In the current climate we live in with many of us working remotely or from home, the importance of security awareness has increased drastically. It is known and has been publicised that much of cyber risk can be associated with a potential lack of a security aware culture. An Irish Times newspaper article in September 2020 described how human error is a major driver of cyber incidents and the financial losses around them – which accounts for 95% of all breaches.
By Louise O’Sullivan, ICT Security Services Manager at HEAnet
One key technique used in creating cyber incidents is to engineer humans by phishing. Phishing can be defined as an electronic mail (e-mail) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering (ISACA).
How can Phishing affect us?
Phishing is becoming more sophisticated and the examples below will outline how this happening
- Gift card scams are on the increase across several sectors. This normally occurs when a senior member within an organisation has their email spoofed. The scammer then usually sends an email to someone else. Typically, either someone new within the organisation or a junior staff member. It may occur when the person spoofing the email states that they can’t be contacted as they are in a meeting and could the victim help them discreetly. The email may go on to say it is a family members birthday, could the victim buy the gift card and they will be reimbursed.
- Information scrapping. Searching and scrapping for a company’s information online through the company website, employee’s LinkedIn pages and extracting key uniquely identifiable information assists the scammers. The scammers will then use that information, incorporate this into phishing emails and potentially use this unique information when trying to de-fraud a company
- Invoice re-direct is another element that is on the increase. In August 2020 the Bank of Ireland reported to the Garda National Economic Crime Bureau (GNECB) that a business customer of theirs had been the victim of an invoice re-direct fraud and had lost just over €2.1m. An Garda Siochana (policing body in Ireland) state that criminals send emails to businesses purporting to be one of their legitimate suppliers. These emails usually would contain an instruction to change the bank account details that the business has for a legitimate supplier, to bank account details that ultimately benefit the criminals. These requests have also come by way of letter or phone call so caution should be attached to any request of this nature.
- Sense of Urgency / very pushy type emails can cause or create a sense of embarrassment on the user receiving the email. We have come across some phishing emails that are threatening the victim by using information from previous breaches to add a sense of reality about an email. For example, one case is where passwords that were breached in previous incidents appear in the email which give the user the feeling that the email Is legitimate.
- Covid-19 specific phishing campaigns conducted by malicious actors who are using a variety of techniques including phishing and SMS messaging to exploit the pandemic for financial gain. For example, one type of text that has been prominent is a message pertaining to be from contact tracings, it attempts to lure the user into clicking the link and asking them to make a payment to get a covid-19 test done.
Ways in which we can help our organisations with phishing
- Phishing simulation or testing is where deceptive emails are sent by an organisation to their staff to determine the response to such phishing attacks. It is a way in which a company can create awareness to phishing emails in a controlled manner. It is imperative that when creating a campaign, it is believable but also that it is a positive learning experience
- A ‘No blame’ culture also needs to be emphasised and implemented. Users need to feel comfortable should they inadvertently click on a link or feel that they may have fallen victim to a phishing campaign
- We also encourage people to report any potential email they think is suspicious. Several organisations use a phishing mailbox which focuses directly on battling against phishing emails
- At HEAnet we provide this phishing simulation service and our aim is to upskill staff and learn from these phishing simulations. A key learning objective is that if members of staff do succumb to a phishing email as part of the campaign is that there is training available to them to ensure that they would know what to look out for in the future.
Phishing attempts are becoming more sophisticated as the examples have outlined above. By highlighting these attempts together with creating awareness around the trends we can try to reduce the occurrence of phishing attacks.
About the author
Louise O’Sullivan is the ICT Security Services Manager at HEAnet; Ireland’s National Education and Research Network. She holds both a degree and Masters from NUI, Galway and is a certified CISA auditor and Lead ISMS Implementer. Her background is primarily in IT Audit, Security consulting and Cyber Security working in companies including Deloitte, AON and PwC.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020