From Amazon’s Prime Day scam to fake websites offering iPhone 11 Pro and tricking people into bogus COVID-19 vaccine sites – the last couple of months have seen a massive spike in phishing attacks. Bad actors have constantly lured users to log onto phishing sites as a way to steal their usernames and passwords. Then there were more targeted and potent phishing attacks, and even seasoned journalists like Nidhi Razdan were not spared of ‘spear-phishing’ as is known in the hacking parlance.
Phishing and fraud campaigns are not new and always existed in the history of cyber threats; but the number of incidents is escalating due to the rapid shift to remote work across the enterprise – thanks to the pandemic. Gartner observes, as organizations are increasingly adopting cloud services and other collaboration tools beyond email, phishing attacks are no longer just an email problem. These attacks have expanded to SMS and instant messaging, social networks, collaboration platforms, videoconferencing, and gaming services.
Parminder Kaur, Associate Director, Digital Transformation Practice, Frost & Sullivan, believes that the low volume-high impact phishing attacks seen in recent months are more sophisticated and targeted. “These are difficult to detect compared to mass phishing campaigns, thereby putting individuals and businesses at higher risk,” says Kaur.
One reason is that hackers are increasingly masquerading as legitimate sources and brands. According to a study by Check Point, the most frequently imitated brands by cybercriminals in their attempts to steal victims’ personal information or payment credentials include Microsoft, LinkedIn, Amazon, Google and PayPal among others. In Razdan’s case it was an equally reputed institution like the Harvard University. In most cases, lured with promises of monetary or career gain or threats of financial or physical danger, people are being dodged out of tens of thousands of dollars. Corporations lose even more — tens of millions of dollars.
But are companies ready to face this onslaught?
GV Anand Bhushan, Partner at Shardul Amarchand Mangaldas & Co notes, “While companies in general are taking measures to safeguard themselves from phishing related cyber-attacks, lack of employee training when it comes to cyber-security, skills shortage in the cyber-security industry, and failure to take timely assistance from the Computer Emergency Response Team (CERT-In) in case there is a cybersecurity incident, are some of the challenges companies continue to face. That being the case, while many companies are giving importance to cyber-security, there is still room for additional measures that organizations can adopt from a cyber-security standpoint.”
It is important to understand that while companies may get smarter, and the anti-phishing tools they use as protection are more accurate than ever; phishers have evolved to stay one step ahead. They have expanded attack payloads to fake login scams, scareware tactics, fraudulent ads, and rogue software downloads.
“The problem is, while there are many email security and anti-phishing solutions in the market for enterprises and most cloud solutions have robust security measurements for consumers, but not all of them detect unknown malware or zero-day threats. The responsibility falls on the individual to secure their personal information by validating emails before responding and inspecting URLs or malicious links. There is a compelling need to be more vigilant and security-aware so that we are not left compromised,” says Kaur.
In fact, cybersecurity company Kaspersky observes that phishing attacks are becoming more targeted in recent months, with some disguised as emails from HR about employee dismissal or changes in the medical leave procedure. Emails about password changes, corporate meetings, vacation policies and remote working policies are also some of the ways CXOs are tricked.
Sonit Jain, CEO of GajShield Infotech gives an example of phishing attacks that targets various departments within the enterprise. “A recently emerging method of spear-phishing attacks is where attackers are targeting HR departments and convincing them to change employees’ payroll setup etc. The mode of communication in these attacks is mostly emailing. Victims are sent emails with malicious attachments and links that take them to a spoofed website containing malware,” he says.
Spear-phishing attacks are targeted attacks to steal critical and valuable information from specific individuals or enterprises. Recently there has been an increase in such an attack during the COVID-19 Pandemic, targeting work from home enterprise employees with a specific intention to extracts critical data and information.
So, how can CXOs mitigate such threats?
Needless to say, it is not enough to just identify and respond to attacks. Organizations must also have a comprehensive mitigation strategy in place to reduce risk and disrupt threats before they cause harm.
While organizations today are becoming aware of the cyber-risks associated in this digital age, and are giving importance to cyber-security and data protection, more advanced form of phishing attacks will continue to lure users through 2021, with bad actors adopting new techniques and scenarios.
Surendra Singh, Senior Director Country Manager at Forcepoint opines, “As people are an organizations’ greatest asset, organizations should educate employees to prevent phishing attacks, particularly how to recognize suspicious emails, links, and attachments. Cyber attackers are always refining their techniques, so continued education is imperative.”
The most common methods to prevent phishing and similar attack vectors in an organization are to implement a cybersecurity team and train employees. Training employees about spear-phishing attacks and preventing them from clicking any links on emails is an excellent method to avoid attacks.
However, experts have often raised doubt about the effectiveness of the training. They reason that as employees play a major role in preventing and handling phishing attacks, a lot of thought needs to go into employee awareness programs.
“Organizations must run interactive Training, Education and Awareness (TEA) programs. It is essential to conduct mock phishing scenarios, identifying employees who fail and thereby providing additional training to those, while ensuring equal involvement of the higher-level management,” says Phanikishore Burre, SVP & Delivery Head – Infrastructure, Network, Cloud & Security Services at CSS Corp.
At the same time, no training can ensure maximum security. Cybersecurity teams can ensure protection from such attacks along with ensuring data security.
At the basic level, deploying trusted antivirus solutions, SPAM filters, configuring firewall policies, scheduling signature updates, ensuring enablement of additional monitoring, and web filter to block malicious websites is equally vital.
Companies should also implement multifactor authentication (MFA) to access the accounts of employees to minimize the chances of an initial compromise. It should also grant network access on a least privilege scale for all new employees. Further, periodically review network access for all employees to reduce the risk of compromise of vulnerable and weak spots on the network.
Burre suggests, “Firms can also protect themselves against phishing by disabling HTML emails to text only and encrypting all sensitive company information. Overall, in these times, it is important to implement a “Zero-Trust Framework” in organizations and proactively monitor and neutralize threat vectors through use of AI-based tools and algorithms.”
The need of the hour is also a Crisis Response Incident Plan that clearly lists down the strategy to be adopted in the event there is a cybersecurity incident, as Bhushan explains, “This strategy should be detailed and clearly chalk out the responsibilities of employees, communication channels and disclosure requirements to be adopted in the event there is a cybersecurity incident. It is important to have mock drills to ensure the effective implementation of the Crisis Response Incident Plan.”
Finally, collective effort plays a vital role in mitigating attacks, as Singh believes that data access and protection are no longer just an IT or cybersecurity problem. “It is a core business issue that every CXO – and not just the CIO and CISO – should embrace to protect their company, their assets, and their customers.”
With phishing and other threat activities are expected to rise steadily in the coming months, organizations stay vigilant in identifying and mitigating threats posed to them. It is critical therefore that every organization builds a robust cyber-security framework preemptively, to avoid becoming the target of cyber attacks in the first place.