At a glance
- Phishing attacks result in victims being tricked into clicking on a fraudulent email link or attachment
- While companies are investing heavily in technology to fight these attacks, human error makes all businesses vulnerable to phishing
- Zurich offers brokers practical guidance to help their customers mitigate the risks
This article counts towards accumulating your annual CII CPD structured learning hours for Emerging Risks.
By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Identify key emerging risks and describe their main characteristics.
Visit the CPD Hub to log in and begin accumulating CPD hours.
Cyber crime is a growing challenge for businesses of all sizes, with the latest police figures revealing there were 2.5 million cyber crimes in England and Wales over the past year. Cyber crime cannot be countered by technology alone.
Phishing attacks in particular require a combination of an effective human response and a technological solution.
Here, we examine why phishing can be a huge problem for brokers’ customers, and the strategies that can be deployed to fight off phishing attacks.
The scale of the phishing threat
Successful phishing attacks can give hackers access to a treasure trove of data, which they can use for financial gain.
There have been numerous high-profile attacks in the UK, including one that led to the theft of £1.2 million from hundreds of students, and the recent £20 million Dridex Trojan attacks, which targeted British banks and government agencies.
In the UK, there were more than 3,500 unique phishing attacks last year.
Phishing attacks work because they target human vulnerabilities that exist in every business.
Janet Roberts, Zurich’s Head of Security Awareness, Group Information Security, says: “Cyber criminals rely on the possibility of human error when planning a phishing attack. Perhaps the person is in a hurry while reviewing emails and does not check before clicking on a link. Or perhaps they have not been educated about phishing and the risks it poses.
“Criminals may try to infiltrate a firewall or other system, but a company with robust technology can often prevent these types of attacks. Companies are investing heavily in preventative technology, which is good, but they need to remember that without educating their people, employees remain a weak and obvious target.”
Fighting off phishing attacks requires a three-pronged approach: detection, reporting and technology.
1. How to detect a phishing email
Many fraudulent emails share common characteristics, such as:
- A generic greeting, e.g. “Dear customer” – in most organisations where people interact via email, they would be addressed by their name
- A threat to take action – banks, credit card companies or internet service providers wouldn’t notify somebody that their account was in danger via an email threat, but cyber criminals might
- Requests for personal information – e.g. passwords, PINs or log-in details
- Spelling/grammatical errors – cyber attacks originate from all over the world and English is often not the attackers’ first language. Although some criminals now employ proof-readers to catch spelling mistakes, other grammatical or syntactical errors may still give cause for suspicion
- Addresses that don’t match up – one of the most basic, but important, phishing defences is to hover the mouse over a link (without clicking). The website URL will then appear on screen. Comparing this URL with the typed address will give a good indication as to whether the link is genuine (see infographic)
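The checklist above can be turned into a simple automated screen. The following Python script is an added example, not code from the original article or from Zurich; it scans a constructed HTML email body for a generic greeting, a request for credentials, and links whose visible address differs from the real destination, which is the hover check the last bullet describes. The sample message, the example.net and examplebank domains, and the word lists are assumptions made for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
CREDENTIAL_REQUEST = re.compile(r"\b(password|pin|log-?in details|security code)\b")

def _host(value):
    """Lowercase hostname of a URL or bare domain; '' if the text is not an address."""
    value = value.strip().lower()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname or ""
    return host if DOMAIN.fullmatch(host) else ""

class _LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs for every <a> element in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_indicators(html_body):
    """Return the warning signs found in an HTML email body, as strings."""
    findings = []
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if CREDENTIAL_REQUEST.search(plain):
        findings.append("requests credentials")
    parser = _LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        shown, real = _host(text), _host(href)
        # The displayed text is an address, but the link really goes elsewhere
        if shown and real and shown != real:
            findings.append(f"link text {shown} resolves to {real}")
    return findings

# Constructed sample message for the demo, not a real phishing email
SAMPLE = ('<p>Dear customer,</p><p>Your account will be suspended. Confirm your password '
          'at <a href="http://login-verify.example.net/x">www.examplebank.com</a>.</p>')
```

Running `phishing_indicators(SAMPLE)` flags all three signs; a message that greets the reader by name and whose link text matches its real host produces an empty list.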
2. Importance of reporting phishing attacks
Companies should establish clear mechanisms for staff to report suspicious emails to their IT department straightaway.
If an employee has clicked on a link they suspect contains malware (unwanted/hostile software), prompt reporting will help the company to stop it from spreading. Even if the employee has not clicked on the suspicious link or attachment, reporting the incident will allow the company to investigate whether any other employees may have done so. The time it takes to detect and respond to an attack is critical.
Verizon’s 2015 Data Breach Investigations Report highlights how, in a majority of cases (60%), attackers are able to compromise an organisation within minutes.
Phishing and spear phishing – what’s the difference?
Phishing is when a cyber criminal lures their victim into inadvertently dropping malware onto their computer or their company’s network, by clicking on an authentic-looking link or attachment on an email.
The malware can spread through the victim’s computer network, potentially giving the attacker access to sensitive company information, including personal and financial details about employees, suppliers or customers.
Often, the fraudulent emails purport to be from a large organisation such as a bank. However, some phishing emails are designed to convince the recipient the sender knows them personally. For example, the email might address them by name, and purport to be from a colleague, or senior manager. This is known as spear phishing.
One study found that while 80% of companies have a process for employees to report phishing, more than half (52%) of companies say their staff report fewer than a quarter of the suspicious emails they receive.
It is therefore vital that companies foster an environment in which employees understand their role in preventing phishing, and that employees are updated regularly on the latest phishing lures being used.
3. Importance of regular updating of technology
Cyber criminals are continually adapting their methods to make their phishing lures harder to spot. Therefore, while a human line of defence can complement a technological solution, it cannot replace it.
As cyber security company Proofpoint observes in The Human Factor 2015 report on phishing: “While an important tool, user education cannot be the last line of defence: organisations should deploy automated defences capable of detecting and blocking threats that do not look or behave like previously known threats.”
Proofpoint’s research highlights that on average, one in 25 malicious messages is clicked on, and that this ratio remains almost exactly the same regardless of an organisation’s size or how many malicious messages it receives.
Cyber criminals realise that if they keep attacking, they will find a soft target sooner or later. However, companies that have built a human line of defence to back up their IT solutions will be best placed to minimise the risk of becoming the criminals’ next victim.
For more information on helping customers manage their cyber security risks, please speak with your local Zurich contact.