The business of phishing scams: how to defend your data
Regular businesses, their leaders and their people are feeling the effects of increasingly sophisticated cyber attacks every day — and now it’s getting personal. Highly targeted spear phishing attacks and business email compromise (BEC) scams are manipulating unsuspecting employees and accessing sensitive data at an alarmingly rapid rate.
As these personalised attacks become more widespread, antivirus and internet security company ESET believes it has never been more important for business leaders to manage their vulnerabilities and arm their people to fight against the ever-evolving strategies of cybercrime. To help with that, ESET’s experts are here to advise…
From spotting a phishing scam to coordinating your security strategy with stakeholders, find out how to implement security best practices to protect you and your business from the latest in phishing and other email attacks.
What are BEC scams and how do they work?
According to Mimecast’s State of Email Security Report 2019, email is the largest single attack vector on the planet. Email impersonation attacks and BEC scams are among the fastest-growing threats facing businesses today.
BEC is a type of ‘social engineering’ cyber attack that, like basic phishing tactics, takes advantage of common human traits and compulsions — things like politeness, responsiveness and a fear of authority. Cybercriminals are taking advantage of these types of traits in a big way — but their attacks often start out small.
BEC scams use cunningly friendly, personalised email messages to target and trick unwitting employees into giving up confidential information, or even redirecting direct deposit funds into a scammer’s account.
Many of these attacks target key employees and C-level leaders, as well as individuals working in HR and finance — and the aftermath can be extremely stressful, embarrassing or even career-damaging for the victims.
When the business of hacking gets personal
Phishing and BEC campaigns are becoming increasingly widespread and ambitious. According to Mimecast, 67% of organisations have seen the volume of impersonation attacks increase, and 73% of impersonation attack victims experienced a direct loss as a result — and that was just in the last 12 months.
A recent report by Agari Data revealed how multinational gang London Blue imitated the company email address of a CEO in order to add urgency and authenticity to their email attack messages. The group was even able to obtain the names and email addresses of targets from legitimate sources, such as companies typically paid to provide contact information for regular marketing operations.
Such sophisticated tactics have seen email attacks make their way to the top of command chains around the world — even senior White House advisors have been fooled. So how can you defend your data against this increasingly sophisticated and common threat?
Protecting yourself and your business
With increasingly sophisticated cyber attacks coming from all angles, ESET says it’s crucial for people to maintain a strong defence — especially if you’re a business leader. You need to be able to protect not just your personal data and finances, but also those of your business, employees and, where applicable, customers.
So how can you keep your business, your people and your finances safe?
1. Know what to look for
If you’re an executive, or work with sensitive company information such as human resource or financial data, you need to be prepared for the possibility of a targeted attack. Educate yourself on the latest cybercrime trends, and know what to look out for. Seeing where your biggest threats are coming from is critical to preventing a breach.
Always check an email sender’s ‘from’ address to validate legitimacy. Email attackers often use popular public email services, such as Gmail, mail.com, AOL or Hotmail, as the source of their spear phishing messages — so if you’re getting an unexpected email from what is claimed to be your CEO’s personal account, think twice. Look-alike domain names are also commonly used, with one popular tactic being to use Colombian domains that end in .co in place of legitimate .com domains. And be careful: hackers will even include details like a ‘Sent from my iPad’ note in their emails — making you think your boss is simply working from home. These kinds of tricks can lower your guard.
Report suspicious incidents to your team, security partner or local officials immediately — and if something doesn’t seem right, think before you click, pay or respond.
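The sender checks described in this section (public webmail sources, .co look-alikes of the company domain, and a display name that claims to be an executive) can be turned into a simple triage heuristic. The following is an added example, not ESET’s code or product; the organisation domain, the executive name list and the sample headers are constructed for illustration.

```python
"""Heuristic From-header triage for the spear-phishing cues described above.

Added example, not ESET's code. ORG_DOMAIN, EXEC_NAMES and the sample
headers are constructed assumptions for illustration.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed corporate domain (constructed)
# Public webmail services the article names as common spear-phishing sources.
FREE_MAIL = {"gmail.com", "mail.com", "aol.com", "hotmail.com"}
# Executives whose names an impersonator is likely to borrow (constructed).
EXEC_NAMES = {"jane doe"}


def lookalike_domain(domain: str) -> bool:
    """True if `domain` is the org domain with its TLD swapped (e.g. .co for .com)."""
    org_label, org_tld = ORG_DOMAIN.rsplit(".", 1)
    label, _, tld = domain.rpartition(".")
    return label == org_label and tld != org_tld


def check_from_header(header: str) -> list[str]:
    """Return the warning cues found in an RFC 5322 From header value."""
    name, addr = parseaddr(header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return ["unparseable sender address"]
    cues = []
    if domain in FREE_MAIL:
        cues.append(f"public webmail sender ({domain})")
    if lookalike_domain(domain):
        cues.append(f"look-alike of {ORG_DOMAIN} ({domain})")
    # Display name claims an executive, but the mail did not come from the org domain.
    if domain != ORG_DOMAIN and any(n in name.lower() for n in EXEC_NAMES):
        cues.append(f"display name {name!r} does not match an internal sender")
    return cues


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three suspicious.
    for sample in (
        '"Jane Doe" <jane.doe@example.com>',
        '"Jane Doe (CEO)" <jane.doe.ceo@gmail.com>',
        '"Jane Doe" <jane.doe@example.co>',
        "Accounts <billing@supplier.net>",
    ):
        print(sample, "->", check_from_header(sample) or ["no cues"])
```

The heuristic is a triage aid for a mail filter or SOC playbook, not a verdict: a clean result only means none of these particular cues fired.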
2. Minimise human error
No matter how sharp your employees are, they will often be your biggest cybersecurity risk. Internal threats — mostly accidental — can be even more dangerous than software flaws and vulnerabilities. To protect your company from an attack, it’s important to train your employees on the latest strategies being used by cybercriminals and ensure they know what to look for to avoid being manipulated.
Organise company-wide training in cybersecurity, or an online lesson or video, to help raise awareness. Hand out a printed list of safety tips, or leave helpful notes around the office.
3. Have a cyber resilience plan
Ensure you have a clear cybersecurity policy and response plan set out — and be sure to coordinate with any partners, suppliers or stakeholders that share the same networks as you.
Having additional cybersecurity in place, such as email-filtering software, will help protect you and your business against email cyber-breaches. If you’re unsure what kind of solution is best for you, consider getting professional security advice or trialling some cybersecurity solutions.
If you’re serious about the strength of your cybersecurity, you need antivirus software that will protect your devices, network and systems from the ever-evolving tactics of cybercrime.
Make sure your chosen software not only offers protection, but also flexibility. For all-in-one security, check out ESET Business Solutions today and rest easy knowing your defence is rock solid.