Protecting your organisation from sophisticated phishing attacks
This recent article in the FT on the Anatomy of a Hedge Fund Attack reminds all of us how old attacks are evolving and aligning with our lifestyles. Today's more sophisticated phishing attacks are no longer about sending thousands of emails to as many recipients as possible. These low-effort, low-technology attacks still exist, but they are not very profitable for cybercriminals and are easy to detect.
Today's social engineering techniques rely on a fairly intensive reconnaissance phase, often lasting weeks, spent studying the victim and collecting information with the aid of OSINT (open-source intelligence) tools, which analyse a target's digital footprint and build a map of what they do, how they do it and where the weakest link is.
After this phase, often carried out without leaving any traces, the next phase usually leverages social engineering techniques: creating a sense of urgency or a desire to comply, delivering misleading messages, and making requests to act that carry enough credibility because of the intelligence gathered during the reconnaissance phase. Let us be clear: these attacks are highly targeted, and no one is immune.
The only protection is to create the right awareness amongst your users, particularly those in senior positions. Educate them not on technology or spell-checking (long gone are the days in which the messages could be easily recognised by their grammar errors or typos), but on recognising unusual patterns, on being mindful of what is happening, and on noticing whether it is happening in a way that is not the usual one.
Technology alone cannot protect us from a well-targeted spear-phishing attack; instead, you need to rely on your people as your first line of defence. Every company, small or large, should make sure that its leadership teams are constantly trained and made aware of the risk of poor security hygiene, both inside and outside their working lives. As we live in a highly connected world, we all need to be aware that our actions may be more visible than we realise.
Finally, organisations need to develop a culture in which users are reminded that they are not part of the security problem; rather, they may indeed be a fundamental element of the solution.