Phishing emails only going to get smarter, warns security firm

09 Jan 2019

Email security threats are both cheap and easy for cyber attackers to conduct, so it’s little wonder that a new study from Barracuda Networks has found that 87% of companies have faced those threats in the past year.

The study, conducted with 634 executives, individual contributors and team managers across Asia Pacific, Europe, and the Americas, found that one click is all it takes to bring trouble.

Phishing emails typically mimic the look and feel of an email written by someone in authority, such as a bank, or even a colleague. The emails create a sense of urgency, so recipients think they don’t have much time to respond.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee's email address,” the company explains.

“Phishing is one of the cheapest and easiest strategies used by hackers to target companies as it takes advantage of the weakest link in an organisation’s security chain, its employees,” adds Barracuda vice president of APAC sales, James Forbes-May.

Some emails are highly targeted, but generic ones containing words like ‘invoice’ can also catch people out. ‘Invoice’ appeared in six of the 10 most effective phishing campaigns in 2018.

“Most malicious emails attempted to steal login and system information from users in order to take over their account to launch attacks to a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company’s data.”

Those links can also look genuine. They can be spoofed sites that request login credentials, or they could initiate malware downloads. Information stealers, backdoors, and ransomware are common forms of malware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they’d experienced such an attack.

Barracuda warns that phishing attacks are becoming more difficult to spot. Criminals may also switch to AI technologies to make their emails look more genuine.

“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.

He says that multi-factor authentication is an effective way to prevent attackers accessing accounts with only passwords as security credentials. He also believes training sessions are necessary.

Barracuda states that companies should run phishing tests in short sessions using real-world scenarios and collect feedback on each user. 

Users should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. All levels of employees, including part-timers and interns, must undergo training, as all it takes is one click to cause great damage. It doesn’t matter who clicks on that phishing link; it will be equally damaging.

“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.

“Your reputation, company data and the potential loss of money are at constant risk and must be safeguarded,” adds Forbes-May.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

•    Don’t click on attachments or URLs from unknown sources. Sometimes even sources that you think are safe could have been compromised or impersonated by criminals. Call them if you feel the email is suspicious.

•    Never share or reveal your password or login to an unidentified site you accessed via an email link. Always go to the site directly via your browser.

•    Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if something sounds too good to be true—it probably is.

“Email threats will continue to be a large problem for companies and unless they employ multi-layered approaches and train their employees, they are at risk of being held for ransom by hackers,” concludes Forbes-May.