CBR sits down with Luis Corrons, Technical Director at PandaLabs, to talk phishing.
Phishing attacks are on the rise, but how can you recognise them? CBR’s Alex Sword talks to Luis Corrons, Technical Director at PandaLabs.
AS: What are some common examples of phishing attacks?
The most common examples of phishing attacks are emails that supposedly come from a bank or payment provider, courier company, or popular shopping site (Amazon, iTunes etc.). One way or the other, it will be trying to get our personal information so it can be used to steal further information or empty our accounts.
AS: Phishing attacks take many different forms. What are some common characteristics that people can look out for?
Most times the initial phishing message says there has been some kind of security incident involving your account, and tells you that if you do not take action it will be suspended. There will be a link in that message that the user has to click in order to fix the problem; once clicked, it takes the user to a web page with the look & feel of the organisation they are trying to fake, which will ask the user for their personal information (credentials, security questions, etc.).
AS: What would a good employee training programme in an organisation look like?
The best training programme should start by launching a controlled phishing attack against the company's employees. This can then be used in the follow-up training to show how effective a real attack would have been and teach all employees to recognise these types of attacks. Repeat this periodically to measure the success of previous training.
Special attention should be given to the finance team to ensure they are aware of CEO fraud (aka Spear Phishing or Whaling), which occurs when an email supposedly coming from a C-Level executive requests an urgent and often substantial bank transfer. The FBI estimate $2.3bn has been lost to this type of fraud over the last three years. Having a system in place where the finance team can verify anomalous transactions directly with the C-Level executives or senior members of staff at any time can stop these losses.
AS: What are some basic checks that can be put in place so that suspicious emails can be vetted?
Most phishing messages rely on the user clicking on the link in the message or just opening an attachment. Not doing it solves the problem.
By learning the typical characteristics (there is a serious security problem, urging us to act as soon as possible, threatening us with closing / suspending our account, giving us a link to solve the problem…) users can spot phishing attempts.
At the end of the day, if the user has any doubts and considers it might be a valid message, they can always go to the company website from the browser without clicking on the link. If available, report suspicious emails to your IT team or provider.
Never trust attachments from unknown sources, of course.
AS: How are phishing attacks evolving?
Historically the cyber-criminals behind these attacks had problems with the language used as English was not their first language, and it was easy to spot grammar mistakes as well as misspelled words. Nowadays they have improved and in general they do not make these kinds of mistakes.
Phishers are more professional, and it is a continuous battle to realise we are facing a phishing attack; contacting the originator by phone or directly visiting their website will normally confirm whether the email is genuine.
Although phishing has often been linked to the theft of online banking credentials, there are some other kinds, such as those made to steal Facebook or Twitter credentials. In these cases, instead of an email you get a message with a link; if you click on it, it takes you to a website with the same look & feel as the social network and asks you for your credentials.
AS: Is it possible to protect our data online to make phishing attacks less successful?
Yes, of course. The first tip is not reusing passwords. Using a password manager is the most effective solution for this. On top of that we should enable 2FA (two-factor authentication), so even if a phishing attack succeeds and our credentials are stolen, our accounts will be safe.