The Rise of Phishing and the Procedures Involved in Safeguarding Your Company
by Mashum Mollah Business Security Systems 20 November 2017
Hackers and cyber thieves can siphon valuable information from enterprises in a variety of ways. Obtaining the information needed to enter a system and compromise its data has become a major contributor to big data fraud. One of the most common ways cyber thieves get their hands on personal data is through phishing scams. Phishing attacks are carried out against both big and small enterprises around the world. The increase in these attacks poses a growing problem that needs to be examined in further detail in order to prepare companies for the threat that phishing presents.
It is essential to have the right technology in place for detecting threats and unusual activity. The data that is collected from everyday activities and processes can play a big role in preventing fraud by creating a baseline to measure all activity against. A system that uses big data for security information and event management has a good chance of catching any threat before it is able to breach a system.
The Three Common Phishing Tactics All Enterprises Need to Prepare For
Link embedding is the most common form of phishing. Hackers send what look like legitimate emails to their victims. The emails may be disguised as security warnings that ask recipients to change their passwords or supply account information. The links can also be dressed up as news articles, event invites, charity appeals or shopping deals. However, the links actually lead to harmful malware that enables a hacker to worm their way into a system once a link is clicked.
DNS cache poisoning is another prevalent form of phishing that is catching enterprises by surprise. This form of attack is also commonly referred to as DNS spoofing. By exploiting vulnerabilities in the domain name system (DNS), internet traffic is diverted away from legitimate servers and steered toward phony ones. These phony landing sites can host malware and phishing pages. The truly troubling thing about this type of attack is that it can spread: if a single employee has a compromised computer or network connection, they can eventually compromise an entire network.
Business email compromise (BEC) is another threat that no enterprise can afford to ignore. In fact, the FBI credits this form of attack with billions of dollars in losses around the world. While this form of scam relies on the timeless art of deception, it is executed in a way that demonstrates an unprecedented level of sophistication. The transnational organizations that perpetrate this type of crime are usually made up of hackers, lawyers, linguists, and savvy social engineers. What does BEC usually look like? Hackers hijack the email identities of high-level employees or CEOs by setting up mirrored accounts that appear to be legitimate. They then send emails to employees with financial control requesting large wire transfers. They set things up so that it looks as though the transfer is going to a trusted vendor or client. However, that money actually goes to an account controlled by the criminal enterprise responsible for the attack. The criminal enterprises behind these attacks will often spend weeks or months studying the inner workings of an enterprise to learn about its billing systems, its chain of command, and its vendors.
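One defensive check that follows from this description, as an added example that is not part of the original article: a small Python screen over inbound mail headers that flags the mirrored-account patterns described above (an executive's display name on a foreign address, a lookalike sender domain, and a Reply-To that quietly redirects answers). The company domain, the executive directory and the sample messages are constructed assumptions, not real data.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed for this example: the company's own domain and a small directory
# of executives whose names BEC lures typically borrow (not real data).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. An executive's display name, but not that executive's real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display name with foreign address")
    # 2. Sender domain is a near miss of the company domain (e.g. examp1e.com).
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike sender domain: " + domain)
    # 3. Replies are quietly redirected to a mailbox other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to differs from sender")
    return findings


# Constructed sample messages: a lookalike-domain lure, a redirected Reply-To
# on an otherwise plausible From, and a legitimate note.
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire\n\nPlease pay the vendor today.\n"
REDIRECTED = ("From: Jane Doe <jane.doe@example.com>\nReply-To: ceo.janedoe@freemail.example\n"
              "Subject: Vendor payment\n\nUse the new account details attached.\n")
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("redirected", REDIRECTED), ("legit", LEGIT)]:
        print(label, bec_indicators(raw))
```

In practice such a screen sits beside SPF/DKIM/DMARC results at the mail gateway and only raises a review flag; a wire request that trips any indicator should be confirmed out of band before money moves.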
How Enterprises Can Fight Against Popular Phishing Tactics
Employees are often the weakest link when it comes to securing an enterprise against phishing attacks. Any employee who clicks on an infected link can put an entire organization at risk. In addition, any employee who shares the wrong type of information with the wrong person can create a huge point of vulnerability for an organization. This is why employee training is the first step in preventing phishing attacks. Employees should be taught good digital hygiene. This includes treating suspicious emails with caution, forwarding all suspicious emails to the IT security department, and abstaining from using work email for personal purposes.