Helping people understand a cyber crook's thinking is your first defence against phishing


Johannesburg, 29 Mar 2019
Read time 5min 20sec

Ransomware attacks worldwide rose by 350% from 2016 to 2017 (1), says a recent special report by SC Magazine, sponsored by Cofense, a provider of intelligent phishing defence solutions.

"Security professionals constantly invent better mousetraps, but the mice never stop evolving," is Josh Bartolomie's first statement in the report. The director of research at Cofense goes on to ask: "If the 'mice' keep evolving, how exactly can organisations stop attacks?" (2)

Anton Jacobsz, CEO at value-added distributor Networks Unlimited Africa, a distribution partner with Cofense in sub-Saharan Africa, says phishing attacks rely on a single moment of inattention or ignorance. "A link is presented and, if it's followed, can become front-page news," he says. "Even for savvy technology users, a moment of inattention can result in horrendous consequences. We know that if a business's IT infrastructure is able to stop employees from receiving the bait in the first place, no one can bite.

"But what about the phishing messages that make it through? Yes, cyber crooks are continually evolving their approaches, but ongoing user education will ensure that even the people least comfortable with computers understand how to identify, report and avoid the threat, and that has got to be a good thing."

People have been receiving requests for assistance from Nigerian princes for as long as one can remember, says Jacobsz. They are the source of many jokes and memes to those in the know, yet these attempts still find (and fool) everyday people. The approach survives because it relies on human flaws instead of flaws in computer software or hardware, and phishers are experts at the art of confusion.

The report clarifies: "[They] confuse people into inputting passwords or other credentials the attackers want ... it's all about and around social engineering; getting or tricking somebody into getting or giving you something you normally would not want to do." (3)

Why do people still fall for phishing?

How is it that people are still falling for phishing, vishing (telephonic), smishing (SMS phishing), pharming (Web site interception and redirection) and whaling scams?

According to the report (4), phishing e-mails and Web sites are often extremely convincing. Usually, the only way to tell if a message is legitimate is to hover over the links in the message with a mouse. But even then, the link might be so familiar that most message recipients wouldn't flag the message as fake.

"Defeating these cyber crooks often means understanding them, and while we all think hackers are evil geniuses, thanks in part to Hollywood movies, learnings thus far show that they're usually just a person apparently standing in front of another person asking for help," says Jacobsz. "Usually, this request is for the delivery of money, and perhaps less usually, it's delivered hand-in-hand with a threat of some kind."

The most recent example of mass spear phishing is one that saw an attacker e-mail ordinary people, mentioning a compromised social media password. The message claimed the user's e-mail password was the same as the compromised password, but offered to leave the e-mail account alone in return for a ransom.

"Because most humans still use the same password for everything, the attack has probably scared at least a few people into paying up," says Jacobsz.

Phighting the phishing phenomena

He advises that the secret is to reduce vulnerabilities within the organisation as much as possible.

"Two-factor authentication and strong password security are musts, but these steps are only the beginning," says Jacobsz. "The best defence is combining security awareness training with good technology."

The report says that by making it technologically more difficult to execute attacks, we give IT defenders a wider window in which to stop the attack from running through the network, minimising damage (5).

However, Cofense's Bartolomie says that when it comes to humans, and the threatening e-mails that do slip through the cracks, attackers seem to target lower-ranking employees with mock demands, perhaps in the form of a message supposedly from a senior business executive. This method has proven very successful.

"Executives are also major targets in and of themselves in that they might have more in-depth access than other employees."

Another contributor to the report, Matthew Verhout, vice-chairperson of the Email Experience Council, says there are four ways to fight phishing, as follows (6):

1. Get educated. Consider investing in phishing awareness training for employees.
2. Improve business processes. When dealing with large monetary transfers, build a secondary verification into the process.
3. Invest in solid technology. A good anti-spam product is the first line of defence and will help catch many fraudulent e-mails before they reach the inbox.
4. Craft a response plan. Mistakes happen. Knowing a plan is in place in the event of a successful phishing attempt will rally an organised approach to minimising the attacker's access.

"It is a shared statement throughout the paper: the best defence is making employees see the benefits of joining the company's protection efforts," says Jacobsz. "Transparency and ongoing communication and education can help. Another idea would be to publicly acknowledge employees who have spotted suspicious messages and share examples of what these attacks look like via the company newsletter, so people know what types of communication to avoid."

"As Bartolomie says in the report, and I paraphrase, the mice might keep evolving and companies can get better at not leaving cheese out, but we must all keep working on better traps," he concludes.

To learn more about Cofense's phishing incident solutions, please visit: https://networksunlimited.africa/products/security/cofense

1 https://cofense.com/whitepaper/phishing-think-like-cybercrook/ (published by SC Magazine)
2 Cofense all rights reserved
3 SC Magazine all rights reserved
4 SC Magazine all rights reserved
5 SC Magazine all rights reserved
6 SC Magazine all rights reserved

Cofense

Cofense, formerly PhishMe, is the leading provider of intelligent phishing defence solutions worldwide. Cofense delivers a collaborative approach to cyber security by enabling organisation-wide engagement regarding active email threats. Our collective defence suite combines timely attack intelligence, sourced from employees with best-in-class incident response technologies, to stop attacks faster and stay ahead of breaches.

Cofense customers include Global 1000 organisations in defence, energy, financial services, healthcare and manufacturing sectors that understand how changing user behaviour will improve security, aid incident response and reduce the risk of compromise. To learn more, visit https://cofense.com/.

Networks Unlimited Africa

Networks Unlimited Africa is a value-added distributor, offering the best and latest solutions within the converged technology, data centre, networking and security landscapes. The company distributes best-of-breed products, including Attivo Networks, Cofense, Carbon Black, Fortinet, F5, Hypergrid, Mellanox Technologies, NETSCOUT, NETSCOUT ARBOR, ProLabs, RSA, Rubrik, SevOne, Silver Peak, Thales and Uplogix.

The product portfolio provides solutions from the edge to the data centre, and addresses key areas such as cloud networking and integration, WAN optimisation, application performance management, application delivery networking, WiFi, mobile and networking security, load balancing, data centre in a box, and storage for virtual machines.

Since its formation in 1994, Networks Unlimited Africa has continually adapted to today's progressively competitive and evolving marketplace, and has reaped the benefits by being a leading value-added distributor (VAD) within the sub-Saharan Africa market.

Editorial contacts
icomm Vivienne Fouche (+27) 082 602 1635 vivienne@pr.co.za
Networks Unlimited David Wilson (+27) 011 202 8400 david.wilson@nu.co.za