Phishing Emails Are Here To Stay, Says Security Firm

A new study from Barracuda Networks says Email security threats are both cheap and easy for cyber attackers to conduct, and found that 87% of companies have faced those threats in the past year.

The study, conducted across Asia Pacific, Europe, and the Americas, with 634 team managers, executives, and individual contributors and found that one click is more than enough to bring wrath.

Phishing is basically an email in disguise that typically mimic the look and feel of an authentic, such as a bank, or even a colleague. The emails create a sense of urgency, so recipients think they don’t have much time to respond.

The company explains “The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business Email Compromise attack from the real employee’s email address.”

As Barracuda says “Phishing is one the easiest strategy and cheapest and used by hackers to target companies as it takes advantage of the weakest link in an organisation’s security chain, its employees.”

Some emails are highly targeted, but generic ones containing words like ‘invoice’ can also catch people out. ‘Invoice’ appeared in six of the 10 most effective phishing campaigns in 2018.

“Most malicious emails attempted to steal login and system information from users in order to take over their account to launch attacks to a company via an internal account. All they need to do is lure one untrained user with a clickbait link and they have access to any company’s data.”

Those links can also look genuine. They can be spoofed sites that request login credentials, or they could initiate malware downloads. Information stealers, backdoors, and ransomware are common forms of malware. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 Study said they’d experienced such an attack.

Barracuda warns that phishing attacks are becoming more difficult to spot. Criminals may also switch to AI technologies to make their emails look more genuine.

“No company is too small or free from being a target. Once an account has been compromised or infected with ransomware, the company and its data can be held for a high ransom. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people),” explains Forbes-May.

He says that multi-factor authentication is an effective way to prevent attackers accessing accounts with only passwords as security credentials. He also believes training sessions are necessary.

Barracuda states that companies should run phishing tests in short sessions using real-world scenarios and collect feedback on each user.

Sara Barker at Bizedge mentions how one should be looking for things like unusual senders, attachments and hyperlinks in unsolicited mail. All level of employees including part timers and interns must undergo training as all it takes is one click to cause great damage. It doesn’t matter who clicks on that phishing link, it will be equally damaging.

“Companies must look into investing in the best email security tools that can scan for malicious URLs and attachments and block the email before it even reaches the user. Behavioural and sandboxing features can help to spot more advanced zero-day threats.

Your reputation, company data and the potential loss of money is at constant risk and must be safeguarded,” adds Forbes-May.

Here are a few quick tips to help avoid phishing scams like the ones highlighted above:

• Don’t click on attachments or URLs from unknown sources. Sometimes even link from known sources that not safe—could have been compromised by criminals. So call them and confirm if you feel it is suspicious.

• Never reveal your password or login to an unidentified site you accessed via an email link. It is always better to the site directly.

• Money scams are notorious for their bad English, and in many cases the language used. Just remember, if something sounds too good to be true—it probably is.

“Phishing email are here to stay and will continue to be a problem for companies and unless they employ multi layered approaches and train their employees, they are at risk of being held for ransom by hackers,” concludes Forbes-May.