You must not underestimate the capabilities of phishing attacks.
It can at times seem as though we are all at the mercy of the mysterious, sometimes hooded, hacker figure who has us under control before we have even tried to protect ourselves. It may therefore surprise some that the kinds of cyber attack causing the world’s greatest problems are also the most primitive.
Bewildered by the idea of a cyber grim reaper wielding code and algorithms like black magic, we may have lost sight of the truth that we can protect ourselves by changing and strengthening passwords, using multi-factor authentication, and not clicking on suspicious links.
This is not only the case for individuals but also for major organisations, with the recent Verizon Data Breach Investigations Report being a case in point. John Grim, Senior Security Specialist and RISK Team Leader at Verizon, told CBR that the results of the report show a lack of awareness, reflected in the continued effectiveness of basic attacks such as phishing.
The report covered 1,935 data breaches spanning 84 countries, with a standout finding being that humans are still enabling low-tech attacks to wreak havoc within organisations.
“First and foremost, taking advantage of the human element is big with threat actors; taking advantage of people’s gullibility when it comes to sending phishing emails, taking advantage of people not paying attention,” said Mr Grim.
“Phishing is very big, the social engineering aspect of it, and you see that as a continued trend this year as well as we have seen over the previous years. So 43% of the data breaches involved phishing, and that was definitely a precursor for the financially motivated attacks, as well as the cyber espionage.”
The message of changing passwords and adding complexity to them was also one shared by the Senior Investigative Response Consultant. Mr Grim said: “Credentials are still a big problem. In 81% of the data breaches that we looked at this year, in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen.”
While it might be assumed that all organisations have processes, procedures and standards for basics such as passwords and employee awareness, these areas continue to be neglected, and the result is a steady stream of attacks and breaches.
At an even simpler level than phishing, financial pretexting was also found to be effective in gaining access to critical data, exploiting the low awareness and carelessness of users.
John Grim explained how this works and how prevalent it is: “Financial pretexting is tricking somebody, like sending them a fake invoice, and having an executive sign off on it, and basically stealing money that way.”
“In terms of pretexting, the top communication vector is email; we’re seeing 88% there, and then we are seeing pretexting 10% of the time in telephonic or phone communications.”
With close to 90% of this most basic form of attack arriving via email, it raises the question of whether email is still a suitable platform for transferring sensitive information. CBR recently spoke to a startup called Pushfor that is tackling this space, aiming to provide a secure solution for sending important information.
It must also be realised that once an attacker has used your lack of preparation and awareness against you, that is only the beginning: your network can then be infiltrated by malicious software and held to ransom.