You may ask or be asked, why use cybersecurity training? This is a perfectly reasonable question. One which opens up a whole conversation about how cybersecurity affects your company, what types of threats are most relevant to your organisation, and why employee knowledge of cybersecurity can help de-risk the impact of cyber-threats.
In our series of short guides, we will answer those questions, giving you the reasons why cybersecurity training provides a fundamental baseline for best security practice.
This introductory guide covers the various aspects of cybersecurity and the threats fraudsters pose to our businesses. We also offer some tips on making your company more cyber-safe. In further guides, we drill down deeper into the world of cybersecurity, giving you advice and ideas on staying cyber-safe.
Read on, for an introduction to the shady world of the cybercriminal and how to beat them at their own game.
What kind of cybersecurity breaches threaten businesses?
Cybercriminals are sinister in their creativity. They will stop at nothing and use every trick in the book to carry out cybercriminal activities. But cybercriminals often depend on the human factor in their attack. A report by Accenture and Ponemon, looking at the cost of cybercrime, said that “People-based attacks have increased the most”. With this in mind, we take a look at the most prevalent attack types. This list is non-exhaustive but gives you a flavour of the depth and breadth of cybersecurity threats.[1]
Phishing
Phishing is the number one danger for businesses of all sizes. In a UK government report, “Cyber Security Breaches Survey 2019”[2] they found that 80% of UK businesses had been subject to a phishing campaign. Phishing scams account for over half of all cyber-attacks across the globe.[3] Phishing remains the number one threat because it works.
Phishing is entirely dependent on tricking a human being into doing something that leads to a cyber-attack. The means of engagement with the human target varies. Fraudsters use emails, mobile device SMS texts or messaging apps, and voice calls. Increasingly, social media sites are being used as a way to push-out phishing messages too.
Email Phishing
This is the traditional method used by fraudsters. Phishing emails are usually sent out, en masse, as a way to maximise the click rate. Phishing emails are often tailored to events rather than individuals. For example, during tax season, spoof emails purporting to be from the Inland Revenue will land in countless email inboxes offering tax refunds or threats of legal action for non-payment of tax.
Phishing emails typically contain either:
- A link which, if clicked, leads to a website that is infected with malware, requests personal and/or financial data, or both.
- An attachment which is either infected with malware that can infect the computer when opened, or contains a link to a malicious website.
SMShing
Phishing on a mobile is also known as SMShing because of the predominant use of SMS messages to carry malicious links. However, mobile apps, such as WhatsApp, are increasingly being used to carry the fraudsters’ message to a mobile device.
One of the main findings of the 2019 Verizon Data Breach Investigations Report was that mobile-based phishing, aka SMShing, has a higher click-through rate than its email counterpart. The report states that “Research shows mobile users are more susceptible to phishing, probably because of their user interfaces and other factors.”[4]
Spear-phishing
Spear-phishing, like SMShing, is often successful. The reason for this is that the spoof messages are tailored to the recipient. Spear-phishing is about precision. The emails are written with the victim in mind. This means that they are rarer than traditional email phishing but more deadly. Spear-phishing emails often target users with privileged access to company resources. This might be a database administrator, in the hope of stealing login credentials or a CFO/CEO to carry out a Business Email Compromise (BEC) attack (see later).
Malware and the Ways it Infects Your Device
Phishing is the main method that cybercriminals use to infect a machine with malware. This is done either using a malicious link to an infected website or an infected attachment. There are many strains of malware and within each, many variants of a strain. In 2019, AV-Test found over 1000 million strains of malware.
Source AV-Test[5]
Ransomware
Ransomware is one of the most destructive and prevalent types of malware. Ransomware encrypts data and/or locks down computers/mobile devices. It then places a message on the screen demanding a ransom payment (in crypto-currency form) to decrypt the data/unlock the machine. It is extremely damaging and costly. In Q1 of 2019, ransomware attacks increased by 118%.[6] Research from insurer Beazley Group[7] found that the burden of ransomware fell on small to medium-sized companies, with 71% of attacks focusing on those organizations.
Drive-by-downloads
Imagine navigating to a website and without even clicking on anything, your computer is infected with malware. Drive-by-download refers to a website that contains malicious code. If you go to such a website by clicking on a phishing link, and software on your mobile or computer has security flaws, the code will start a process to infect your machine – you won’t even know it is happening.
Mobile apps
Mobile apps can be a conduit for several different types of malware. One of the most damaging and prevalent is the banking trojan. The number of banking trojans was at an all-time high in 2018, then in Q1 2019 the numbers increased again by 58%.[8]
Once a mobile device is infected with a banking trojan, which can happen via SMShing, your online bank account will be in danger of being compromised. Banking trojans can detect which bank you use from your device and replace the interface with a spoof one that grabs your login credentials and uses them to log in to your real bank account.
Business Scams
Business Email Compromise (BEC)
Business scams abound, but BEC is a crime with massive associated costs. The crime involves surveillance to get to know your company and key employees. It often involves spear-phishing or even spoofing a CEO or CFO email address to trick employees. It may involve vishing (phone call phishing). The goal is to initiate a money transfer from your company bank account to the fraudster’s account.
Other Cybercrime Tactics
Man-in-the-Middle (MitM)
Various methods can be used to intercept traffic, such as email messages or SMS messages. MitM attacks usually occur over unprotected network traffic, for example on an insecure Wi-Fi connection.
Credential stuffing
One of the results of all of those data breaches we hear about is credential stuffing. During a data breach, email addresses and often unsecured passwords are compromised. These are then sold on the darknet. The cybercriminal will then use these credential pairs in automated login attempts to force their way into various other online accounts. This works because people reuse passwords across multiple accounts.
Insider threats
Although most attacks come from the outside, insiders are still a threat. Malicious insiders are hard to detect, but non-malicious insiders, e.g. those who share passwords or accidentally leave an unsecured laptop on a train, are still a potential source of data compromise.
What’s the Impact of a Cybersecurity Attack?
A cyber-attack on a business, if successful, has a multi-faceted impact. Here are the typical areas affected:
- Customer data: In 2019, the world saw a 54% increase in the amount of data lost due to data breaches. Much of this will be customer data. The result is a loss of trust and customer loyalty, and damage to reputation. A study by Privitar[9] found that 68 percent of customers would stop using a service if it did not use robust security to protect personal data.
- Company proprietary data: The loss of sensitive company information is another area that can seriously impact a company. This is especially true if it is leaked publicly or sent to a competitor.
- Fines for non-compliance: Privacy and data protection legislation, such as the EU’s GDPR and the UK-specific DPA 2018, provides for heavy fines if personal data is exposed.
- Downtime: Loss of business during a cyber-attack response has serious repercussions. As an example, the average downtime due to ransomware is 9.6 days.[10]
Phishing – The Root Cause of Most Cybercrimes
As mentioned earlier, phishing emails are behind most cybercrimes. The main reasons for the success of phishing emails are:
- Social engineering: Phishing relies on a human being to work. This means that the fraudster must manipulate that human into doing their bidding. This is where social engineering comes in – this is a way to trick users into performing tasks they’d otherwise not carry out.
- Ease of accessibility and use: Phishing is big business, and when something is this successful it spawns new models. Phishing-as-a-Service is one such model that has made phishing accessible and easy to use. You no longer need to be a software programmer to carry out a phishing campaign. Instead, the phishing kit, including email, spoof website, and even target list, comes ready packaged on the darknet. The fraudsters rent a phishing kit, then pay a subscription or use revenue sharing with the original seller.
The Tell-Tale Signs of a Phishing Email
Because phishing is such a major issue in cybersecurity, one of the focus areas of cybersecurity training sessions is phishing awareness. Fraudsters, as we have seen, use email as a means to target phishing messages. These phishing emails use specific ways and means of manipulating a person into performing certain actions, such as clicking a link or opening an attachment. Cybersecurity training teaches employees how to look for signs that an email is a spoof. Typical signs to spot a phishing email are:
The sender’s email address
The first thing to check is the email address of the sender. Does it look like a legitimate address? Look closely, is the email domain correct? Some phishing emails are blatantly illegitimate. However, cybercriminals often go to great lengths to disguise the sender’s email address and make the domain look legitimate. Well-known brands are disguised in this way, for example:
support@apple.com – correct
support@app1e.com – phishing
Link URL
Many phishing emails use links to connect to infected websites or sites that are set up to collect your personal or financial data. These links can be a giveaway as to the legitimacy of the email.
Most email clients allow you to hover your mouse over the link which will then display the link URL in the bottom corner of the screen/client application. This is much more difficult to do if you receive emails on a mobile client.
A phishing link will often be long and complex and will not reflect the actual brand that it is attempting to spoof.
Don’t be fooled if the link’s website uses the https:// prefix. The Anti-Phishing Working Group (APWG) has found that over half of websites used for phishing use HTTPS.[11]
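As an added illustration of the sender-address and hover checks described above (example code written for this guide, not The Defence Works’ own tooling), the following Python script flags a domain that matches a known brand only after undoing digit-for-letter substitutions, such as app1e.com, and a link whose visible text names a different site from its real destination. The brand list and the confusable table are constructed assumptions; the https scheme plays no part in the verdict, in line with the APWG finding.

```python
import re
from urllib.parse import urlparse

# Constructed sample list of brand domains this organisation expects mail from.
KNOWN_DOMAINS = {"apple.com", "paypal.com", "microsoft.com", "netflix.com"}

# Substitutions seen in lookalike domains, e.g. the digit 1 for the letter l
# in "app1e.com". Constructed list; real confusable tables are far larger.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Matches visible link text that itself looks like a URL or a bare domain.
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$")

def normalise(domain):
    """Undo confusable substitutions so 'app1e.com' reads as 'apple.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def classify_domain(domain):
    """'ok' for a known brand domain, 'lookalike' if it only matches a known
    brand after undoing confusables, otherwise 'unknown'."""
    # Crude cut to the last two labels so www.apple.com counts as apple.com
    # (simplification: ignores multi-part suffixes such as .co.uk).
    base = ".".join(domain.lower().split(".")[-2:])
    if base in KNOWN_DOMAINS:
        return "ok"
    if normalise(base) in KNOWN_DOMAINS:
        return "lookalike"
    return "unknown"

def check_sender(address):
    """Apply the sender-address check to the domain after the '@'."""
    return classify_domain(address.rsplit("@", 1)[-1])

def check_link(href, visible_text=""):
    """Apply the hover check: compare the real destination (href) with what
    the email displays. The scheme (http/https) does not affect the verdict."""
    host = (urlparse(href).hostname or "").lower()
    shown = DOMAINISH.match(visible_text.strip().lower())
    if shown and shown.group(1) != host:
        return "mismatch"  # text names one site, the link goes to another
    return classify_domain(host)

if __name__ == "__main__":
    print(check_sender("support@app1e.com"))                    # lookalike
    print(check_link("https://app1e.com/verify", "Verify now"))  # lookalike
```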
Email body content giveaways
Phishers are adept at copying the style and branding of big-name company emails. This makes it difficult to spot a spoof from a legitimate email. However, they do make mistakes, including:
- Poor spelling and grammatical errors.
- Lack of a salutation, or using the name from your email address as the greeting, e.g. john.smith@domain.com becomes “Dear john.smith”.
Spear phishing emails, which target specific people, will use a real, correctly formatted, name, so the above does not apply.
Other tricks of the phishing trade
Fear of Missing Out (FOMO)
If something seems too good to be true, it probably is. Phishing emails manipulate human behaviour. Tricks involving prizes, rewards, and offers are common, as the fraudsters hope to catch those of us who like a bargain or want to win a prize.
Urgency
Another trick is to try to trigger the knee-jerk reaction we all have. An example is a phishing email that says something like “to reinstate your account click this link immediately, otherwise it will be permanently deleted”.
The well-known brand
Trust is a big driver when making decisions. If you trust something or someone you are more likely to carry out a request. Phishing emails depend on this human trait to encourage you to do something.
Phishing emails typically take on the guise of a well-known trusted organization. For example, your bank or government service or Apple or PayPal. Many of the most popular organisations have been and will continue to be used by phishers. Which brand a phishing campaign uses often depends on topical issues or the time of year. For example, around tax return time you will often see a spate of phishing emails that are disguised as the Inland Revenue brand.
Vade Secure keeps a watch on which phishing brands are most imitated in any given quarter of the year. In Q3 2019, the top spot went to PayPal, followed closely by Microsoft, Netflix, and Facebook.[12]
Always be vigilant when an email from a well-known brand enters your inbox that has any of these tell-tale signs. However, be aware that spear-phishing emails are often cleverly targeted and much harder to spot.
Top tips to prevent cybercrime
Here are our top tips to protect your organisation and your employees from cybercrime.
Tip one: back away from the attachment
If you do not know the sender, do not open an attachment.
If you do know the sender, but you still aren’t sure the email is legitimate, ask the original sender to verify it was them that sent the attachment.
Tip two: check the sender’s email address
Bearing in mind the tell-tale signs of phishing described above, check the sender’s email address carefully.
Tip three: Do not click links in emails
Unless you are 100% certain the link is legitimate, do not click a link in an email. To double check a link, hover over the link (being careful not to click it). The address usually shows in the bottom pane of the email client. This cannot usually be done using a mobile email client.
Be aware that many phishing emails now hide links in images. If you click on the image (easily done by accident) you will be taken to the spoof site which may be infected with malware.
Tip four: Don’t give out personal details
Be extremely cautious about entering personal data and financial information into websites. Check the URL, is it the expected web address?
Remember, just because a website has an HTTPS prefix does not mean it is safe to enter data.
When signing into an online account, always navigate to the source website rather than clicking on a link in an email.
Tip five: keep on top of phishing tricks
Fraudsters are continuously upping their game to trick users. Always keep up to date with new tactics that are used in phishing emails. Read “The Defence Works” weekly “Breaking Scams” section to find out what phishing emails are doing the rounds.