How to Respond to Increasingly Targeted Phishing Attacks
This article first appeared on Hedgeweek as part of their 'Cybersecurity in Europe 2017' Special Report.
According to the PhishMe 2016 Q3 Malware Review, the proportion of phishing emails carrying ransomware grew to 97.25 per cent in Q3 last year. The threat is becoming more sophisticated and more targeted, and the frequency of attacks is at an all-time high.
"As people become better aware of what a phishing attack is, so the sophistication of attacks targeting individuals and organisations becomes greater," says Dean Hill, Executive Director, Eze Castle Integration.
This growing sophistication is also driven by organisations' continued investment in security technology, which makes it harder for hackers to breach them by other means. The result is, in effect, an arms race between organisations and hackers, each trying to stay one step ahead of the other.
Stephen Banda is Senior Product Manager at Eze Castle Integration. Discussing the more targeted nature of phishing attacks, he says: "They are doing a really good job of mimicking an email that might genuinely have come from the CEO. It's difficult for the recipient to discern this unless they really take care to look at the email signature – is there a 1 being used instead of an I, for example, in the person's email name?"
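One way a mail-security or SOC team can screen for the kind of look-alike sender Banda describes, as an added example that is not code from the article or from Eze Castle Integration: it folds commonly confused characters (1/I/l, 0/O and so on) in the display name and address local part, then compares the result against a directory of known staff. The staff directory, domain and headers below are constructed samples, and the confusable mapping is an assumption rather than a standard.

```python
"""Flag From: headers that impersonate known staff via look-alike characters."""
import re
from email.utils import parseaddr

# Characters commonly swapped for one another in look-alike names. Each is
# folded to one canonical letter so that "1", "I" and "l" compare equal
# (assumed mapping, not a standard; extend as needed).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o",
                             "5": "s", "$": "s", "3": "e", "8": "b"})
# Multi-character look-alikes, applied after the single-character fold.
PAIRS = [("rn", "m"), ("vv", "w")]

# Constructed sample directory of known senders (not real addresses).
STAFF = {"Dean Hill": "dean.hill@example.com",
         "Stephen Banda": "stephen.banda@example.com"}
CORPORATE_DOMAIN = "example.com"


def skeleton(text: str) -> str:
    """Reduce a display name or address local part to a confusable-insensitive key."""
    s = text.lower().translate(CONFUSABLES)
    for src, dst in PAIRS:
        s = s.replace(src, dst)
    return re.sub(r"[^a-z]", "", s)  # drop dots, dashes and spaces


def check_sender(header: str, staff: dict = STAFF,
                 corporate_domain: str = CORPORATE_DOMAIN) -> dict:
    """Classify a From: header as ok, lookalike (resembles a known person
    without being their real address) or external."""
    display, addr = parseaddr(header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    if addr in (a.lower() for a in staff.values()):
        return {"verdict": "ok", "impersonates": None}
    for name, real in staff.items():
        real_local = real.lower().split("@")[0]
        if skeleton(local) == skeleton(real_local) or skeleton(display) == skeleton(name):
            return {"verdict": "lookalike", "impersonates": name}
    if domain != corporate_domain:
        return {"verdict": "external", "impersonates": None}
    return {"verdict": "ok", "impersonates": None}


if __name__ == "__main__":
    for h in ["Dean Hill <dean.hill@example.com>", "Dean Hill <dean.hi11@example.com>",
              "Dean Hill <ceo@gmai1.com>", "Vendor <billing@supplier.net>"]:
        print(f"{h:40} -> {check_sender(h)}")
```

A "lookalike" verdict is a triage signal for the reporting path described later in the article, not proof of an attack; a genuine external sender who shares a name with a staff member will also trip it.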
To help firms deal with the ongoing phishing threat, Eze Castle Integration offers what it calls Eze Managed Phishing & Training: simulated phishing campaigns designed to test employees' susceptibility to phishing.
"We will send emails to clients that look very similar to their day-to-day work emails. We have a huge library of phishing campaigns and we have the ability to customise them based on input from our clients," confirms Banda.
In those emails, Eze Castle Integration asks the recipient to click a link, download an attachment or enter login credentials. Whatever the prompt, the aim is to see whether they fall for it: the moment they click a link, for example, they have failed the exercise.
"At that point they are presented with a learning page, which tells them it was a simulated phishing test and advises them on things to look out for in future, depending on the nature of the email," says Banda.
This managed phishing service is proving invaluable to organisations as they look to develop internal best practices. The better trained staff are, the more likely they are to respond to a phishing attack the right way: escalating it to their COO or to their outsourced IT vendor.
"For each of the Eze Managed Phishing reports we produce, executives get a firm-wide view on how their employees are doing, what the overall level of awareness is, and the extent to which they are improving over time.
"We also have an online training service that goes through some of the key concepts from a cybersecurity awareness standpoint, with an assessment at the end. This too can be tracked by the client," explains Banda.
Ultimately, concludes Hill, every incident response plan should have clear instructions on how to report a phishing email:
"What does it look like? When did it happen? What were the contents of the email? Then, there needs to be a proper notification process within the firm – who do you go to when you've identified one of these emails? There has to be a verification path to determine what a potential phishing attack looks like."