Story image

Phishing emails only going to get smarter, warns security firm

09 Jan 2019

Email security threats are both cheap and easy for cyber attackers to conduct, so it’s little wonder that a new study from Barracuda Networks has found that 87% of companies have faced those threats in the past year.

The study, conducted with 634 executives, individual contributors and team managers across Asia Pacific, Europe, and the Americas, found that one click is all it takes to bring trouble.

Phishing emails typically mimic the look and feel of an email written by someone in authority, such as a bank, or even a colleague.  The emails create a sense of urgency, so recipients think they don’t have much time to respond.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee's email address,” the company explains.

“Phishing is one the cheapest and easiest strategy used by hackers to target companies as it takes advantage of the weakest link in an organisation’s security chain, its employees,” adds Barracuda vice president of APAC sales, James Forbes-May.

Some emails are highly targeted, but generic ones containing words like ‘invoice’ can also catch people out. ‘Invoice’ appeared in six of the 10 most effective phishing campaigns in 2018.

“Most malicious emails attempted to steal login and system information from users in order to take over their account to launch attacks to a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company’s data.”

Those links can also look genuine. They can be spoofed sites that request login credentials, or they could initiate malware downloads. Information stealers, backdoors, and ransomware are common forms of malware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they’d experienced such an attack.

Barracuda warns that phishing attacks are becoming more difficult to spot. Criminals may also switch to AI technologies to make their emails look more genuine.

“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.

He says that multi-factor authentication is an effective way to prevent attackers accessing accounts with only passwords as security credentials. He also believes training sessions are necessary.

Barracuda states that companies should run phishing tests in short sessions using real-world scenarios and collect feedback on each user. 

They should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. All level of employees including part timers and interns must undergo training as all it takes is one click to cause great damage. It doesn’t matter who clicks on that phishing link, it will be equally damaging.  

“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.

Your reputation, company data and the potential loss of money is at constant risk and must be safeguarded,” adds Forbes-May.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

•    Don’t click on attachments or URLs from unknown sources. Sometimes even sources that you think are safe—could have been compromised or impersonated by criminals. Call them if you feel the email is suspicious

•    Never share or reveal your password or login to an unidentified site you accessed via an email link. Always go to the site directly via your browser

•    Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if something sounds too good to be true—it probably is.

“Email threats will continue to be a large problem for companies and unless they employ multi layered approaches and train their employees, they are at risk of being held for ransom by hackers,” concludes Forbes-May.

Chch crypto exchange Cryptopia facing liquidation
It seems that Christchurch-based cryptocurrency exchange Cryptopia has been unable to recover after malicious cyber attackers stole around $20 million worth of cryptocurrency.
Adobe & Amazon: Making merchants' stores a lot more powerful
Magento Commerce branded stores for Amazon sellers features native integration with Amazon merchant tools including Amazon Pay and Fulfillment by Amazon. These provide the convenience of secure payments and speedy shipping services for buyers.
Four NZ projects shortlisted in IDC's APAC Smart Cities Awards
The annual awards highlight and acknowledge outstanding smart city initiatives in the Asia Pacific region and this year attracted over 180 entries.
How Chorus aims to reshape service company maintenance contracts
“These contracts are the first step in moving Chorus beyond the major UFB network build."
Mind Lab at MOTAT hosting event to promote young women in tech
Gender diversity in the tech industry is a hot topic around the world, but it’s one that New Zealand is looking to tackle head on.
SOLD: Infratil & partner snap up Vodafone NZ
Brookfield Asset Management and Infratil will hand over NZ$3.4 billion to acquire Vodafone New Zealand.
Noise pollution is the new second-hand smoke
ow loud is our phone call? Can you hear your co-worker’s music through their headphones? Do you need to have that meeting in a public area of the office?
Infratil throws its hat into the buyer's market for Vodafone NZ
Vodafone has been through a turbulent time lately, after the threat of staff redundancies, constant fines from the Commerce Commission, and the addition of Vodafone CEO Jason Paris late last year.