At a glance
  • Phishing attacks result in victims being tricked into clicking on a fraudulent email link or attachment
  • While companies are investing heavily in technology to fight these attacks, human error makes all businesses vulnerable to phishing
Phishing attacks in particular require a combination of an effective human response and a technological solution.

Here, we examine why phishing can be a huge problem and the strategies that can be deployed to fight off phishing attacks.

The scale of the phishing threat
Successful phishing attacks can give hackers access to a treasure trove of data, which they can use for financial gain.

There have been numerous high-profile attacks in the UK, including one that led to the theft of £1.2 million from hundreds of students, and the recent £20 million Dridex Trojan attacks, which targeted British banks and government agencies.

Phishing attacks work because they target human vulnerabilities that exist in every business.
Janet Roberts, Zurich’s Head of Security Awareness, Group Information Security, says: “Cyber criminals rely on the possibility of human error when planning a phishing attack. Perhaps the person is in a hurry while reviewing emails and does not check before clicking on a link. Or perhaps they have not been educated about phishing and the risks it poses.

“Criminals may try to infiltrate a firewall or other system, but a company with robust technology can often prevent these types of attacks. Companies are investing heavily in preventative technology, which is good, but they need to remember that without educating their people, employees remain a weak and obvious target.”

Fighting off phishing attacks requires a three-pronged approach: detection, reporting and technology.

1. How to detect a phishing email
Many fraudulent emails share common characteristics, such as:

  • A generic greeting, e.g. “Dear customer” – in most organisations where people interact via email, they would be addressed by their name
  • A threat to take action – banks, credit card companies or internet service providers wouldn’t notify somebody that their account was in danger via an email threat, but cyber criminals might
  • Requests for personal information – e.g. passwords, PINs or log-in details
  • Spelling/grammatical errors – cyber attacks originate from all over the world and English is often not the attackers’ first language. Although some criminals now employ proof-readers to check for spelling errors, other grammatical or syntactical errors may still give cause for suspicion
  • Addresses that don’t match up – one of the most basic, but important, phishing defences is to hover the mouse over a link (without clicking). The website URL will then appear on screen. Comparing this URL with the typed address will give a good indication as to whether the link is genuine.
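The warning signs in this list, written up as a small Python checker (an added example, not part of the article): it flags a generic greeting, threatening language, requests for credentials, and links whose visible text names a different host than the one the link actually points to. The HTML message and the example.com / .invalid hosts are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email) used by the checks below.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Your account will be suspended within 24 hours unless you verify your password.</p>
<p>Visit <a href="http://example-login.invalid/verify">https://www.example.com/secure</a> now.</p>
"""

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Return the lower-cased host of a URL or bare domain string."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""

def phishing_indicators(html):
    """Return the warning signs from the article's list that appear in an HTML email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, enough for keyword checks
    found = []
    if re.search(r"\bdear (customer|user|member|client)\b", text, re.I):
        found.append("generic greeting")
    if re.search(r"\b(suspend|within \d+ hours|immediately|urgent)", text, re.I):
        found.append("threat to take action")
    if re.search(r"\b(password|pin|log-?in details)\b", text, re.I):
        found.append("request for personal information")
    for href, shown in parser.links:
        # The 'hover over the link' check: displayed text looks like a URL but the href goes elsewhere.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", shown, re.I) and _host(shown) != _host(href):
            found.append(f"mismatched link: shows {_host(shown)} but goes to {_host(href)}")
    return found

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_HTML):
        print("warning:", hit)
```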
2. Importance of reporting phishing attacks
Companies should establish clear mechanisms for staff to report suspicious emails to their IT department straightaway.

If an employee has clicked on a link they suspect contains malware (unwanted/hostile software), prompt reporting will help the company to stop it from spreading. Even if the employee has not clicked on the suspicious link or attachment, reporting the incident will allow the company to investigate whether any other employees may have done so. The time it takes to detect and respond to an attack is critical.

Verizon’s 2015 Data Breach Investigations Report highlights how, in a majority of cases (60%), attackers are able to compromise an organisation within minutes of a successful data breach.

One study found that while 80% of companies have a process for employees to report phishing, more than half (52%) of companies say their staff report fewer than a quarter of the suspicious emails they receive.

It is therefore vital that companies foster an environment in which employees understand their role in preventing phishing, and that employees are updated regularly on the latest phishing lures being used.

3. Importance of regular updating of technology
Cyber criminals are continually adapting their methods to make their phishing lures harder to spot. Therefore, while a human line of defence can complement a technological solution, it cannot replace it.

As cyber security company Proofpoint observes in The Human Factor 2015 report on phishing: “While an important tool, user education cannot be the last line of defence: organisations should deploy automated defences capable of detecting and blocking threats that do not look or behave like previously known threats.”

Proofpoint’s research highlights that on average, one in 25 malicious messages is clicked on, and that this ratio remains almost exactly the same regardless of an organisation’s size or how many malicious messages it receives.

Cyber criminals realise if they keep attacking, they will find a soft target sooner or later. However, companies that have built a human line of defence to back up their IT solutions will be best placed to minimise the risk of becoming the criminals’ next victim.