Sharks and phishers are circling, looking to snag a bite

The most popular Massachusetts summer beach vacation destination, Cape Cod, has seen an unusual spike in shark sightings this summer. Marine biologists aren’t saying that means there are more sharks than usual, but that they are swimming closer to shore.  Thanks to the increasing number of drones and cellphone videos, it seems like Cape Cod is experiencing a Shark Summer. And it’s having an impact on summer activities, as many beaches are closed and swimmers are warned to stay close to the shore. No one wants to slip-up and take the risk of inviting the next shark attack, particularly after a fatal attack last summer.

This summer, the shark threat isn’t just in the water. The kind of shark threats I’m referring to are the cybercriminals and hackers who have successfully lured in high-profile victims for a phishing attack. Here are some of the major attacks we’ve seen this summer:

• Amazon Prime Day shoppers may have been lured in by hackers using a phishing kit that lets anyone design emails mimicking legitimate tech businesses. It’s pretty low-level phishing, as far as attacks go – more like a day of catching minnows rather than deep-sea trophies – but very effective for those looking to grab the best deals.
• Attackers got a little more creative in a scam against American Express Just as a fly fisherman uses inventive lures to attract trout, these phishers used a base HTML element that tricked spam filters into believing it was a legitimate URL and filtered the email into inboxes. Then it relayed a sense of urgency that users needed to take action by clicking this legitimate-looking link or otherwise have their accounts suspended.
• GDPR reeled in its biggest catch in terms of fines (so far) when “weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page,” according to CNN. This allowed hackers to harvest all types of sensitive passenger data, and now BA faces up to $230 million is fines, a GDPR record.
• In Bulgaria, a hacker gained access to a government database and compromised the records of 5 million out of the country’s 7 million residents. A single shark attack can impact an entire beach and its surrounding neighborhood.  In this case, a single hacker can impact an entire country.

No one is immune

No organization is immune from the threat of a phishing attack and its aftermath. We talk a lot about how cybercriminals are becoming more sophisticated in their attempts to stay one step ahead of security systems, but only the American Express hack above could be considered sophisticated, or at least more sneaky than usual.

Instead, phishing attacks target the weakest link in security – humans. Hackers smell the blood and go after it, knowing that someone is going to make a mistake and turn into prey. That’s why CISOs and the security team need to rethink their approach around phishing attacks. There is a tendency to trust our email messages, especially if it appears to be from a known person or a familiar company. Instead, we have to mistrust everything and be hypervigilant when wading into the murky waters of our inboxes. That means encouraging staff to take the extra minute or two to contact the presumed sender directly and ask if the email is legitimate or to manually type in the company’s URL rather than click a link.

Reeling in the phish

Decreasing phishing attacks is a two-part process: one part training and one part alerting.

Most employees struggle to tell the difference between a legitimate email and a phishing attack. Even those with a solid security background will struggle at times to tell the difference. Even though many companies now provide mandatory training, it often assumes that everyone is at the same level of knowledge, and even then, training is often just listening to a webinar or taking a quick quiz and that’s the end of it.  Many employees don’t absorb or retain the training and go back to their normal risky email and link-clicking behaviors.

Training needs to dive deeper. It could begin with a survey that assesses each employee’s cybersecurity sophistication and base the training from there. It’s also reinforcing how the employee behavior can impact company operations. The training should stress the importance of unique passwords and other bad behaviors. Training is great, but it only goes so far.

That’s where alerting comes in. With the right tools, it will be possible to monitor how employees use passwords or other online behaviors. These tools will also help customers practice better habits when they are on a company website and reduce risks for both them and the business.

In addition to the standard tools and processes, intelligence software will be needed. For instance, if your employees browse the web during their lunch hour or use their personal devices to access the enterprise network, software from a company like Covered Security can apply intelligence to browsing behaviors. Companies like KnowB4 and Cofense provide the software intelligence for anti-phishing training.

Despite the high numbers of shark sightings in the Cape Cod waters, community officials have been able to stave off attacks through effective threat warnings and working with their neighbors. That same approach can work with phishing attacks. Rather than work in silos, security professionals should work together to come up with effective threat strategies, better training and intelligence alert systems in effort to keep phishing attacks at a minimum. The hackers are always going to be circling; it’s up to us to make sure they don’t bite.