<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.itproportal.com/features/reducing-the-risk-of-targeted-phishing-attacks/">https://www.itproportal.com/features/reducing-the-risk-of-targeted-phishing-attacks/</a></div><div dir="ltr"><br></div><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">It’s no secret that email inboxes are under siege. According to the 2018 Verizon Data Breach Report, phishing attacks are at the heart of 93 per cent of data breaches. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise (BEC) and phishing drive 48 per cent of ALL internet crime-driven loss — more than all other business-related internet crime combined. And with $12B lost globally, it’s proving extremely effective.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">While these facts indicate that defending against phishing attacks needs to be a priority for all organisations, many businesses underestimate their risk level. In fact, in a recent survey by EdgeWave, we asked IT pros how confident they were that their existing email gateways would protect them against advanced, targeted email attacks. The result? 80 per cent said they were confident or very confident in gateways blocking these threats.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Unfortunately, that mindset is creating more risk for all businesses. Email gateways are decades-old technology designed to stop high-volume spam and phishing campaigns, not targeted attacks like BEC. As long as businesses keep telling themselves their security is “good enough”, they’ll be open to socially engineered attacks.</p>
<h3 id="gmail-is-security-awareness-training-the-answer" style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:30px;font-family:'Open Sans',Arial,sans-serif;font-size:24px;vertical-align:baseline;width:602px;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;color:rgb(51,51,51)">Is security awareness training the answer?</h3>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Phishing preys on a combination of human psychology and technological vulnerabilities. Cybercriminals realise it’s easier to fool a distracted worker in an email environment than to hack a server or attack a domain head-on. Today’s workforce is used to working at warp speed and not paying much attention to email addresses or the “from” field. They are also used to being asked for Personally Identifiable Information (PII) and may not think twice about responding to a personal request. Over 1.5 million “spoof” web sites are now created every month to fool unsuspecting users.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Over the past several years, many organisations have turned to Security Awareness Education to help users become more aware of these cyber threat tactics and become an active part of their defence posture. This training includes lessons on what to look for, and simulated phishing attacks to assess the “readiness” of users. However, many firms are now realising that the benefits of this training are fleeting. Despite training, users are still reporting only 17 per cent of phishing attacks (based on Verizon’s Data Breach Report 2018). What’s more, training is expensive and never-ending. As new users come on board, training begins anew.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Security Awareness Training is a good step towards creating awareness of the problem, but it is not the silver bullet everyone thought it could be. If you think about it, you are asking everyday users to become experts at recognising cyberattacks. IT pros themselves have stated they don’t trust users to do this. So why give users that responsibility?</p>
<h3 id="gmail-so-what-can-you-do-to-stop-phishing" style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:30px;font-family:'Open Sans',Arial,sans-serif;font-size:24px;vertical-align:baseline;width:602px;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;color:rgb(51,51,51)">So what can you do to stop phishing?</h3>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Organisations don’t need large budgets to defend effectively against phishing attacks. However, they need to change their mindset and recognise that it’s no longer a question of if you will be attacked, but when.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">A good starting point is 1) understanding the threat landscape, 2) knowing where your sensitive data resides and 3) identifying what could most likely cause your business harm. Most successful phishing campaigns tend to be very targeted (Spear Phishing and BEC), going after specific job functions in the organisation that have access to or manage critical data and finances – C-level, HR, IT, Accounting and Finance. This is where cybercriminals pull emotional levers like trust and fear to get employees to take the bait. Focus on securing those areas of the business as an initial priority, but don’t stop there. Successful anti-phishing programs need to touch all employees.</p>
<h3 id="gmail-start-by-understanding-the-nature-of-phishing-emails" style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:30px;font-family:'Open Sans',Arial,sans-serif;font-size:24px;vertical-align:baseline;width:602px;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;color:rgb(51,51,51)">Start by understanding the nature of phishing emails</h3>
<ul style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;list-style:none;color:rgb(51,51,51)">
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Always be on guard. While obvious issues like grammatical errors and spelling mistakes still exist, modern phishing emails look very legitimate. Treat anything from the internet as suspicious.</li>
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Be cautious of individuals or organisations that ask for personal information or the transfer of funds. Don’t click on any links -- verify directly with the company itself to avoid any potential issues.</li>
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Take a close look at the sender’s email address (not the display name – this can be easily spoofed) when checking the legitimacy of an email. Would your CEO truly send you an email from their “personal” account asking you to transfer money?</li>
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Don’t be frightened or intimidated by messages that have an alarmist or urgent tone. Contact the company or individual directly if you are uncertain about the status of your accounts or the request.</li>
</ul>
<h3 id="gmail-build-a-cyber-aware-corporate-culture-xa0" style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:30px;font-family:'Open Sans',Arial,sans-serif;font-size:24px;vertical-align:baseline;width:602px;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;color:rgb(51,51,51)">Build a cyber-aware corporate culture</h3>
<ul style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;list-style:none;color:rgb(51,51,51)">
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Make cybersecurity a priority for all employees, not just the IT team, and provide a written cybersecurity policy that all employees must read and acknowledge.</li>
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">If your business works with third parties and systems are integrated (e.g. retail POS), make it a policy to ensure their applications are secure – ask them about their security policies before deploying.</li>
<li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:1.5;font-family:inherit;vertical-align:baseline;list-style:disc inside none">Set formal, explicit security policies to stop BEC or CEO Fraud. For example, all wire transfers or movements of company funds require verbal and written approval.</li>
</ul>
<h3 id="gmail-deploy-relevant-technologies-and-tools" style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:30px;font-family:'Open Sans',Arial,sans-serif;font-size:24px;vertical-align:baseline;width:602px;background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;color:rgb(51,51,51)">Deploy relevant technologies and tools</h3>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Deploy a multi-layered email security posture including an email gateway, anti-phishing post-delivery detection and incident response technologies. Adding post-delivery detection and incident response solutions to your existing email gateway not only greatly reduces your risk but also dramatically reduces dwell time for threats that get into inboxes. The faster these threats can be deleted across the organisation, the less costly the attack. Our company, EdgeWave, currently offers all these solutions in one modern email security platform.</p>
<p style="margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.5;font-family:'Open Sans',Arial,sans-serif;font-size:16px;vertical-align:baseline;width:602px;color:rgb(51,51,51)">Because phishing criminals continue to innovate, you need to enhance your security approach as well to stay ahead of these attacks. Although there is no silver bullet, a combination of employee education to increase awareness, formal cybersecurity policies, and specific anti-phishing technologies can drastically reduce the risk of successful phishing attacks.</p>
</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
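For the advice above to read the sender's actual address rather than the display name, here is an added example that is not part of the article or of any EdgeWave product: a header check a mail team could run over messages employees report, flagging the tells the bullets describe (a known name on a foreign mailbox, an address hidden in the display name, and a Reply-To pointing elsewhere). The executive directory, domains and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people a BEC lure would impersonate (assumption, not from the article).
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message):
    """Return findings explaining why the visible sender of a raw RFC 5322 message
    should not be taken at face value; an empty list means From and Reply-To are
    consistent with the directory above."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []

    # 1. The display name belongs to a known executive but the mailbox is not theirs
    #    (the "personal account" variant: the name matches, the address does not).
    expected = EXECUTIVES.get(" ".join(display.lower().split()))
    if expected and addr != expected:
        findings.append(f"display name '{display}' impersonates {expected} (actual {addr})")

    # 2. The display name is itself an address, so a narrow mail client shows a
    #    trustworthy-looking address while the real mailbox sits out of view.
    _, embedded = parseaddr(display)
    if "@" in embedded and _domain(embedded) != _domain(addr):
        findings.append(f"display name shows {embedded} but mail comes from {addr}")

    # 3. Replies would be routed to a domain other than the one the sender shows.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to} is outside the sender domain {_domain(addr)}")
    return findings

# Constructed sample messages: a BEC-style lure and a genuine internal mail.
SPOOFED = """From: Jane Doe <jane.doe@gmail-lookalike.test>
Reply-To: ceo.private@mailbox.test
Subject: Urgent wire transfer

Are you at your desk? I need a payment sent before 3pm.
"""
LEGIT = """From: Jane Doe <Jane.Doe@example.com>
Subject: Q3 budget

Attached as discussed.
"""
```

Running `check_sender` over the two samples yields two findings for the lure and none for the genuine mail; in practice the directory would be fed from the HR or identity system rather than hard-coded.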