Published in Business NH Magazine (September 2019)
Phishing is the most prevalent cyber-attack. Why? Simply put, it works really well. While it is important that individuals learn how to avoid taking the bait, businesses also must implement techno-logical safeguards against phishing.
There are many phishing scams, but the most prevalent involve casting the same email to numerous individuals. "Phisher-men" lure recipients into clicking a link in the email or double clicking an attachment by masquerading as legitimate business actors communicating in an expected manner. This type of phishing is appetizing because it appeals to people's inherent curiosity, desire to quickly resolve a problem and lack of time to pay sufficient attention to all the email one receives on a daily basis.
When someone bites, the phisherman uses the link or attachment to download ransomware or malware to the individual's device as well as other devices and networks connected to it. Ransomware encrypts data on those devices and networks, disabling the company's ability to conduct business, and the attacker demands a ransom payment to decrypt the data and resume operations.
Malware usually permits the phisher-man to covertly access the compromised devices, computers and networks to steal information or funds. This type of phish also can trick recipients into providing in-formation, such as credentials to access an email or financial account, facilitating theft of information or funds.
A different type of phishing sets the hook into particular individuals at a business, such as an executive officer, controller, employee in finance or accounting, IT employee, HR professional, or other man-ager responsible for decision making. Due to its pointed nature, this type of attack is called spear-phishing.
Spear-fishermen usually already have access to a business manager's email or the company's network through ordinary phishing to monitor communications and select an instant to strike when the business is most exposed.
For example, spear-phishermen wait for the moment funds are about to be transferred for a large transaction, then take control of an executive's email and send instructions directing payment of the funds to the phisherman's account. Another example is a spear-phisherman who knows when a CFO is meeting with the company's accountants to complete tax returns, then takes control of the CFO's email and instructs a staff accountant to send copies of W-2s for all employees. Still other spear-phishing involves spoofing or hiding a sender's real email address and making it appear as if the email originated from another person's account (such as a colleague or vendor) to lure a recipient into transferring information or funds to the spoofer.
Individuals need to develop instincts and defenses for phishing. For example, if an employee receives an email with a link or attachment from a person unknown to them or from a person they did not expect to receive an email from, the employee should call the person to determine if he or she actually sent the email. Likewise, if an employee receives an email from a colleague or a vendor directing them to send sensitive information or funds, he or she should call to verify the need for the information.
Educating employees to recognize and avoid phishing is imperative. However, no matter how much training, testing, and re-training a business provides, its employees will remain fallible. Other technological safeguards, including the following, are vital to protect against phishing.
Sandboxing: Businesses should add an application to their email systems that tags all emails containing a link or attachment. If an employee clicks on the link or attachment, the application launches it in a safe digital environment, called a sandbox, pre-venting any malicious application from infecting the employee's device or any others connected to it.
Spoofing Recognition: Businesses should incorporate an application into their email systems that recognizes emails originating outside the business' email domain and they should add a header to those emails alerting employee-recipients to that fact. The application also would recognize whenever the sender's email address differs from the one displayed to the employee-recipient. It then quarantines the email for further review.
Active Threat Prevention: There are applications that use advanced technology to detect certain activity that is unusual or threatening, disable the activity before it can cause further harm and sequester or, in some instances, reverse the damage.
Dual Authorization: Businesses should develop formal processes and implement technological safeguards that require dual authorization for certain financial transactions and transfers of large amounts of sensitive information.
Phishermen undoubtedly will continue to develop increasingly sophisticated tac-tics to net a catch and phishing is only one of many cyber risks to businesses. The best defense for businesses is to conduct a comprehensive risk assessment with an information security attorney and IT consultant and remedy the company's vulnerabilities, including implementing phishing prevention techniques.