As Russia welcomed the warmth of spring last March 2018, dozens of banks experienced a phishing attack from a hacker group called Silence. The sender of the email was disguised as FinCERT, Russian Central Bank’s security arm. The emails had attachments that claimed to help standardize digital communication across all banks. In reality, the files contained Silence’ downloader to exfiltrate important data.
Phishing, among other hacking tactics, has plagued individuals and companies since the 1990s. Because the act requires both artistry and technical know-how, vulnerable institutions are more prone to giving away information because of their lack of error-checking. Fighting against a different level of skill requires both cybersecurity awareness and a fortified system.
Phishing is a fraudulent method of trying to obtain sensitive information through impersonation and sending deceptive messages. A malicious actor reaches out to the victim through email or call that appears to come from a reputable source aimed at stealing information or installing a malware. The Phishing attacks have been at the root of some of the biggest, headline-grabbing breaches in recent years including a wide-spread attack against Gmail in 2017, the Ukrainian power grid attack in 2015, and the Target scam in 2013.
Because the ‘phisher’ looks trustworthy, the victim is more likely to give out confidential information or download a file that compromises company’s security.
This is the most common type of phishing, where the attacker will try to obtain sensitive information through call or email, asking the victim to provide details or verify information.
This tactic targets specific individuals; through social engineering, the attacker customizes the information in the email or call, making the message extremely authentic to the target. Spear phishing is often used to infiltrate a company by obtaining access through company’s employees.
This is a specialized type of spear phishing that targets individuals from the executive level of the corporation. Because CEOs or managers have access to highly sensitive information including trade secrets, hackers are more likely to obtain valuable information if they are successful. Therefore, this process takes a considerable amount of time to profile the “big” victim and find the correct time to conduct the attack.
This is another advanced level of phishing, where attackers infect a website’s DNS server or a person’s computer. Once a user tries to access the website, they are sent to a fraudulent one instead.
Before diving into the different ways, a company can fortify its systems and network to prevent phishing, it is important for everyone in the business to stay vigilant. Be alert for suspicious errors and inconsistencies in emails or calls. This could save the company from possible data breaches or data loss. Therefore, it is imperative to be more alert and try to identify:
To keep a company, secure from phishing scams, here are three steps:
Have a list of all the equipment and software owned by the company and properly monitor each of these. Infected computers or laptops can compromise overall security, so it is important to check that all devices are compliant with the company’s current cybersecurity standards. This means installing the most up-to-date firewall protection, antivirus, and anti-spyware software.
Once the right tools have been installed, keep important files and data backed up on an external hard drive or a secured cloud storage service. Organizations should develop a yearly or quarterly back-up routine as a preventive measure.
Be sure to encrypt important information stored online to keep it safe from outsiders. Incorporate Data Loss Prevention (DLP) tools to further secure data. When receiving emails, employees should also apply spam filters that help detect suspicious senders or viruses. All of this will discourage phishers from infiltrating the network because there will be no weak links or faulty devices.
Companies cannot predict when security breaches will occur. But it is possible to develop a plan that serves as a guideline in the event of a security breach and helps mitigate the impact. This written management document should include instructions, recommendations, and considerations for a company on how to recover after an attack or disruption.
No matter how sophisticated IT security defenses are, one weak link will endanger company’s information and information systems. Efforts should be made to help employees understand their roles and responsibilities in safeguarding sensitive information and protecting organization’s resources. This will involve providing security awareness training coupled with periodic workshops aimed at increasing employees’ ability to identify and avoid risks.
While phishing is becoming a common threat to financial institutions, staying vigilant and secure will prevent great crises for the company. This is not only for the company’s security but also for the customers who rely on these businesses.
Wilson Consulting Group is a cyber security firm that aims to provide companies the solutions to keep their systems secure. Our Risk Management and Assessment Services identifies, evaluates, and responds to your network’s risks.