Last week the UK holiday camp company Butlin’s announced that it was the latest in a growing list of businesses to have suffered a data breach. In this case the company lost 34,000 guest records (including names, postal addresses, email addresses and telephone numbers) after a member of staff responded to a phishing email. This yet again validates the need for a modern, multi-layered email security solution that can stop increasingly sophisticated targeted attacks, as well as the ongoing need for security education and awareness training.
Phishing isn’t exactly a new threat, but for some reason it continues to catch people out. We all know not to click on links or open attachments from unknown sources, but that awareness doesn’t seem to translate into caution. One reason is that phishing has become incredibly sophisticated. No longer are princes in far-off countries offering millions of pounds if you’d be so kind as to send them your bank details. As people have become more clued up, fraudsters have become more professional, and the differences between legitimate and illegitimate emails are sometimes almost imperceptible.
Not only are fraudsters adept at making their emails look like genuine correspondence (HMRC scams are a common example), but they’re also adopting new techniques to trick unsuspecting recipients. We’ve talked before about CEO Fraud, where criminals pretend to be the CEO and ask, for example, the accounts team to pay an urgent invoice, hoping that staff will be so eager to please the CEO that they won’t notice it’s a fake. These tactics, combined with the fact that we’re all busy people, mean that taking the time to scan each email for signs of phishing is likely to slip down the list of priorities.
This doesn’t, however, negate the need for better training. While humans are fallible and mistakes happen, they are the first line of defence in an organisation and should be trained to spot potential threats. Scams of years gone by were riddled with spelling and grammatical errors; these days the signs are more subtle, and people need to pay far more attention to where emails are actually coming from. Criminals will try to keep the sending domain as believable as possible, but a closer look at the part after the @ sign and a moment’s consideration should indicate whether it is real or not: an address at a domain like HMRCtax, for example, is unlikely to be the real HMRC. Training employees to take more care over email, and to go directly to the organisation’s website (typing the address rather than following the link) if they aren’t sure, will also help to reduce the risk of a successful attack within a company.
In addition, every organisation needs tools that can cope with these sophisticated attacks: tools that combine traditional pattern, message attribute and characteristic matching with algorithmic analysis to give the strongest possible email threat prevention. Cyber criminals are getting cleverer and we need tools that can beat them at their own game. Phishing has stood the test of time and I have no doubt it will continue to live long and well, unless we set the barriers far higher.
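As an added example (it is not part of the original post and is not the code of any product the post refers to), the following Python sketch turns the two manual checks described above, whether the sender's domain really belongs to the brand it claims to be and whether the display name is a CEO Fraud impersonation, into the kind of attribute matching a mail filter would run over the From: header. The organisation's own domain, the executive names, the single genuine HMRC domain and the tiny public suffix list are all constructed assumptions for the demonstration.

```python
import re

# --- Constructed reference data: assumptions for this example, not real policy ---
OUR_DOMAIN = "example.co.uk"            # assumed: the organisation's own mail domain
EXECUTIVES = {"jane smith"}             # assumed: display names a CEO Fraud mail would copy
GENUINE = {"hmrc": {"hmrc.gov.uk"}}     # assumed: the only domain we accept as HMRC
PUBLIC_SUFFIXES = ("co.uk", "gov.uk", "org.uk", "ac.uk",  # assumed: a tiny stand-in for
                   "com", "org", "net", "uk", "example")  # the real public suffix list

# Handles the two common shapes 'Display Name <addr>' and bare 'addr' only.
FROM_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<>]*?)"?\s*<(?P<addr>[^<>\s]+)>|(?P<bare>[^<>\s]+))\s*$'
)


def parse_from(header):
    """Return (display_name, lower-cased address) or None if the header is unparseable."""
    m = FROM_RE.match(header)
    if not m:
        return None
    name = (m.group("name") or "").strip()
    addr = m.group("addr") or m.group("bare")
    return name, addr.lower()


def registrable_label(domain):
    """'mail.hmrctax.co.uk' -> 'hmrctax': the label just above the (assumed) public suffix."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[0]


def under(domain, parent):
    """True if domain is parent itself or a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so the typosquat 'hrmc' is 1 edit from 'hmrc' (plain Levenshtein says 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(header):
    """Return (verdict, reason) for a From: header. Verdicts: 'ok', 'suspicious', 'reject'."""
    parsed = parse_from(header)
    if parsed is None or "@" not in parsed[1]:
        return "reject", "From: header could not be parsed"
    name, addr = parsed
    domain = addr.rpartition("@")[2]
    name_l = name.lower()

    # Check 1: the display name shows an address whose domain differs from the real sender.
    shown = re.search(r"@([\w.-]+)", name_l)
    if shown and shown.group(1) != domain:
        return "suspicious", f"display name shows @{shown.group(1)} but mail is from @{domain}"

    # Check 2: CEO Fraud shape, an executive's name on an address outside our own domain.
    if name_l in EXECUTIVES and not under(domain, OUR_DOMAIN):
        return "suspicious", f"'{name}' is one of our executives but the address is at {domain}"

    # Check 3: brand claims ('HMRCtax'-style domains or names) and one-edit typosquats.
    label = registrable_label(domain)
    for brand, genuine_domains in GENUINE.items():
        if any(under(domain, g) for g in genuine_domains):
            return "ok", f"{domain} is a genuine {brand} domain"
        if brand in label or brand in name_l:
            return "suspicious", f"claims to be {brand} ('{name}' / {domain}) but is not"
        if any(osa_distance(label, registrable_label(g)) == 1 for g in genuine_domains):
            return "suspicious", f"{domain} is one edit away from a genuine {brand} domain"

    return "ok", "no indicator in From: header (this is not proof of legitimacy)"


if __name__ == "__main__":
    for hdr in ("HMRC <noreply@hmrc.gov.uk>", "HMRC Refunds <refund@hmrctax.co.uk>",
                "Tax Service <service@hrmc.gov.uk>", "Jane Smith <jane.smith@gmail.example>",
                "noreply@hmrc.gov.uk <attacker@evil.example>"):
        print(hdr, "->", classify_sender(hdr))
```

The From: header is entirely under the sender's control, so an "ok" verdict here means only that this one attribute shows no lookalike; in a real filter it sits beside the SPF, DKIM and DMARC authentication results and the link and attachment analysis, and a verdict of "suspicious" is a reason to hold the message for review rather than to block it outright. The header parser deliberately covers only the two common shapes; production code should use a full RFC 5322 parser.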