Fighting phishing over the festive season
This festive season, phishing is once again likely to be a popular pastime for cyber criminals, and it is crucial for businesses to protect their employees from taking the bait. Phishing mails promising Christmas sales, special offers, funny holiday memes and even mails tugging at the heart strings and encouraging people to donate to a worthy cause in this time of giving are rife, and are carefully crafted to evade all but the closest scrutiny.
Jessica Kruger, Product Marketing Manager at Tarsus On Demand, says other popular lures employed by phishers, are current news and events. “For example, messages claiming to be news from the Presidency with updates on lockdown regulations or travel bans are practically irresistible to most of us.”
According to her, phishers cast their nets widely, using a “mud against the wall” approach in the hopes that something will stick, and will use any tricks at their disposal. “And it works. In fact, the vast majority of cyber attacks begin with a phishing e-mail. Moreover, following a nearly two-year period in which many employees have transitioned to working from home environments which make them potentially even more vulnerable to cyber-attacks, the festive season is likely to see these threats reach a new level.
"At a glance, the dangers of phishing seem apparent. Losing money, data or proprietary intellectual property is something that organisations can ill-afford at any time. At the same time, over and above those initial impacts, lie a host of reputational risks as both employees and customers won’t trust businesses who are unable to keep their information secure, not to mention hefty fines faced should they be found to have breached data regulations such as POPIA or GDPR.”
However, that’s not all, she adds. “Phishing is also used to spread malware, such as credential stealing Trojans, or ransomware, which can see a company’s systems and data being locked down in exchange for a large ransom, usually in Bitcoin.”
One way to prevent phishing is to make sure staff members are properly equipped and aware of the dangers they face, so they can identify a phishing scam and avoid being reeled in. “Many may think business e-mail accounts are less vulnerable to phishing, as companies tend to have better security solutions in place, but this isn’t the case. In fact, as the lines between the personal and business use of devices blur, phishing becomes an even greater danger. For hackers, infiltrating a business device is infinitely more rewarding and valuable than a personal one, so no one should be complacent.”
Kruger says when it comes to phishing, attacks aren’t necessarily complex or sophisticated, but rather depend heavily on user error. “Businesses should encourage their users to carefully check e-mail addresses, and be cautious if the address isn’t the usual one the sender uses. Similarly, they should look for misspelled words in e-mail signatures, as well as in the links that claim to be from legitimate organisations. Spoofed domains and subtly adjusted e-mail addresses slip through the security nets more often than one might think, so everyone need to be vigilant.”
This, she says, is why training and education should be a priority for all companies. “Instilling strong and robust line of defence among employees will go a long way towards mitigating human fallibility. In addition, always backup and restore from the cloud to ensure no important data is permanently lost.” Businesses should also ensure they have the right security tools and solutions in place, says Kruger. These include identity and access management to control access and identity particularly in a time where so many employees are logging in remotely. “For example, should the company be aware an employee is based in Joburg, yet a mail is coming from an IP address in Cape Town, this IP address can be blocked.”
In addition, she recommends implementing multi-factor authentication (MFA) as another layer of security. “With MFA, when logging into a PC, the user might have to authorise through another device, or be sent a token to do the same.”
However, as security solutions evolve, attackers do too, adapting their tools and tricks to remain undetected. Attacks that are carefully crafted to evade traditional security solutions are rife, so businesses need to focus on more integrated security solutions. “They need to prioritise the right risks, and employ tools such as artificial intelligence (AI) and automation to root out threats as quickly as possible. Safeguarding data needs to cover applications, endpoints and environments, both on-premise and in the cloud.”
She says the standards-based or known signature and reputation-based solutions are no longer effective, and organisations need solutions that feature rich detonation capabilities for files and URLs in order to prevent attacks. “Advanced solutions that feature AI and machine learning capabilities that scrutinise the content and headers of e-mails as well as send patterns and communication graphs are critical when it comes to preventing a wide range of attack vectors such as business e-mail compromise. Solutions that have the ability to learn and adapt to shifting attack strategies are key in an ever-changing threat landscape.”
Tarsus on Demand has the ability to provide the best-in-breed security software solutions.