Skip to main content

SC Magazine: How organisations can thrive in the time of phishing attacks

Phishing, smishing and other types of malware are not going anywhere and the risks are only going to rise as mobile becomes a primary device for employees. Companies need to get ahead of the issue rather than responding. There will be over 22.5 billion IoT devices by 2021, up from 6.6 billion in 2016 according to BI Intelligence’s The Internet of Things Report.

For many businesses, the proliferation of mobile and connected devices is transforming how teams interact and work together, making business processes efficient. However, for IT teams this development brings many complexities around security and managing these devices as businesses are dealing with more malware threats than ever before. Based on research from PhishingLabs, financial services is the number one industry that receives most attacks, which makes sense if you think about what is at risk. While the overall phishing attack
volume grew 41 percent between the first and second quarters of this year, the financial industry was the largest target, making up 33 percent of all phishing threats between April and June of 2017. However, by the end of 2017 cloud storage services are expected to take financial services place become the number one targeted sector for Phishing attacks.

A move away from email Phishing to mobile
No one can deny that we use our mobile device very differently from any other type of technology. Mobile phones feel more personal in nature than computers or even tablets do, whether they are personal or corporate owned. As a result, phones are better trusted, which makes them a natural breeding ground for phishing attacks. Additionally, alongside the changes in how people use their devices, mobile web traffic has increased in volume in comparison to web traffic to desktops. It is not surprising that mobile phishing attacks are
the biggest security risk to organisations going into 2018. As indicated by a report from Wandera, 85 percent of organisations have suffered phishing attacks, whether they were aware of it or not, with increased mobile access to social media accounts being one of the major factors.

Organisations have been caught somewhat blind due to the focus on preventing traditional computer email phishing, and are leaving their company open to mobile phishing, which is often much harder to detect. Another stat by Wandera has 81 percent of phishing attacks that occur on a mobile taking place outside of email. While email phishing attacks are still very common, it is not the primary phishing technique used for mobile. In early November, there was an attack campaign targeting Android users in Austria using three different techniques: a web page, app overlay and credit card phishing screen. As well as social media, gaming, direct text messages and missed call scams are also prevalent and growing. Research from Proofpoint has shown over a 500 percent increase in social media phishing attacks in 2016, but the majority (more than 25 percent) still stem from gaming domains.

Prevention is better than cure: getting ahead of the phishers
Phishing, smishing and other types of malware are not going anywhere and the risks are only going to rise as mobile becomes a primary device for employees. Therefore, companies need to get ahead of the issue rather than responding to the threat once it is inside their network. To avoid these types of attacks, the first step IT teams need to take is to identify the types of threats they could be faced with. This is a difficult exercise as scammers are constantly changing their approaches to reduce the chance of detection. Providing up to date training, not only for security teams but also for the broader workforce on the latest phishing techniques is the best way for
preventing an infection, once the threats are known. Although no one can prevent the attacks, all organisations can put training in place to prevent a successful breach. For example, end-users should only access accounts directly from the source site and never from a text message, whether that message looks legitimate or not. Accounts should also be checked on a regular basis. Stagnant accounts are a key tool for phishing legitimacy. If you or your end-users are not keeping accounts up to date, there is a good chance someone else is using them to reach out to your company’s contact list.

It is important that any training also provides an easy feedback loop. By training employees in what to look out for, they can also become your first line of defence by reporting on any suspicious emails, texts, links and contacts. One of the key identifiers is still the generic introduction: “Dear Customer.” Train your employees to report back on these communications and you will be well on your way to preventing an attack.

Contributed by Craig Riegelhaupt, director, mobile solutions at Tangoe

Article appeared here.