The rise of phishing attacks

A recent study by Tripwire has found that more than half of all security professionals surveyed had noticed a rise in phishing attacks at their organisation in the past 12 months. Alarmingly, the survey also uncovered that these professionals believed that their company was ill-equipped to protect itself against these scams.

It comes as no surprise that the increase of phishing attacks is one of the most significant cyber security threats to organisations today. Therefore it’s imperative to arm all staff and board members with the knowledge to identify these scams in order to protect our company data.

The following list outlines 6 common phishing attacks:

1. Deceptive Phishing

This is the most popular phishing scam used. It occurs when cyber criminals pretend to be a legitimate company with the aim of stealing an individual’s personal information. These emails often use threats to get what they want. Be wary of generic greetings or requests for information that the sender should already have. Errors in syntax and spelling are often a giveaway that you’ve been targeted in a deceptive phishing attack.

2. Spear Phishing

Spear phishing is a more personalised version of deceptive phishing. For example, criminals will customise their scam email with the recipient’s name, position, organisation or even phone number, in an attempt to hoodwink the target into believing that they have an established relationship. In much the same way as deceptive phishing, the aim of this scam is to trick the recipient into clicking on a malicious link, thus exposing their personal data.

3. CEO Fraud

In this scenario, the criminals will impersonate an executive’s email address and use it to request payments and transfers from others within the organisation.

4. Pharming

This new type of phishing scam involves exploiting the internet’s Domain Name System (DNS), which converts website names to IP addresses. In this type of attack the criminal targets a DNS server and alters the IP address in order to redirect victims to a malicious website, even if the victims entered the correct website name originally.

5. Dropbox Phishing

Some phishers customise their scam emails to mimic a company or service such as Dropbox. In this scenario a victim is sent a realistic looking email claiming it has come from Dropbox requesting the user to click onto a link which then installs malware onto their computer.

6. Google Docs Phishing

Just like Dropbox phishing, the criminals use the Google brand to lull victims into a false sense of security in order to harvest their personal details. A message is sent to a user to view a document on Google Docs, and whilst the landing page is on Google Drive, when the victim’s personal credentials are entered they go straight to the criminal.

Smaller companies now more vulnerable to cyber attack

When we hear about cyber hacking crimes, the target of the attack is usually a large corporation or household name; however hackers are increasingly targeting smaller corporations, particularly those of less than $1 billion in revenue.

A recent survey by companies Nationwide and Advisen uncovered that since 2012 the average target company size had decreased by 28%. Alarmingly, figures uncovered by the same survey indicate that malicious data breaches had risen by 40% between 2015 and 2016.

According to a subsequent survey by Beazley Breach Response (BBR) Services, financial organisations of less than $35 million in revenue were targeted more aggressively by hackers when compared to larger institutions. BBR cites the reason smaller companies are targeted is because they are simply more vulnerable. BBR says, “hackers are increasingly targeting smaller financial institutions with less robust data security systems and personnel than larger banks.”

Such is the breadth of cyber hacking globally that it has even garnered the attention of the G20. In a statement obtained by Reuters, the world’s largest economies vowed to collaborate in their fight against cyber attacks on the banking industry saying, “we will promote the resilience of financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies, including from countries outside the G20.”

The light shone on cyber attacks by the G20 highlights the changing nature of businesses vulnerable to cyber attack and consequently, that the industry is ill-prepared to deal with such attacks. In order to protect themselves financial institutions should be aware that cyber threats are often indiscriminate and inherent in various sources including unencrypted data, new and unsecured technologies, and unsecured mobile banking.

To ascertain your vulnerability, take our survey or give us a call for a confidential discussion.

Cyber Security – It’s Easier Than You Think

Nowadays, a common problem that most businesses will face is understanding how they can protect themselves from cyber attack and whose responsibility this is.

“Don’t make the mistake of thinking of [cybersecurity] as a technology thing. It’s not,” says Adam Moseley, MD of Schwab Business Consulting and Education at Charles Schwab. Moseley follows by warning, “it is no longer a matter of if, but when, you’re going to be compromised.”

Much of the best advice points out that organisations should adopt the same defence practices as consumers in order to protect themselves against attack.

Moseley explains that these practices should spring from smarter cyber behaviour and better education, “I don’t think there’s a single greater threat to your organizations outside of email…we don’t hesitate to click a link, to open an attachment,” he said; especially when we consider that most malicious links and ransomware are generated via scam emails.

Moseley says that the most prudent organisations will engage a provider to test staff behaviour and provide education around safer cyber practices. He goes on to say that it’s beneficial to rethink behaviour around the simple things like passwords and emails and that cyber security must start with the individual.

Common cyber-security openings, weaknesses and behavioural issues can be resolved with better education. There are many easy and accessible habits that we can all engage in to help protect ourselves.

For example:

  • Call email senders to test legitimacy of suspicious comms
  • Keep sensitive data out of emails
  • Pick longer passwords (hackers will find these harder to penetrate)
  • Implement two-factor authentication where available

Addressing cyber security in the workplace doesn’t need to be a daunting exercise. There are many more simple and easily adopted behaviours that will help to protect us all from harmful cyber attack. Call us to find out how we can help you and your business with educational resources, or to set up a meeting for further discussion.

Legal Consequences for Businesses – Cyber Security

The danger of a cyber security breach lies not only in the breach itself but in its significant legal ramifications. It’s just a matter of time before Australian courts are faced with a cyber security class action, especially considering that the number of cyber security attacks is on the rise.

A recent class action in the U.S. brought against credit reporting agency Equifax highlights the legal implications for organisations that do not have the appropriate security controls in place. The action alleges that Equifax was negligent in protecting the individuals whose data it held because they did not maintain adequate safeguards against unlawful access (which they knew could result in a substantial data breach).

The minimum criteria for a class action in Australia is a group of seven complainants who have a related claim that gives rise to a common issue. In a scenario where a number of people have had their data leaked in the same cyber security attack, like that in the Equifax example, these minimum requirements would likely be met. The difference in the amounts lost or circumstances of the transactions is irrelevant.

ASIC has reported that at least 80% of organisations anticipate a rise in cyber threat over the next 12 months, and that risk should also be the responsibility of the individuals and companies who entrust their information to providers. However, with cyber security threats rising, the legal fraternity’s expectation of those tasked with the responsibility of protecting individuals against these risks is also increasing; and no company is immune – the risk of a cyber attack touches every organisation that collects or maintains confidential property.

Essentially, as cyber attacks increase it is expected that momentum will build in favour of financial compensation for individuals that suffer as a result of such attacks. Even with the best intentions, or a belief that your company is secure, outdated security measures may leave your organisation open not only to security breaches but to considerable litigation.

Cyber security risk is now an enterprise wide issue that necessitates strategic execution. Today’s leaders will be expected to justify the security defences they pull together to protect their organisations from liabilities that cyber hacks can expose them to.

Actively manage your cyber security risk by taking our survey to measure your vulnerability.

2017 Australian Cyber Security Centre (ACSC) Threat Report

Last month the Minister Assisting the Prime Minister for Cyber Security, Dan Tehan MP, released the 2017 Australian Cyber Security Centre (ACSC) Threat Report. This report outlines the types of threats and trends now emerging within the Australian cyber landscape.

Mr Tehan says, “…cyber security is not just the business of national security, but something that must become second nature to all Australians. Cyber security is not just the domain of our intelligence agencies or our defence forces [it’s]… as relevant for mums and dads, small business owners and local communities, to keep their data, their money and their identities secure.”

As we know, the nature of cybercrime is fast evolving, and its impact is not only damaging but far reaching. Mr Tehan says, “over the past year, we have seen increased targeting of trusted third parties, particularly service providers. These companies are highly attractive targets as they can provide access into a range of primary targets.”

Cyber criminals employ a range of tactics to infiltrate our data, with ransomware being a popular means of extortion. This type of crime enables cyber criminals access to a large amount of data from a broad range of victims. As we can see it’s not only large corporates who are vulnerable.

Mr Tehan says ransomware is used to take advantage of known weaknesses in our cyber defences and that we need to be on the front foot when it comes to cyber security, saying “backing up data and proven data restoration processes are vital to mitigate data being encrypted, corrupted or deleted by ransomware.”

Read the 2017 Australian Cyber Security Centre Threat Report.

AFP traffic infringement scam

A recent email scam targeting road users has highlighted the case for stronger education around what constitutes good e-mail practice in today’s corporate landscape.

This latest email was sent with AFP branding and alerts the recipient that they have been issued with a traffic infringement notice.

Whilst convincing, on closer inspection small nuances serve as clues that this email scam is far from legit. For example the email had not been personally addressed, the fine listed includes cents and the letter A after the dollar sign, and it lacks any detail about your number plate or the actual offence.

Over recent weeks there have been numerous other scams that play on this ‘notice’ theme, all of which are particularly destructive; as these types of scam emails, if downloaded, can infiltrate your computer and steal your credentials.

A scam email such as this should not be viewed in isolation; this is just one of many potentially damaging scenarios in which someone can be attacked through email. More robust education of staff and board members will better equip them to properly identify phishing scams and malware attempts, which is a must for any organisation’s risk mitigation strategy.
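The tell-tale signs listed for the AFP-branded notice above can be turned into a simple mail-triage check. The following is an added example, not part of the original article; the sample message is constructed, and the `triage` function, its `recipient_names` parameter and the offence keyword list are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the description in the text (not a real capture).
SAMPLE = """\
From: AFP Notices <notices@afp-infringement.example>
To: jane.citizen@corp.example
Subject: Traffic infringement notice
Content-Type: text/plain; charset=utf-8

Dear Customer,

You have been issued a traffic infringement notice.
Amount due: $A152.36
View your notice to avoid further penalties.
"""

# Fine written with the letter A after the dollar sign and with cents.
AMOUNT_RE = re.compile(r"\$\s?A\s?\d[\d,]*\.\d{2}\b")
# A plate-like token after a registration keyword (heuristic, assumed format).
PLATE_RE = re.compile(
    r"(?i:number plate|registration|rego)\W+[A-Z0-9]{2,3}[ -]?[A-Z0-9]{2,4}\b")
# Wording that names an actual offence (assumed keyword list).
OFFENCE_RE = re.compile(r"\b(speed\w*|red light|seat ?belt|mobile phone)\b", re.I)


def triage(raw, recipient_names):
    """Return the indicators from the article that the message exhibits."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    findings = []
    # Indicator 1: the notice does not address the recipient by name.
    if not any(re.search(rf"\b{re.escape(n)}\b", body, re.I)
               for n in recipient_names):
        findings.append("not_personally_addressed")
    # Indicator 2: the unusual "$A...cents" amount format.
    if AMOUNT_RE.search(body):
        findings.append("odd_amount_format")
    # Indicator 3: no number plate or no description of the offence.
    if not (PLATE_RE.search(body) and OFFENCE_RE.search(body)):
        findings.append("no_plate_or_offence_detail")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE, ["Jane", "Citizen"]))
```

A message that trips several indicators at once is a candidate for quarantine or for a user-facing warning banner; any single indicator on its own is weak evidence.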
