Mike Brett of Consult MB Ltd was asked to write an article for the Somerset Chamber of Commerce’s magazine, Somerset Voice. The article is reproduced below. Phishing is a relatively old topic but it remains very relevant, and should feature at, or near, the top of any list of topics for staff awareness training.
I sometimes come across customers who have a security policy for absolutely everything. They spend significant sums of money on advanced technical controls and are supported by dedicated IT professionals. Yet, somehow, these organisations still get hacked, and invariably it starts with an indiscriminate, untargeted
Phishing used to be defined as an attempt to trick someone into giving information away over the Internet or by email. That still holds true, but these days phishing emails frequently contain attachments or website links that are intended to lure the recipient into inadvertently installing malware onto their computer. Typically, that initial malware is just a foot in the door, and more advanced malware will
The lure of phishing emails deliberately exploits both the best and worst features of human nature. People can be trusting, willing to help others and inquisitive. They can also be greedy, lazy, intimidated or coerced into making rash decisions. Phishing may exploit any of those characteristics to achieve the desired aim: to get your employee to open the attachment or click on the link.
may, for example, send an email to 100,000 random recipients demanding immediate payment of the invoice attached. If only 1 in 100,000 recipients is pressurised into opening the attachment, the phisher may have succeeded. If that recipient works in your company, let’s hope your technical controls are good enough to counter what happens next.
Often the greatest illegal gains are achieved via targeted phishing, known as ‘spear-phishing’. This is when a mail is cleverly crafted to bamboozle a specific individual. If that person is very senior in the organisation, this is known as ‘whale-phishing’.
You can buy software to analyse incoming email, but it may not provide perfect phishing detection. Instead, I suggest the focus should be on the potential victims, i.e. your staff. As such, I recommend that you conduct frequent and interesting staff awareness training. In April 2019 the National Cyber Security Centre introduced ‘Exercise in a Box’, a free online awareness training tool that includes a phishing attack exercise. Please check it out… but not if it arrives as a link in an email from
Mike Brett, CISSP, works as a Cyber Security Consultant for Consult MB Ltd.