The NCSC has launched a relatively new pioneering ‘Suspicious Email Reporting Service’, which will make it easy for people to forward suspicious emails to the NCSC – including those claiming to offer services related to coronavirus.
WHAT IS PHISHING:
Phishing can be done via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email. These attacks usually have two aims:
Steal sensitive information
Facilitate the installation of malware that will attack the confidentiality, availability or integrity of important information systems.
SOME ILLUSTRATIVE EXAMPLES:
In a typical phishing attack, you may receive a demand for some sensitive information or a payment. Usually, this is because the attacker wants to commit some form of identity fraud or steal your money.
However, you may also receive an email that invites you to click a link, whereupon you will be redirected to a logon page for a service that looks totally legit. Unfortunately, the website is bogus and when you enter your credentials they are stolen by a malicious cybercriminal.
Alternatively, the link could lead to an infected website that scans your device for security vulnerabilities. These vulnerabilities can be exploited, giving the attacker access to your system and, potentially, the network it is a part of. A malicious email attachment often achieves the same end result.
SO WHY PHISH?
There are two answers to that
The advance of technology makes it difficult to steal user credentials and hack into networks. It is far easier to trick a unsuspecting innocent into giving you the keys to the kingdom.
An attacker may have also sorts of reasons for wanting access to your online account, your device or your network. They may be motivated by money; a personal vendetta or because they are attempting to commit industrial sabotage. An attack may be politically motivated or done just for the thrill of it.
MASS CAMPAIGNS: In a mass campaign the attacker might fire off hundreds of emails hoping that someone will give away vital information or make some form of payment. Whilst these attacks are easier to detect, they succeed because of the sheer number of potential victims.
SPEAR PHISHING: This is a targeted attack usually directed towards a specific individual or organisation. The email will be far more persuasive and realistic; because the attacker has spent time researching the victim and framing the email for maximum impact.
WHALING: Another phishing variation is ‘whaling’, where the attacker will impersonate a senior executive. These emails also contain personalised information; convey a sense of urgency and are crafted with an understanding of business language and tone.
HOW TO DEFEND AGAINST PHISHING
Defence against phishing often relies on users being able to spot these types of emails. This means security awareness training which is
WELL CONCEIVED - with regards to timing, materials and delivery - so resources have the maximum impact.
RECORDED - so we know who has been trained and when the next sessions are due.
EVALUATED - so we know if our training was effective.
SUPPORTED BY SENIOR MANAGEMENT - so we have the budget, time and authority to conduct the training as well giving it the gravitas it deserves.
To be honest, nothing gets employee's thinking harder or will change the culture of an organisation towards emails than a bogus phishing campaign using a commercial product or free software such as Gophish. Not only can these tools help you craft different types of emails, for different types of end users, they will also give you credible metrics to work with.
Of course, your training materials must not only help users to identify and report suspicious emails, you have to train people how to respond to incidents by having policies and procedures in place. For example, how do we
PREPARE - which might cover how problems will be defined, evaluated (in terms of impact and severity) and communicated to our various stakeholders
DETECT & ANALYSE - to determine what systems & accounts have been compromised and how this has happened
CONTAIN, ERADICATE AND RECOVER - which might cover how to purge the mail server, isolate and sanitise devices or implement account recovery
REVIEW - so we can improve our response to future threats and incidents when they happen
For further mitigation strategies check out our email security article here and NCSC guidance here.