Mike Brett of Consult MB Ltd was asked to write an article for the Somerset Chamber of Commerce’s magazine, Somerset Voice. The article is reproduced below. Phishing is a relatively old topic but it remains very relevant, and should feature at, or near, the top of any list of topics for staff awareness training.
I sometimes come across customers who have a security policy for absolutely everything. They spend significant sums of money on advanced technical controls and are supported by dedicated IT professionals. Yet, somehow, these organisations still get hacked, and invariably it starts with an indiscriminate, untargeted phishing attack.
Phishing used to be defined as an attempt to trick someone into giving information away over the Internet or by email. That still holds true, but these days phishing emails frequently contain attachments or website links that are intended to lure the recipient into inadvertently installing malware onto their computer. Typically, that initial malware is just a foot in the door, and more advanced malware will follow.
The lure of phishing emails deliberately exploits both the best and worst features of human nature. People can be trusting, willing to help others and inquisitive. They can also be greedy, lazy, intimidated or coerced into making rash decisions. Phishing may exploit any of those characteristics to achieve the desired aim: to get your employee to open the attachment or click on the link.
Indiscriminate phishing may, for example, send an email to 100,000 random recipients demanding immediate payment of the invoice attached. If only 1 in 100,000 recipients is pressurised into opening the attachment, the phisher may have succeeded. If that recipient works in your company, let’s hope your technical controls are good enough to counter what happens next.
Often the greatest illegal gains are achieved via targeted phishing, known as ‘spear-phishing’. This is when a mail is cleverly crafted to bamboozle a specific individual. If that person is very senior in the organisation, this is known as ‘whale-phishing’.
You can buy software to analyse incoming email, but it may not provide perfect phishing detection. Instead, I suggest the focus should be on the potential victims, i.e. your staff. As such, I recommend that you conduct frequent and interesting staff awareness training. In April 2019 the National Cyber Security Centre introduced ‘Exercise in a Box’, a free online awareness training tool that includes a phishing attack exercise. Please check it out… but not if it arrives as a link in an email from a stranger.
Mike Brett, CISSP, works as a Cyber Security Consultant for Consult MB Ltd.