Rotem Shemesh, Lead Product Marketing Manager, Security Solutions at Datto, provides SMEs some guidance on how to protect against the numerous phishing attacks businesses face today.
Phishing attacks remain the most common threat vector according to the UK Cyber Security Breaches Survey, published in March this year. Of the 39% of UK businesses that suffered a cyberattack in the last 12 months, 83% were due to a phishing attempt. This is not surprising, given how easy it is to deploy a phishing campaign; and while phishing is not new, it is often used as the first step in larger-scale cyberattacks to trick users into sharing confidential information. No organisation is immune to these attacks, but small and medium-sized enterprises (SMEs) are being targeted at an accelerated rate.
Sophisticated phishing can bypass security detection
Designed to create a sense of urgency or fear, phishing techniques have evolved over the years. They are increasingly sophisticated and more difficult to detect and defend against. Bad actors now operate on multiple channels to obtain user credentials from platforms such as WhatsApp, Slack, Twitter, LinkedIn, etc. Additionally, hackers are using techniques such as web session hijacking, email customisation, link masking, email thread hijacking, and are using nontraditional phishing mediums such as Voice over IP (VoIP), Short Message Service (SMS), and Instant Messaging (IM), which are making attacks more difficult to spot, as well as allowing them to bypass security systems.
Given the new techniques being used and the increased level of sophistication, circumventing detection hurdles is becoming easier – even for inexperienced hackers. In addition, today’s technology provides cybercriminals with the ability to automate email and webpage customisation, making it easy to launch highly tailored attacks even on small businesses.
One of the techniques hackers are using to gain access to sensitive information is spear phishing. The bad actor researches an intended target or small target group to obtain information they then include in a customised email to add credibility. Another more sophisticated phishing technique, called man-in-the-middle, relies on the interception of emails between two people. Once this is accomplished, the bad actor corresponds with the victims to acquire compromising information.
A more recent tactic involved a threat disguised as a communication hosted on a trusted domain, which enabled the attacker to remain below the detection radar. This attack leveraged Adobe InDesign’s hosting reputation to conceal a malicious link in an inframe. Sent via email, the goal of the bad actor was to obtain users’ credentials by having them click on a link to access a shared document. The link sent users to a fake webpage uploaded to indd.adobe.com, a legitimate URL. The masking technique – embedding an additional link in an iframe on the indd.adobe.com webpage – bypassed numerous email cybersecurity detection measures.
Fortunately, this attack was discovered before it had a chance to create severe damage, but this example depicts how serious and dangerous phishing attacks have become. As cybercriminals get smarter and bolder, SMEs must take the necessary steps to minimise the risk and impact of becoming a phishing victim.
Take an offensive approach to phishing
With phishing attacks more challenging to spot for the average user, SMEs need to build a strong cyber detection and prevention plan. While there’s no foolproof solution, SMEs need to be on high alert and take an offensive position by incorporating additional security measures.
All SMEs need to have the most up-to-date and advanced security solutions in place to protect email and other collaboration platforms against phishing threats. They need to adopt an assumed breach mentality and create a cyber resilience culture. This ongoing process consists of five functional components – identify, protect, detect, respond, and recover. It starts with an assumed breach mentality and ends with building a cyber resilience foundation.
It’s imperative to assess phishing risks and gaps by conducting phishing simulations frequently. Additionally, by deploying two-factor authentication, SMEs will be able to prevent cybercriminals that have compromised a user’s credentials from gaining access. For additional security, a combination of hardware-based multi-factor authentication (MFA) and biometrics –
instead of a password – should be used. If remote users need to access your network, make sure they connect over Virtual Private Networks (VPNs).
The SME’s IT department or their managed service provider (MSP) needs to keep abreast of current and new phishing strategies, as well as security policies and protection solutions. Also, cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Controls should be leveraged to reduce risk, gain cyber maturity, and achieve desired security objectives.
Since end-users are key to spotting phishing attempts, conduct ongoing user training and education frequently. To determine if an email is authentic, the user needs to pay attention to the sender’s address – does it look legitimate? Are there grammar mistakes or odd language being used? If there’s a link, train users to hover the mouse over the link to see where it leads before clicking it. And finally, be sure that it’s easy for users to report a potential phishing attack quickly.
Given today’s ever-changing digital environment and malicious actors’ relentless aim of staying one step ahead of their targets, cyber security can no longer be an afterthought. SMEs need to be on the offensive and put security protection, processes, and training in place to minimise phishing risks.