October is officially cyber security awareness month. The fact that mothers and fathers only get one day a year but cyber security gets a whole month is something I’ll leave you to reconcile for yourself, but ever since the US President made a declaration in 2004, it has been so. But it’s not just an American event, Europe joined in ten years ago and the UK, post-Brexit, is carrying on the tradition too, with Australia and many other countries around the world also recognising the idea every year.
Phishing is one of the key focusses of this year’s awareness activities, so we thought it would be helpful to provide a recap of what phishing is and some of the latest advice on how to avoid falling victim to it.
According to our friend Wikipedia (yes, I have made a donation) the concept of phishing dates back to the 1980s, with the term coming into common use during the 1990s, although the exact meaning of the “ph” remains open to debate.
In essence phishing involves sending a message to an unsuspecting person to try to trick them into taking an action that will give the attacker some form of advantage, whether that’s finding out their password, downloading some malware or stealing their money. The delivery method used to be exclusively email, but new forms of communication have opened up lots of opportunities for the attacker and now you could receive phishing messages via text, messaging apps, social media or phone.
A classic phishing message is sent to a very wide and fairly random audience in the hope that even if a tiny percentage of the targets fall for it, it will give the attacker what they want. This may be likened to a real fisherman casting a large net into the sea.
If an attacker is more focussed in their targets, they may do what is termed “spear phishing”. This often involves sending messages to people within a particular organization, perhaps if that organization is considered a good potential ransomware target.
When it has to be a specific person that can give them what they want, an attacker will conduct “whaling”, where messages are only sent to that individual, often the CEO or perhaps a member of the finance team.
The degree of care and attention that goes into crafting a phishing message will vary according to the type of phishing involved; so a spear phishing message will be more carefully designed than one which is sent to all and sundry.
But a phishing message will usually have the following characteristics:
The example below is a genuine phishing email taken from our mailbox in the last few days. It gives no personal information, it needs me to act fast or I will lose my five million dollars, and I need to reply with my details, presumably so that I can be contacted to be given further instructions.
Obviously, if it seems too good to be true, that’s because it is.
Examples such as the above are relatively easy to spot. The problem comes when a phishing email or message arrives just when you were expecting a genuine one. For example, if you’ve just ordered something from Amazon and an email arrives about package delivery (and you’re in a hurry) you’re much more likely to click the link than you would be normally.
Let’s not sugar-coat the issue: spotting phishing messages can be hard, especially if the attacker has put some effort into making the message look relevant and genuine. Contacting the (supposed) sender using contact details not taken from the email is often the only sure-fire way to confirm a message’s authenticity.
So it comes down to being careful and aware and suspicious of every message you receive. Many organizations provide compulsory training courses in user awareness which aim to reduce the likelihood of users falling victim to phishing. These are a good idea, but they are really only one line of defence. Latest guidance from agencies such as the UK National Cyber Security Centre encourages a multi-layered approach to phishing.
The first layer is to try to head off the phishing messages before they reach the user. Standards such as DMARC (Domain-based Message Authentication, Reporting and Conformance – catchy title eh?) are becoming more widespread; they let the receiving mail server confirm who sent the email and reject it if that can’t be confirmed or the sender address is fake. Combine this with a good email anti-spam service and we have a good chance of taking down most phishing messages early and not having to ask the user to make difficult judgement calls.
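To illustrate the DMARC check described above, here is a minimal evaluation of a published DMARC policy against SPF and DKIM results (example code written for this post, not CertiKit’s own or any mail product’s code); the two-label organizational-domain shortcut and the example.com and attacker.test names are assumptions.

```python
# Added example (not from the original post): a minimal DMARC policy
# evaluation in the spirit of RFC 7489, showing how a receiving mail
# server decides to reject a message whose visible From: domain is not
# backed by an aligned SPF or DKIM result. Simplification: the
# organizational domain is taken as the last two labels instead of
# consulting the Public Suffix List.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification: real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed allows
    the same organizational domain (mail.example.com vs example.com)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass' when an aligned SPF or DKIM result backs the From:
    domain; otherwise return the policy the domain owner published
    (none / quarantine / reject)."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Constructed cases: a genuine message from the domain's own relay,
    # and a spoofed one whose SPF pass covers only the attacker's domain.
    print(dmarc_disposition(rec, "example.com", spf_pass_domain="mail.example.com"))  # pass
    print(dmarc_disposition(rec, "example.com", spf_pass_domain="attacker.test"))     # reject
```

A real receiver also honours the pct= tag and sends aggregate reports to the rua= address, which is how a domain owner learns that someone is forging their domain.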
If the phishing email gets through our defences, we’re then at layer two, relying on the user to spot it for what it is. Training and clear business processes will help with this.
Layer three tries to protect the organization if the user is duped and takes the action requested by the phishing email. This consists of blocking access to malicious websites, using effective anti-malware software on computers, patching devices regularly and using multifactor authentication (MFA) rather than passwords on their own.
At layer four we are monitoring for intrusions and breaches, reporting incidents internally and to external bodies, and managing incidents according to a well-defined and thought-through plan.
Phishing is here to stay, and a total reliance on the user spotting fake messages is going to fail at some point. That’s not to say that training shouldn’t happen, but an organization needs to think through its defences, including designing business processes so that adequate checks are made at key points. As the number of communication tools increases, the opportunities for bad actors to gain an advantage multiply. Even the fledgling “Metaverse” has had its share of issues already, and these are likely to grow. Remember – don’t blame the user; help them.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.