The season for serious shopping is almost upon us – and with it come the problems of phishing and fraud. As the annual holiday and related shopping season begins, organisations are advised to remind their employees of the dangers of phishing e-mails, and to give them the training and technical support they need to avoid falling prey to scams, says Marcel Fouché, Networking and Storage General Manager at value-added distributor Networks Unlimited Africa, a channel partner of F5 in sub-Saharan Africa.
The F5 2018 Phishing and Fraud Report found that phishing continues to be a top attack vector and is, in many cases, the hacker’s tried-and-trusted, initial probe in multi-vector attacks, with phishing being the root cause of 48% of the data breaches that F5 Labs investigated during the period of the report.
F5’s research, which was also sub-titled ‘Attacks peak during the holidays’, outlined how phishing and cyberfraud increase steadily towards the end of the year, with incidents from October to December jumping an astonishing 50% or more above the annual average.
The report notes that this time-frame is the season ‘when phishers and fraudsters creep out of their holes to take advantage of people when they’re distracted – businesses are wrapping up end-of-year activities, key staff members are on vacation, and record numbers of online holiday shoppers are searching for the best deals, spending more money than they can afford, looking for last-minute credit, and feeling generous when charities come calling.’
The old saying, ‘forewarned is forearmed’, should prompt us into vigilance. This report reminds us that the general strategy of a phisher involves three distinct operations, namely target selection, social engineering, and technical engineering. It’s a combination of research, to a greater or lesser degree; baiting a metaphorical hook; and then supporting this ill-intentioned outreach with technological methods to lure the victim into the final trap, which, when successful, allows the phisher to harvest information or plant malware in the network.
We should also note that people today tend to voluntarily provide a great deal of useful information about themselves online. Additionally, large-scale data breaches unfortunately result in personal information being offered for sale. Together, these make it easier for scammers to tailor their phishing campaigns, which in turn makes those campaigns more effective.
In more detail, phishing works as follows:
- Target selection involves finding suitable victims, especially their e-mail addresses and, when the lure is more sophisticated, enough background information to find a psychological reason for them to click on the bait.
- Social engineering then involves ‘baiting’ the technical hook with a suitable lure that would entice a victim to ‘bite’, allowing the cybercriminal to steal their credentials or plant malware. In the case of spear-phishing, this lure is customised very specifically to the targeted victim.
- Technical engineering refers to the methods employed to compromise the victim, which can include building fake websites, crafting malware, and hiding the attack from security scanners.
But it’s not all doom and gloom. The report also offers valuable explanations of how phishing works, how to defend your network against phishing attacks, and the importance of training your employees to recognise malicious e-mails. Reducing the number of phishing e-mails that reach employee mailboxes is key, but you also need to accept that somewhere along the way, an employee will fall victim to a phishing attack.
It is, therefore, also vital to prepare your organisation with containment controls that include web filtering, anti-virus software, and multi-factor authentication, so that a single successful lure does not turn into a full breach. Silly season is going to be upon us all too soon, and so organisations are well-advised to empower their employees against the dangers of phishing e-mails, with training as well as technological defences.