Is it safer to be untrusting?
The number of scam and phishing emails my personal account receives is shocking; I would estimate it at around 50–60 a day. Most of these are, of course, substandard and obviously phishing, and I would like to think they would never be successful. They range from ‘Girls in my area want to meet me’ to ‘My Bank of America account online login needs resetting’; having never had a BoA account, I didn’t fall for this one. These are very obviously fake. Occasionally, however, I do get one that looks legitimate. Having assisted numerous companies with breaches and account compromise situations, I tend to err on the side of caution anyway, and always do some inspecting before I am happy.
Fraudsters are now starting to think a little smarter, realising that Joe Public is more likely to use Amazon or Apple, and I am now being sent ‘Order Updates’. I suspect these are more successful and return better results for them. When you look at the sender address, the clickable links and the wording of the text they are still easily detectable, but they are getting better.
It is my opinion that it is now safer to be untrusting and to query most incoming communication in the first instance, especially if it is out of the blue and wrapped in urgency. In the news recently there have been a few high-profile stories of organisations and people being tricked into paying fake invoices, making urgent bank transfers or handing over bank details for refunds or authentication (I have linked a few at the bottom).
With the amount of information individuals and organisations are putting online, it is not hard for fraudsters to put together a convincing campaign. Richard De Vere of The Antisocial Engineer explains in a comment provided for this post:
‘Social engineering attacks can really stand in a unique category of scams. Amongst spam emails that are easy to identify as fraudulent you will find especially well-crafted and researched attempts that will make even the most battle-hardened CISO shudder in fear.
The importance should always be on detection, technical prevention and education. In this trio we find a greater defence.’
De Vere also mentions that some of the best defences to phishing are also free: solutions such as DKIM, SPF and DMARC.
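The free controls De Vere names are published as DNS TXT records, and the cheapest first check is whether your own domain's records are actually strict rather than monitor-only. The following is an added example, not the post's or De Vere's code: it evaluates SPF and DMARC record strings (as returned by a TXT lookup) against constructed sample records, so it runs offline.

```python
# Added example: flag weak SPF/DMARC settings in record strings obtained
# from a TXT lookup (e.g. `dig TXT _dmarc.example.com`). The sample
# records at the bottom are constructed, not any real domain's records.

def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty list = strict)."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy only applied to {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings

def check_spf(record: str) -> list:
    """Return weaknesses in an SPF record: a permissive final 'all' term."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a valid SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"{last}: receivers will not reject spoofed mail")
    elif last == "~all":
        findings.append("~all: softfail only; use -all once all senders are listed")
    return findings

# Constructed sample records for illustration
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
```

A record that passes both checks still only protects your own domain from being spoofed; it does nothing against look-alike domains, which is why the education De Vere mentions remains necessary.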
With this being the case, it is fairly obvious that everyone should be more cautious when receiving emails that ask for an immediate transfer for an overdue invoice, notify a change of bank details, or say a package for delivery has been delayed. This is usually seen as a culture change requirement, with education seen as the best line of defence in this instance.
Organisations need to ensure staff are being trained properly. It is estimated that 80% of staff receive no training in cyber security. This has led to more than £34m lost from April to September in 2018 alone. The average data breach in the UK costs £2.99m according to the annual Cost of a Data Breach report conducted by the Ponemon Institute and sponsored by IBM Security.
In an ideal world, every organisation would have a formal way to train staff and would annually review its policies, procedures and incident response plans. All this would sit alongside regular security assessments, whether penetration testing or professional phishing awareness campaigns, that provide valuable and usable outputs.
If you don’t have the scope, buy-in or budget for this, that is completely understandable. But the first stage should be to understand the risks and your capabilities, and act accordingly.