How to avoid the risk of taking phishing bait

Users need to be aware of the threats and be trained to easily recognise malicious e-mails.

A mistake by a single employee can open the door for hackers to steal data, plant malware or commit other malicious acts. Even high-ranking executives may find themselves opening e-mails that they previously thought were safe.

PHISHING is so-called for good reason. Cyber criminals spend their time and ingenuity fishing for an organisation's confidential information, and a disturbing number are successful - so much so that phishing has become a principal security concern for technology and business managers.

A recent survey of 400 cyber security professionals participating in the Information Security Community on LinkedIn shows that 42 per cent of respondents were only moderately confident in their organisation's security posture. A resounding 48 per cent ranked phishing attacks as their primary concern.

The survey found users' biggest issue to be the challenge of actually detecting threats (62 per cent of respondents), even though over 90 per cent had invested in a cyberthreat intelligence platform.

IT security professionals cited their biggest issues: lack of budget (51 per cent), lack of skilled personnel (49 per cent), and lack of security awareness (49 per cent).

The dangers come from both phishing and spear phishing. There are parallels here with fishing. A hopeful fisherman will dangle a bait and hope to catch any fish foolish enough to bite, while a spear fisherman hunts stealthily and takes careful aim at a fat target.

In technical terms, spear phishing is an e-mail-spoofing attack that targets a specific organisation or individual, seeking unauthorised access to sensitive information.

Spear phishing attempts are usually made by cyber criminals looking for financial gain or other proprietary information from a company.

Generally, they include true information in an e-mail to create a sense of familiarity and appear to be sent by a known organisation or contact. They will coerce the target into installing malware or navigating to a malicious site designed to trick the target into yielding sensitive information.

A cyber criminal gathers information about the target and uses this to personalise the spear phishing attack. The attacker zeroes in on a select group or individual.

By limiting the targets, it is easier to include personal information such as the target's first name or job title, to make the malicious e-mails seem more trustworthy.

The messages often contain urgent reasons why they need sensitive information. Victims are asked to open an attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs and access codes.

Once criminals have gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim's information. Spear phishing can also trick people into downloading malware or other malicious code after they click on links or open attachments provided in messages.

In contrast, ordinary phishing attacks are sent to many people indiscriminately and come from a random or non-personal entity. They include no personal information and are easier to identify.

Spear phishing attacks are proliferating as software and users learn how to easily identify regular phishing attacks. Employees are becoming more suspicious of unusual or out-of-character requests for confidential information and will double-check sources before offering sensitive information.

HOW TO PREVENT SPEAR PHISHING

Because of spear phishing's personal customisation, standard security options are seldom enough to stop attacks.

Such attacks can be difficult to deter, but not impossible with the right security in place. Education about the risks of spear phishing and spear phishing prevention is clearly an important step. Everyone with access to sensitive company information should be instructed never to commit to any confidential transaction on the basis of e-mail alone.

E-mail clients like Gmail must never be used to pass sensitive information between two people. Instead, secure channels should be set up to share this type of information.

To reinforce employee education, e-mail security technology should also be employed to help deter these kinds of scams.

The Barracuda Web Security Gateway, Barracuda Email Security Service, and Barracuda Spam Firewall, which complement each other, are designed to provide protection against spam, malware and attacks like phishing and spear phishing.

Advanced solutions for real-time spear phishing and cyberfraud defence include Barracuda Sentinel's machine learning and artificial intelligence (AI) components for detecting Web service impersonations and targeted phishing attacks.

AI can stop such attacks by recognising that an e-mail impersonates a widely used Web service while the sender address is not one associated with that service, and the links in the e-mail have nothing to do with the service's domain.

This capability has also greatly expanded the volume of attacks that AI can detect in different languages. Attackers use the recipient's native language to try to trick them into clicking on a link.

Advanced AI solutions stop attacks in all languages and can effectively support customers across the globe.

In order to stop these types of impersonation attacks, AI does not need to rely on any text-specific characteristics of the e-mail, which allows it to work with any language.
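The two signals described above (the sender address does not belong to the brand the e-mail claims to be from, and the links point somewhere other than that brand's domain) can be checked without reading the wording of the message, which is why the approach works across languages. The following is an added example written for this article, not Barracuda's code or a description of how Barracuda Sentinel works; the brand-to-domain table and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookup for this example: brand name -> domains that legitimately
# send that brand's mail or host its links. A real deployment would maintain a
# larger, curated list; these entries are assumptions, not an authoritative source.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com", "dropboxmail.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def message_text(msg):
    """Concatenate the decoded text/plain and text/html bodies of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def analyse(raw_message):
    """Return a list of impersonation findings for one RFC 5322 message.

    A finding is raised only when the message names a known brand AND the
    sender domain is not the brand's AND at least one link leaves the brand's
    domain. Neither signal depends on the language of the body text.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = message_text(msg)
    searchable = (msg.get("Subject", "") + "\n" + body).lower()
    link_hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]

    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in searchable:
            continue  # brand not mentioned, so nothing is being impersonated
        sender_ok = domain_matches(sender_domain, allowed)
        foreign_links = [h for h in link_hosts if h and not domain_matches(h, allowed)]
        if not sender_ok and foreign_links:
            findings.append({
                "brand": brand,
                "sender_domain": sender_domain,
                "foreign_link_hosts": sorted(set(foreign_links)),
            })
    return findings


# Constructed sample messages for the example; not real mail.
PHISH = """\
From: "Dropbox" <no-reply@dropbox-file-share.example>
To: finance@victim.example
Subject: Your Dropbox shared file is waiting

A colleague shared "Q3 invoices.pdf" with you.
Open it here: http://dropbox-file-share.example/view?id=1234
"""

LEGIT = """\
From: Dropbox <no-reply@dropboxmail.com>
To: finance@victim.example
Subject: Your Dropbox shared file is waiting

A colleague shared "Q3 invoices.pdf" with you.
Open it here: https://www.dropbox.com/s/abcd1234
"""

if __name__ == "__main__":
    print(analyse(PHISH))  # one finding for "dropbox"
    print(analyse(LEGIT))  # no findings
```

The rule deliberately requires both signals to disagree with the claimed brand before raising a finding, which keeps false positives low for legitimate mail that links to third-party sites. In practice this check sits alongside sender authentication (SPF, DKIM and DMARC results) and a much larger brand and domain list; the domain matching here is also naive (it treats any suffix match as a subdomain) and a production version would use the Public Suffix List.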

As hackers become more sophisticated and prevalent, users need to be aware of the threats and be trained to easily recognise malicious e-mails.

Barracuda PhishLine can turn users from being part of the attack surface to part of the solution. This comprehensive user awareness training helps to counter sophisticated phishing and socially engineered spear phishing attacks by putting the focus on employee awareness with computer-based security training and simulation.

Users can sharpen their anti-phishing skills with advanced phishing simulations along with end-user testing, reporting and comprehensive metrics that let them take prompt and meaningful action against threats.

Organisations using solutions with such cutting-edge techniques are far less likely to fall for either phishing technique.

  • The writer is vice-president, Asia-Pacific, Barracuda.