[BreachExchange] How 21st century security teams can stop phishing schemes from stealing enterprise data

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 18 20:40:21 EDT 2018


https://www.itproportal.com/features/how-21st-century-security-teams-can-stop-phishing-schemes-from-stealing-enterprise-data/

Letter scams have been around for hundreds of years, but people are still
falling for them in 2018.

Take the Nigerian prince phishing scam. Users receive an email from a
‘Nigerian prince’ in need of immediate financial assistance with the
promise of a handsome monetary reward at the end. All users have to do is
wire this prince money directly into his account or send him their bank
account information.

Of course, there is no Nigerian prince and it’s hard to believe anyone
still falls for the ridiculous scam considering it’s been around since the
French Revolution. In fact, the Nigerian email scam is simply the digital
reinvention of the Spanish Prisoner scam, which dominated the days of snail
mail during the Spanish-American War. Nevertheless, phishing scams continue
to drain thousands of dollars out of people's bank accounts, fetching
thieves millions every year.

Today, hackers have adopted phishing to reel in even bigger catches,
targeting accounts payable teams at Fortune 500 companies to initiate
fraudulent wire transfers and swipe employee credentials. Employees are
presented with seemingly legitimate web pages where they are asked to enter
their user credentials, immediately granting hackers access to entire
servers. Unlike a brute-force attack or a distributed denial-of-service
attack, which can only be weathered, phishing scams are largely avoidable
because employees can be taught to recognize bogus emails before sharing
sensitive information.

If the Nigerian prince email is any indication, phishing schemes are never
going to disappear from the internet. With data leaks top of mind,
corporate security teams need to get a step ahead of email scams and ensure
employee mishaps are not the cause of tomorrow’s latest security breach.

Gone phishing: how employee behaviors are contributing to hackers' success rates

All it takes is one employee to take the phishing bait for sensitive
business information to fall into the hands of thieves.

With a business email compromise (BEC) scheme, hackers impersonate a
trusted entity to convince unsuspecting employees to hand over the keys to
the business. Hackers pretending to be an accounting executive might ask
employees to verify their personal information in an email or convince
users to download infected payroll documents to their computer.

While no one wants to admit being the victim of a phishing scheme, a 2016
Verizon study found 30 percent of all phishing emails are opened, so it’s
no wonder phishing remains a popular tool in a hacker’s repertoire. When an
employee falls for a phishing scheme, one of two things can happen:

1. Personal information is handed over to hackers

Hackers pretending to be trusted individuals trick users into revealing
sensitive data, such as payroll information, social security numbers and
employee login credentials. In Kansas, for example, university employees
fell victim to a phishing scheme asking them to re-submit their direct
deposit account numbers. The attackers were then able to access the
victims’ bank accounts directly after the employees gave away their login
credentials.

2. Malware is downloaded and infects the victim’s computer

Instead of sending a webpage link, some hackers ask targets to download a
file attached to the email. The seemingly innocuous zip files and Microsoft
Word documents are actually embedded with malicious code, releasing a virus
onto the victim’s computer. If an attachment contains ransomware, for
example, hackers can lock employees out of their workspace and threaten to
publish any files found on the desktop unless the employer pays the ransom.

Simply sending reminders to not click on suspicious emails is not enough to
deter employees from opening phishing scams. Hackers are growing
increasingly sophisticated, making it harder for employees to distinguish
between what is real and what isn’t. To stop employees from falling for
dangerous phishing schemes, organizations will need to better educate teams
about email security and implement technical controls to reduce the
possibility of a successful phishing attempt.

Combining education and technical controls to mitigate phishing-based leaks

While security teams can't control hacker activity, they can take steps to
keep spam emails from landing in inboxes and teach employees not to open
suspicious emails when they do.

Educating teams to recognize and report phishing schemes is the first step
in combating spam emails. Instead of blaming untrained workers for
accidentally clicking malicious links, businesses should help employees
build better emailing habits by:

1. Showing them real phishing examples

From minor spelling errors to shortened URLs, there are several red flags
employees can watch for to determine the validity of an email. Security
teams can familiarize employees with phishing schemes by showing them past
email scams and helping them identify what is legitimate and what is not.

2. Testing their ability to identify and report scams

After employees learn the ins and outs of phishing, organizations should
regularly test their team’s ability to respond to email scams.
Administrators can send fake phishing emails and monitor who is reporting
them appropriately and who needs additional email training.
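As an added example (not from the article), a small Python checker that applies the red flags discussed above, misspelled lookalike domains, shortened URLs and a sender/Reply-To mismatch, to a raw email so a security team can triage reported messages; the trusted domains, shortener list and sample message are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed for this example (assumption): domains the organisation really
# uses, and well-known URL-shortener hosts that hide a link's destination.
TRUSTED_DOMAINS = {"example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def edit_distance(a, b):
    """Levenshtein distance; catches minor misspellings such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host):
    """True if host is within two edits of a trusted domain without being one."""
    host = host.lower()
    return host not in TRUSTED_DOMAINS and any(
        edit_distance(host, d) <= 2 for d in TRUSTED_DOMAINS)

def red_flags(raw_message):
    """Return the red flags found in one raw RFC 822 message (headers + body)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # Display name borrows a trusted brand while the real address is elsewhere.
    if sender_host not in TRUSTED_DOMAINS and any(
            d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS):
        flags.append("display name imitates a trusted domain")
    if is_lookalike(sender_host):
        flags.append("sender domain is a lookalike of a trusted domain")
    # Reply-To quietly redirects any answer to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        flags.append("reply-to differs from sender")
    # Links in the body: shorteners hide the destination, lookalikes imitate it.
    for host in re.findall(r"https?://([^/\s<>\"']+)", msg.get_payload()):
        if host.lower() in SHORTENER_HOSTS:
            flags.append("shortened URL: " + host.lower())
        elif is_lookalike(host):
            flags.append("lookalike link host: " + host.lower())
    return flags

# Constructed sample resembling the direct-deposit lure described above.
SAMPLE = ("From: Example Payroll <payroll@examp1e.com>\n"
          "Reply-To: finance-update@mailbox.invalid\n\n"
          "Confirm your account at https://bit.ly/xyz or https://examp1e.com/login\n")
```

Running `red_flags(SAMPLE)` reports all five red flags in the sample, while a message from a trusted domain linking only to that domain reports none.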

In addition to building employee awareness, organizations should adopt a
layered security approach to reduce the risk of phishing-based data leaks
and loss. Proactive measures, like routinely updating software programs and
requiring employees to use an authorized VPN to access servers, can help
network IT teams monitor company-wide security. Businesses can also:

- Enforce stronger user credentials that require more than a username and
password, such as implementing two-factor or biometric authentication
- Set up advanced spam filters to actively stop phishing emails from
breaching security perimeters and reaching their intended target
- Develop a security breach response plan in the case an employee
accidentally opens a fraudulent email to mitigate damage

Phishing schemes are one of the most popular tricks a hacker can use
because they work, but enterprises can teach their employees how to avoid
falling for fraudulent emails. Proper education, technical controls and an
overall awareness of the types of scams hackers employ go a long way in
helping enterprises avoid becoming a victim of phishing-based data leaks.