While employees have, in the main, adapted to working from home, the rapid move to a remote workforce as a result of Coronavirus has left many organisations highly susceptible to cyberattacks. Andrew Morris, Managing Consultant at Turnkey Consulting, explains how companies can protect themselves against phishing.
One of the most common threats is phishing, a form of social engineering whereby criminals manipulate individuals into performing actions before they have a chance to stop and think critically and rationally about the email in front of them.
Typically, phishing attempts to obtain an individual’s username and password so the attacker can log on as that (legitimate) person to steal data or money, or cause disruption to the business. These attacks can also be used to install malicious software on computers and mobile devices in order to cripple them, to extort money from the organisation, or to use the compromised devices to cause further damage.
With most employees working remotely, the number of phishing attacks against organisations has increased. People are naturally anxious, and they are not in their normal working environment. It could be assumed that this would lead to them being more on their guard for such attempts but experience shows quite the reverse, meaning they are more likely to become a victim of social engineering attacks.
Communications that appear to come from the organisation they work for are far more likely to be believed if the employee is not in the office (where they would be able to verify them) or is distracted by events happening at home. With business processes such as payroll (only ever intended to be run from the office) being executed remotely, the controls that ensure nothing untoward is taking place are stretched. And as attention is more likely to be focused on the execution of business-critical events, it is easy for some of the smaller controls or processes to run without any monitoring until long after the damage has been done.
Criminals are taking advantage of this anxiety and distraction. This has seen an increase in business email compromise attacks, whereby a criminal poses as a senior manager in the organisation and asks an employee to transfer funds to a (typically) untraceable account. The transfer is implied to be critical and the employee is asked to keep it secret because it supposedly relates to a sensitive matter such as a merger or acquisition. Current scenarios used by criminals include transferring money to ‘virus relief funds’ or to help colleagues who have been made redundant.
False login pages
Another common attack involves criminals sending links to organisation-branded pages where employees are asked to log in as part of new working-from-home processes. The usernames and passwords of those individuals are then stolen and subsequently used to attempt to access company information and applications.
Fake pandemic alerts are also sent out with the aim of getting employees to click on them so malicious software can be installed on their computers. From there criminals can use that software to remotely access networks, or launch ransomware to lock away all the data on the network and only return access to it once a fee has been paid (and even then, access is never guaranteed).
Criminals will often target specific individuals in these attacks and, with enough planning, can tailor the contents of the email to almost guarantee that the person will click on it and provide information. Individuals performing critical jobs, including senior managers, finance, HR and vendor management, are often the main targets due to the amount of sensitive information they hold or their access to critical processes such as payroll. Members of the IT team are often additional targets due to the wide range of administrative access they have to the organisation’s network.
Prevention through training
An educated employee is the first line of defence against phishing attacks, so training is a key method of tackling the issue. It is critical to ensure that training covers both how to identify and how to report attempts. If attempts are reported, the organisation can establish whether other individuals are being targeted in a similar way and take action to respond and safeguard them. Using real examples where possible, such as false news bulletins or tailored, branded communications, helps to increase the effectiveness of these exercises.
Training the entire organisation might not be feasible, in which case it is important to focus on individuals who might be high risk. These people can be identified through threat intelligence activities or by job role. Users with access to sensitive data (HR, finance) and individuals with privileged system access (application support teams, network administrators) are common targets. Internal phishing campaigns can help to pinpoint individuals who are repeatedly vulnerable and would benefit from more intensive training.
Mitigation tools and techniques
Should employees fall for the always-evolving phishing attacks, then the organisation needs to be able to detect when someone has been compromised.
• Employee devices (mobiles, laptops, etc.) need to be sufficiently protected; anti-malware and endpoint protection software are key to identifying whether an individual’s computer or mobile device has been compromised after clicking on a link from a malicious email. Quickly resolving incidents at the source can prevent the spread of malware, or stop an attacker from reaching into other parts of the network.
• The IT network and the applications within it need to be monitored. Security Information and Event Management (SIEM) tools collate logs so that unexpected (and therefore suspicious) behaviour, such as an employee accessing data they would not normally look at, is identified and stopped before any damage is done.
• Data Loss Prevention (DLP) software and information classification tools protect unstructured data, whether exported from applications or created by the business, from leaving the organisation. Knowing what information is confidential or sensitive allows the cybersecurity team to monitor for unexpected transfers of data outside the organisation’s controls.
• IT security and business teams need to work together to ensure adequate controls are in place, for example preventing unauthorised payments or transfers of money unless they go through sufficient levels of approval, regardless of who appears to have made the request.
• Other checks include the teams responsible for disseminating company-wide updates about the pandemic being clear about the format and channels they will use to communicate. This is in order to minimise the risk of a criminal taking advantage of the confusion and publishing false information to encourage employees to perform an action that will damage the organisation.
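To illustrate the kind of SIEM rule the monitoring bullet describes (an employee accessing data they would not normally look at), here is an added example that is not from the article or from Turnkey Consulting. It builds a per-user baseline from constructed access-log lines and flags current accesses that fall outside it; the log format, user names and resource paths are all assumptions.

```python
# Added example: baseline-vs-current access check of the kind a SIEM
# correlation rule would run. All log data below is constructed.
from collections import defaultdict

# Constructed sample logs: "date user resource" (not real data).
BASELINE_LOGS = """\
2020-03-02 j.smith hr/payroll
2020-03-03 j.smith hr/payroll
2020-03-04 j.smith hr/benefits
2020-03-02 a.jones finance/invoices
2020-03-05 a.jones finance/invoices
"""

CURRENT_LOGS = """\
2020-04-06 j.smith hr/payroll
2020-04-06 j.smith hr/leavers
2020-04-06 j.smith finance/bank-accounts
2020-04-06 a.jones finance/invoices
2020-04-06 a.jones engineering/source
"""

def parse(logs):
    """Yield (day, user, resource) tuples from the constructed log text."""
    for line in logs.splitlines():
        if line.strip():
            day, user, resource = line.split()
            yield day, user, resource

def build_baseline(logs):
    """Map each user to the set of resources they normally access."""
    seen = defaultdict(set)
    for _, user, resource in parse(logs):
        seen[user].add(resource)
    return seen

def detect_unusual_access(baseline, current_logs):
    """Return alerts for accesses outside a user's baseline. A resource in
    a department (path prefix) the user has never touched is rated high;
    a new resource inside a familiar department is rated medium."""
    alerts = []
    for day, user, resource in parse(current_logs):
        usual = baseline.get(user, set())
        if resource in usual:
            continue
        dept = resource.split("/", 1)[0]
        known_depts = {r.split("/", 1)[0] for r in usual}
        alerts.append({"day": day, "user": user, "resource": resource,
                       "severity": "high" if dept not in known_depts else "medium"})
    return alerts
```

In practice the baseline would be rebuilt on a rolling window and the alert fed to an analyst rather than blocking access outright.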
The global pandemic has caused a rise both in phishing attacks and the number of organisations that are susceptible to them, but it is by no means a new phenomenon. It won’t disappear as more people start to return to work in offices; equally, with one of the lasting effects of lockdown likely to be a significant rise in the number of employees choosing to work from home at least some of the time, it will remain an ongoing risk.
Understanding why phishing happens and how to prevent it, while being prepared with mitigation strategies should bad actors succeed in their attempts, is therefore good business practice – regardless of COVID-19.