Phishing attacks are one of the biggest threats to both individual and organisational privacy and security. The UK Government's 2019 Cyber Security Breaches Survey notes that, of the businesses that identified a breach or attack, 80% reported phishing attacks, making phishing the most common attack type. User training is often a key component of reducing the effectiveness of such attacks. There is also evidence that focusing on the user's role, and the often unintentional creation of a blame culture through sanctions, can do more harm than good to organisations.
The UK National Cyber Security Centre (NCSC) has published phishing guidance that recommends a layered defence to improve an organisation's resilience against phishing attacks.
What is phishing?
Phishing is a practice by which an attacker tries to gain access to information or systems by sending an individual a communication (e.g. email, SMS or instant message) designed to induce them to take an action that compromises their security: typically clicking a link, opening an attachment or entering credentials into a fake login page.
Why is phishing hard to spot?
Phishing attacks can be hard to spot because the attacker is often masquerading as an individual or organisation that the recipient should trust. This can be achieved in several ways: for example, an attacker may spoof the sender's email address or register a domain name that closely resembles the organisation's. Phishing attacks are a type of social engineering attack and will often use carefully constructed language to convince the recipient of the veracity of the message and the trustworthiness of the sender. As the Cyber Security Breaches Survey shows, with phishing reported by 80% of businesses that identified a breach or attack, it is a highly effective means of breaching the security of an organisation.
What are the different types of phishing?
Not all phishing attacks are equal. Some are sent specifically to target certain individuals; others are sent to a wide audience in the hope that anyone takes the bait. The following are common types of phishing attack:
- Email Phishing – usually involves messages sent to many people with the aim of encouraging recipients to click on a link;
- Spear Phishing – this is when a message is sent to a specific individual, usually based on their role, with the intent of leveraging that individual's abilities or access to information. Useful details can often be found on the organisation's website or an individual's LinkedIn profile;
- Whaling – a whaling attack is a form of spear phishing focusing on high-level senior executives such as CEOs, CFOs and COOs. These are highly targeted attacks looking to leverage the executive's authority and access within an organisation. They are often more successful than you might expect, as senior executives often don't follow the organisational procedures expected of operational staff;
- Smishing and Vishing – smishing refers to using SMS messaging as the delivery method for the phishing attack. It is often successful because the trustworthiness of an SMS sender is notoriously hard to judge: banks, for example, send from many different numbers, so customers cannot rely on recognising a known sender. Vishing is when an attacker uses voice calls (e.g. telephone) to execute a phishing attack. Automated calling and caller-ID spoofing are common techniques used with this tactic.
How can you protect your organisation against phishing attacks?
It is unlikely that you will be able to successfully defend against all phishing attacks. Organisations should put in place a multi-layered approach to protect and defend against attacks, and respond robustly should defences be breached. The following are some measures to consider:
Consider the human factor
Help staff avoid situations in which they could be manoeuvred into compromising security. Consider preparing a policy governing the information that the company makes public about its staff: attackers use information such as org charts on corporate websites and posts on social media to build a profile of individuals who could be targeted. Help your staff understand the value of such information to an attacker and how it can be used to compromise security. Provide periodic awareness training on phishing techniques so that staff have a current understanding of evolving threats. Trilateral offers bespoke training sessions to raise employee awareness and foster a culture of data protection in your organisation.
Be mindful that relying on staff alone to stop every phishing attack will not work. Creating a culture of blame is counter-productive and does not improve protection. Build verification checks into standard procedures (for example, confirming requests to change payment details or share credentials through a second, known channel) and have senior management communicate the importance of such measures by visibly complying with them themselves.
Implement Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC is an email authentication protocol that lets a domain owner publish, in DNS, a policy telling receiving mail servers how to treat messages that claim to come from the domain but fail authentication. This protects the domain from being spoofed in phishing emails sent to customers, partners and the organisation's own staff. DMARC builds on two other protocols that should be configured alongside it as part of a multi-layered defence: Sender Policy Framework (SPF), which lists the servers permitted to send mail for the domain, and DomainKeys Identified Mail (DKIM), which cryptographically signs outgoing messages. DMARC requires that whichever of these passes is aligned with the domain shown in the message's From header, and its reporting feature tells the domain owner who is sending mail in the domain's name. The IT department can configure the organisation's domain to use these protocols. Trilateral's gap analysis and audit and assessment services can identify security gaps and advise on best practices for securing your organisation's domain.
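To make the three mechanisms concrete, the following added example (written for this article; it is not the NCSC's guidance or Trilateral's own tooling) parses constructed DMARC and SPF records, flags the weak settings a gap analysis would look for (a monitoring-only p=none policy, a pct below 100, a missing rua reporting address, an SPF record that ends in +all), and applies the DMARC alignment rule to two constructed messages: one sent legitimately from a subdomain, and one where a spoofer's own domain passes SPF but is not aligned with the From header. The organisational-domain check is simplified to the last two DNS labels as an assumption; real receivers consult the Public Suffix List.

```python
"""Added example: assess DMARC/SPF records and apply DMARC alignment.

All records and message identifiers below are constructed for illustration;
nothing is looked up in DNS.
"""


def parse_tags(record):
    """Split a 'tag=value; tag=value' DNS TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (policy, findings); each finding describes a weakness in the record."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("v= tag is not DMARC1; receivers will ignore the record")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as you")
    return policy, findings


def assess_spf(record):
    """Return the qualifier of the 'all' mechanism ('-' fail, '~' softfail, '+' pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qualifier
    return None  # no 'all' term: unlisted senders get an implicit neutral result


def organisational_domain(domain):
    # Assumption/simplification: the last two labels stand in for a PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') same org."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organisational_domain(header_from) == organisational_domain(auth_domain)


def dmarc_disposition(dmarc_record, header_from, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Decide what a receiver does with a message under the sender's DMARC policy.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated against;
    dkim_domain is the d= value of a verified DKIM signature, or None if unsigned.
    """
    tags = parse_tags(dmarc_record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim_domain) and dkim_pass and aligned(
        header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # failing mail receives the published policy


if __name__ == "__main__":
    weak = "v=DMARC1; p=none"
    strong = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(assess_dmarc(weak))
    print(assess_dmarc(strong))
    # Spoofer: their own domain passes SPF, but it is not aligned with From.
    print(dmarc_disposition(strong, "example.com", "attacker.example", True, None, False))
```

Note that the spoofed message in the last line passes SPF for the attacker's own envelope domain; it is the alignment requirement, not SPF on its own, that causes the rejection, which is why the guidance recommends all three protocols together rather than SPF alone.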
Protect your organisation’s devices and IT assets
Ensure that up-to-date device protection (endpoint protection with current signatures, and patched operating systems and browsers) is installed on organisational assets (desktops, laptops and mobile devices) to limit what a phishing link or attachment can do. Additionally, protections can be configured at the organisational level, for example at the email gateway and web proxy, to catch phishing attempts before they reach the user. Configure secure methods of authentication such as Multi-Factor Authentication (MFA), which limits the damage when a password is phished, and ensure that there are appropriate password policies in place. Basic security measures implemented correctly can be very effective. Trilateral offers vulnerability scanning and penetration testing services to identify weaknesses in networks and applications and mitigate your organisation's risk if you are targeted by malicious actors.
Have an effective response plan
Having an effective response plan in place will ensure that your organisation can move quickly to react to an attack in progress or one that has already breached its security measures. Key to a successful response plan is a defined, well-publicised process for staff to report suspected phishing, including messages they have already clicked on, so that reports arrive early rather than being hidden. Consideration should also be given to providing guidance for situations where the usual methods of communication (for example corporate email) may themselves be compromised. Effective systems logging and analytics can also provide an early indication of compromise, alerting the organisation to the need to initiate a response. Trilateral's compliance support service can help your organisation develop secure processes and procedures, as well as an effective response plan in the event of a cybersecurity breach.
In this article, we've covered some of the primary considerations for protecting against phishing attacks. More detailed guidance is available from the UK NCSC. For more information about how Trilateral can enhance data governance in your organisation, please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.