It’s no secret the goal of any cybercriminal is to make money through an attack. Access can be gained through systems that have not been updated or patched, but frequently these bad actors get into networks through phishing attacks.
James McQuiggan, a security awareness advocate for KnowBe4 USA, shared some insights into what drives these attacks and what actions to take after a company has become a victim at the recent Workers’ Compensation Educational Conference in Orlando, Florida.
He said that attacks are definitely on the rise and that cybercriminals are reaching targets through email, phone calls and text messages. They frequently pose as a familiar, legitimate organization to lure individuals into providing sensitive data. They’re looking for personally identifiable information such as banking and credit card account details and passwords, and their goal is to get the target to click on the link, which will provide access to the information the cybercriminal seeks.
“They can be in your system for 150 days before you realize they’re in it,” said McQuiggan, “and they can create their own accounts within your system without you knowing. You’re basically opening the front door to the organization and letting the cybercriminals in when you click on the link.”
He advised against ever clicking on a link in an email or text message. “Always go to the organization’s website to verify the information.”
The cyber kill chain for a phishing attack follows several steps:
- Reconnaissance – watching the system to figure out how to get into an organization
- Weaponization – using information they access to create “company emails” that allow them to get through an organization’s firewalls
- Delivery – providing the email or text message with the link
- Exploitation – unleashing the virus
- Installation – creating the backdoor access to information
- Command & control – accessing the information
- Acting on the objectives – launching the ransomware attack
A successful phishing attack could take as long as a year or as little as a few weeks.
Common features of phishing emails include:
- Too good to be true – the verbiage is eye-catching such as “You won!”
- They convey a sense of urgency – e.g., do it now!
- They include hyperlinks to a hidden website or a misspelled fake website
- Attachments – Never open an attachment if you’re not expecting it from a known source
- Come from an unusual sender – someone out of the ordinary, unexpected
- Look for typos in the email or rogue email addresses (ones that are similar to well-known addresses but have transposed letters or other misspellings)
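Two of the features above, rogue sender addresses with transposed or misspelled letters and hyperlinks whose visible text does not match where they actually point, can be checked mechanically before a message reaches the reader. The following is an added example written for this page, not code from KnowBe4 or from the conference talk. It assumes a small organization-maintained allowlist of known domains (`KNOWN_DOMAINS`, constructed here), scores sender domains against that list with an edit distance that counts adjacent transpositions as a single change, and flags anchors whose displayed domain differs from the link's real host. The sample sender and HTML body are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the organization knows it corresponds with.
KNOWN_DOMAINS = {"knowbe4.com", "example-bank.com", "microsoft.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'konwbe4' is 1 step from 'knowbe4'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def lookalike_domain(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain this one imitates, or None if it is an exact
    allowlisted domain or is not close to any known domain."""
    if domain in known:
        return None
    best = min(known, key=lambda k: damerau_levenshtein(domain, k))
    return best if damerau_levenshtein(domain, best) <= max_distance else None


# Minimal anchor matcher for the example; a real pipeline would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def mismatched_links(html: str):
    """Return (visible_text, href) pairs where the link text shows one domain
    but the href resolves to a different host (the 'hidden website' pattern)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        href_host = (urlparse(href).hostname or "").lower()
        m = DOMAIN_IN_TEXT_RE.search(text)
        if m and m.group(1).lower() != href_host:
            findings.append((text, href))
    return findings


def triage(sender: str, html_body: str):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    dom = sender_domain(sender)
    imitated = lookalike_domain(dom)
    if imitated:
        findings.append(f"sender domain {dom} resembles {imitated}")
    for text, href in mismatched_links(html_body):
        findings.append(f"link text '{text}' actually points to {href}")
    return findings


# Constructed sample message: transposed letters in the sender, and a link whose
# visible text names the bank while the href goes to an unrelated host.
SAMPLE_SENDER = "Security Team <alerts@konwbe4.com>"
SAMPLE_BODY = (
    "<p>Action required now!</p>"
    '<a href="http://example-bank.com.login-verify.test/x">'
    "https://example-bank.com/account</a>"
)

if __name__ == "__main__":
    for line in triage(SAMPLE_SENDER, SAMPLE_BODY):
        print(line)
```

The allowlist check runs first so that legitimate mail from a known domain is never scored against its neighbours; the distance threshold (2 here) is a tuning knob, and short domains will need a stricter value to avoid flagging unrelated but coincidentally similar names. Neither check replaces the out-of-band verification the article recommends; they only surface the messages worth a second look.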
Attackers will do anything they can to bypass critical thinking. Their goal is to generate a reflexive click on a link. They will exploit concerns over active shooters on college campuses or spoof a campus-wide security alert — anything to force someone to act quickly and without stopping to assess the possible danger of acting.
Each organization should create an incident response plan that outlines the policies, procedures and methods of communication, utilizes threat modeling and identifies the attack vectors in the event of an incident. The goal following an attack is to contain and eradicate it as quickly as possible.
McQuiggan recommended several steps following an attack.
- Disconnect your computer from the network or internet.
- Scan for malware.
- Change your login credentials.
- Change your credentials if you allow your browser to store them. (He says this is a bad idea.)
- Update your password vault.
- Alert your IT team and monitor for intrusions.
- Reinstall the operating system.
- Reset to the default factory setting.
- Back up your data (preferably before the attack, but definitely after an attack).
Security awareness and training can help reduce the chances that employees will click on phishing links or fall victim to other types of attacks. He stressed that phishing events are teachable moments and not “gotcha” moments because it is everyone’s responsibility to minimize the risk to an organization.
When an email arrives, consider asking these questions: Is it expected? Is this person a stranger? Are they asking me to take immediate action? When verifying the sender, use a second channel such as a phone call or text message to confirm the information and its originator.
McQuiggan acknowledged that it’s hard to change old habits, but taking a few minutes to read through an email or check the sending address or other links can prevent major headaches later.