Phishing scams are on the rise, posing a real threat to firms worldwide. It is therefore imperative that firms and their associates are well equipped to protect sensitive information.
In a recent webinar, Eze Castle Integration’s Senior Product Manager Steve Banda and Product Manager Evelyn Villemaire shared insights around the threat landscape affecting firms. They also let listeners in on some top tips to combat phishing and social engineering. Below is a summary of the content covered as well as the full webinar replay.
Cyber Threat Landscape
It is important that firms identify the different forms of intruder attacks that could affect them, and the unique measures used to combat each type effectively. Threats include:
Physical security attacks
External hacking and denial-of-service (DoS) attacks
Insider data leakage and theft
Mobile device theft
Social Engineering and Phishing
Social engineering is when human trust is exploited to obtain sensitive information. Phishing is the most common form, where attacks tend to stem from email, telephone or text messages.
73% of breaches are financially motivated
66% of malware is installed via malicious email attachments
Social engineering methods are used in 43% of all breaches
Other deceptive social engineering methods used to target firms include, but are not limited to:
Pretexting – for example, a phone call in which the caller lies about their identity to persuade the target to share sensitive data.
Water holing – a targeted attack on a chosen group of individuals within a firm, or on individuals across organisations in a specific industry, to gain access to specific data.
Tailgating – when someone without access follows an associate who has authorised access into a secure area of an organisation, or into an event, in order to reach confidential information.
Vishing – voice phishing, commonly an automated call asking the recipient to select options on their phone keypad in response to the questions asked.
Social Engineering Life Cycle
Intruder attacks are most often strategic and well planned, consisting of four phases:
Investigation – the hacker identifies their victim(s), conducts research on them and selects the appropriate attack method(s)
Hook – target firms are engaged and deceived
Play – information is obtained over a period and the attack is executed
Exit – the interaction is brought to a natural end and all traces of malware are removed to cover tracks
Phishing Scam Case Study
Target: 31 terabytes of data were stolen from 144 American universities, 36 American companies, 5 American government agencies.
The attack: Nine people were involved in planning and carrying out the attack, using phishing emails spoofing professor names.
Motivation: The data was stolen with financial motivations, and sold to Iranian public universities for $3.4 billion.
Four Proactive Tips
Firms should follow these four tips to protect themselves from social engineering attacks:
Evaluate available security safeguards
Conduct security training
Establish an incident response program
Emphasise a culture of security
It’s always better to be safe than to be sorry.