Cyber-attacks on organizations via the email vector continue to escalate. As we have seen recently, hospitals, transit companies, financial institutions, academic institutions, telecommunication companies and many others have all been victims. Cyber criminals have become more advanced, sophisticated and dynamic than ever, and they attack regardless of geographical location or nationality, with the purpose of extracting valuable information, reaching personal data and stealing money. Below are just some examples of business email compromise (BEC):
- During the 2016 tax filing season, more than 55 companies fell victim to a targeted and sophisticated phishing campaign. The campaign stole the 2015 W-2 U.S. tax records of every employee working for the affected companies.
- In August 2016, Leoni AG (cables, wiring systems and related products) was defrauded of approximately US $44 million after it was targeted by an email scammer.
- The Democratic National Committee (DNC) fell victim to a cyberattack where their email systems were breached during the 2016 U.S. presidential race through spear phishing emails.
- In April 2017, it was reported that Google and Facebook had been conned out of $100 million in a phishing scam in which emails were sent to employees at both companies asking them to wire money; the con man impersonated a Taiwanese electronics manufacturer.
Phishing applies social engineering to lure a targeted victim into opening what appears to be a legitimate email. The email may originate from a compromised legitimate email account or from a spoofed sender address that the attacker uses to send the malicious messages. The email can carry infected files disguised as ordinary documents, or a URL pointing to a compromised website that pretends to show material of interest to the recipient. Opening the infected attachment or visiting the malicious website can install malware that connects back to a command and control (C&C) server operated by the attacker. From there the attacker can steal user IDs, passwords and customer records, and may later take more destructive actions such as modifying critical business data, deploying ransomware or causing denial of service. The consequences for the victim and the organization can be severe: disruption of operations, reputational damage, massive financial loss and even the potential termination of the business. Organizations need to be able to validate their cyber security posture more frequently, more comprehensively and with greater responsiveness.
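The spoofing indicators described above (a sender address that does not match the envelope sender or Reply-To, failed SPF/DKIM/DMARC checks, executable attachments hiding behind a document-looking name, and links whose visible text does not match their destination) can be triaged automatically from the raw message. The following Python script is an added example, not code from the original post or from Cymulate; the two messages it parses are constructed for illustration, and the finding strings and thresholds are the example's own choices rather than any product's output.

```python
"""Triage a raw email for the spoofing and phishing indicators discussed above."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions that rarely arrive as a legitimate attachment (example's own list).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".ps1"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample (not a real message): a spoofed "CEO" wire-transfer request.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.ceo@example-mail.net
To: cfo@example.com
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html

<p>Pay the attached invoice today via <a href="http://203.0.113.7/login">our bank portal</a>
or <a href="https://login.example-mail.net/">https://bank.example.com/secure</a>.</p>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--XYZ--
"""

# Constructed sample (not a real message): an ordinary, properly authenticated email.
CLEAN_EMAIL = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Content-Type: text/plain

The agenda is in the shared drive folder; see you on Thursday.
"""


def domain_of(header_value):
    """Lower-case domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def analyze(raw):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])

    # 1. Envelope sender and Reply-To pointing somewhere other than the visible From domain.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain!r} does not match From domain {from_domain!r}")

    # 2. Verdicts the receiving mail server recorded for SPF, DKIM and DMARC.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        result = verdicts.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech.upper()} result is {result!r}")

    # 3. Executable or double-extension attachments and deceptive links in the body.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            pieces = filename.lower().split(".")
            ext = "." + pieces[-1] if len(pieces) > 1 else ""
            if ext in DANGEROUS_EXTENSIONS:
                findings.append(f"attachment {filename!r} has executable extension {ext!r}")
            if len(pieces) > 2:
                findings.append(f"attachment {filename!r} uses a double extension")
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                host = (urlparse(href).hostname or "").lower()
                visible = TAG_RE.sub("", text).strip().lower()
                if IPV4_RE.fullmatch(host):
                    findings.append(f"link to raw IP address {host!r}")
                if "." in visible and host and host not in visible:
                    findings.append(f"link text {visible!r} hides destination {host!r}")
    return findings
```

Calling `analyze(SAMPLE_EMAIL)` returns nine findings for the constructed lure (mismatched Return-Path and Reply-To domains, failed SPF and DMARC, missing DKIM, a link to a raw IP address, link text that hides its real destination, and an attachment with both an executable and a double extension), while `analyze(CLEAN_EMAIL)` returns an empty list. Note that the Authentication-Results header is only trustworthy when it was added by your own receiving mail server; a gateway should strip any copy of that header that arrives from outside before this kind of check is applied.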
Government agencies worldwide have started to get more involved. For example, on May 30th 2017 the United States' Federal Bureau of Investigation warned the American business community by publishing a short and focused notice to raise awareness of this issue.
Here are some tips that the organization's IT and Security departments, along with all other employees, should consider:
- Verify that your security solutions such as the firewall, anti-virus, URL filtering and system configurations are up to date and robust.
- Conduct ongoing security awareness activities for all employees, including guidelines for preventive behavior.
- Don't open a suspicious email. Report it so that the security team can verify its legitimacy and prevent others from opening it.
- Consider strengthening the security of employees' email accounts with a two-factor authentication solution.
- Keep up to date on recent phishing attack techniques and their victims.
The Cymulate platform gives organizations the ability to test their email security and run phishing drills on their employees, enabling them to identify vulnerabilities in their security framework. Many organizations worldwide could have avoided recent phishing attacks had they used Cymulate's platform to assess their vulnerability gaps and improve employee awareness.
Test your organization's email security and employee awareness of phishing campaigns now with Cymulate's advanced attack and phishing simulations. The assessment's results might be troubling, or they might assure you that you have been progressing well.
So be prepared and avoid the next phishing attack!