information Security

Here, we examine why phishing is such a problem for public sector organisations, and the strategies that can be deployed to fight off phishing attacks.

The scale of the phishing threat

Verizon’s 2015 Data Breach Investigations Report reveals public sector organisations are particularly vulnerable to cyber attacks, with more than 300 incidents last year in which data was stolen from public sector organisations across the globe.

Successful phishing attacks can give hackers access to sensitive, personal data, which can be used for financial gain.

There have been numerous high-profile attacks in the UK, including one that led to the theft of £1.2 million from hundreds of students, and the recent £20 million Dridex Trojan attacks, which targeted British banks and government agencies.

In the UK, there were more than 3,500 unique phishing attacks last year.

Phishing attacks work because they target human vulnerabilities that exist in every organisation.

Janet Roberts, Zurich’s Head of Security Awareness, Group Information Security, says: “Cyber criminals rely on the possibility of human error when planning a phishing attack. Perhaps the person is in a hurry while reviewing emails and does not check before clicking on a link. Or perhaps they have not been educated about phishing and the risks it poses.

“Criminals may try to infiltrate a firewall or other system, but an organisation with robust technology can often prevent these types of attack. Organisations are investing heavily in preventative technology, which is good, but they need to remember that without education, their employees remain a weak and obvious target.”

The most common phishing attack is a deceptive email, but phishing can take many other forms.

Other examples include tricking users into downloading malicious software from a website, which then runs on the user’s computer and collects personal data.

A tool called a web trojan is designed to pop up invisibly when a user is logging into a website, so the details can be collected by the hacker. They may even create a “look alike” webpage to trick the user into believing they are entering their details into a trusted site.

Search engines can also be used to attract victims with enticing offers. Because people find these sites in the normal course of searching, they trust that they are legitimate.

Organisations need to be mindful of all of these methods, and others, that could be used to obtain their data. In this article we focus on the threat of email phishing and provide ways in which you can protect your organisation.

Fighting off phishing attacks requires a three-pronged approach: detection, reporting and technology.

1. How to detect a phishing email attack

Many fraudulent emails share common characteristics, such as:

  • A generic greeting – most organisations now have the ability to personalise emails with the recipient’s name
  • A threat to take action – banks, credit card companies or internet service providers wouldn’t notify somebody that their account was in danger via an email threat, but cyber criminals might
  • Requests for personal information – e.g. passwords, PINs or log-in details
  • Spelling/grammatical errors – grammatical or syntactical errors may give cause for suspicion, as may errors in the email address, such as a letter replaced with a number
  • Website and email addresses that don’t match up – one of the most basic, but important, phishing defences is to hover the mouse over a link (without clicking). The website URL will then appear on screen. Comparing this URL with the typed address will give a good indication as to whether the link is genuine
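
For IT teams triaging reported messages, four of the indicators above (all except spelling and grammar) can be checked automatically. The sketch below is an added example, not part of the original article; the trusted domain examplebank.co.uk, the keyword patterns and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"examplebank.co.uk"}        # assumption: domains you expect mail from
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # digits commonly swapped in for letters

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL, with or without a scheme
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw_email):
    msg = message_from_string(raw_email)
    body, found = msg.get_payload(), []
    if re.search(r"dear (customer|user|client|account holder)", body, re.I):
        found.append("generic greeting")
    if re.search(r"(suspend|clos|terminat|lock)\w* .{0,40}(within|unless|immediately)", body, re.I):
        found.append("threat to take action")
    if re.search(r"\b(password|PIN|log-?in details)\b", body, re.I):
        found.append("request for personal information")
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS and domain.translate(DIGIT_SWAPS) in TRUSTED_DOMAINS:
        found.append("look-alike sender domain")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:  # visible text that looks like a URL but leads elsewhere
        if re.match(r"(https?://|www\.)", text, re.I) and host(text) != host(href):
            found.append(f"link text {host(text)} points to {host(href)}")
    return found

SAMPLE = (  # constructed message, not a real phishing email
    "From: Example Bank <alerts@examp1ebank.co.uk>\nContent-Type: text/html\n\n"
    "<p>Dear Customer,</p><p>Your account will be suspended unless you confirm your password.</p>"
    '<p><a href="http://login.example.net/verify">https://www.examplebank.co.uk/login</a></p>')
```

Calling phishing_indicators(SAMPLE) returns all five findings; a personalised message from a trusted domain whose link text matches its destination returns an empty list.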

2. Importance of reporting phishing attacks

Organisations should establish clear mechanisms for staff to report suspicious emails to their IT department straight away.

If an employee has clicked on a link they suspect contains malware (unwanted/hostile software), prompt reporting will help the organisation to stop it from spreading. Even if the employee has not clicked on the suspicious link or attachment, reporting the incident will allow the organisation to investigate whether any other employees may have done so. The time it takes to detect and respond to an attack is critical.

Verizon’s 2015 Data Breach Investigations Report highlights how, in a majority of cases (60%), attackers are able to compromise an organisation within minutes of a successful data breach.

One study found that while 80% of organisations have a process for employees to report phishing, more than half (52%) of organisations say their staff report fewer than a quarter of the suspicious emails they receive.

It is therefore vital that organisations foster an environment in which employees understand their role in preventing phishing, and that employees are updated regularly on the latest phishing lures being used.

3. Importance of regular technology updates

Cyber criminals are continually adapting their methods to make their phishing lures harder to spot. Therefore, while a human line of defence can complement a technological solution, it cannot replace it.

As cyber security organisation Proofpoint observes in The Human Factor 2015 report on phishing: “While user education is an important tool, it cannot be the last line of defence: organisations should deploy automated defences capable of detecting and blocking threats that do not look or behave like previously known threats.”

Proofpoint’s research highlights that on average, one in 25 malicious messages is clicked on, and that this ratio remains almost exactly the same regardless of an organisation’s size or how many malicious messages it receives.

Cyber criminals realise that if they persist in their attacks, they are more likely to eventually find a soft target. Organisations that have built a human line of defence to back up their IT solutions will be best placed to minimise the risk of becoming the criminals’ next victim.