Taking place on October 18 and 19 at ExCeL London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.
The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.
Dr. Vasileios Karagiannopoulos is Co-Director of Centre for Cybercrime and Economic Crime at the University of Portsmouth. He will be at #RISK London to participate in a panel debate exploring phishing and what organisations can do to best combat the malicious practice in order to optimise cybersecurity.
How Phishing Attacks Are Getting Better, and What to Do About It
Wednesday 18th October 2023, 14:00 - 15:00 BST
We caught up with Vasileios to hear more about his career so far and for an introduction to the issues at the heart of his forthcoming #RISK London session.
Could you briefly outline your professional journey to date?
I started my professional journey by studying Law at Athens Law School in Greece. Then I went into internet law and cyber law. Driven by my passion for this subject, I pursued a Master’s degree in Information Technology and Telecommunications Law at the University of Strathclyde, where I subsequently completed a PhD that focused on Hacktivism.
During the course of my PhD, I taught at both the University of Strathclyde and the University of Edinburgh. Following the successful completion of my PhD, I secured a position in Portsmouth, where I have been for the past nine and a half years.
Presently, I am a Reader (or Associate Professor) in the fields of Cybercrime and Cybersecurity. I am also Co-Director of the Centre for Cybercrime and Economic Crime, as well as the Director of the Cybercrime Awareness Clinic.
Could you describe the current phishing attack landscape – what are the latest methods being employed by threat actors to disrupt organisational security?
The current phishing landscape features both consistent and constantly evolving elements. Phishing, in itself, serves as the enabler to various cybercrimes, such as malware distribution, data theft, fraud, and ransomware attacks. Its goal is to gain unauthorised access to sensitive information, allowing cybercriminals to exploit credentials and engage in identity theft or fraud, etc.
Phishing techniques typically capitalise on people’s vulnerabilities, manipulating their emotions, anxieties, and desires. Commonly, fraudsters play on individuals’ fears by sending deceptive messages related to banking, like false claims of overseas account usage leading to termination.
The COVID pandemic saw a surge in phishing scams exploiting people’s concerns over the virus, medical treatment, vaccines, and even parcel deliveries due to lockdowns. Cybercriminals seize any opportunity in the media or public attention to orchestrate phishing scams.
For instance, they took advantage of publicised events like supporting war-torn Ukrainians, deceiving individuals into providing personal information or financial details. Currently, with the ongoing wildfires in southern Europe, it is highly probable that phishing scams related to supporting affected populations have emerged.
We’re also witnessing a surge in phishing scams through text and chat messages, particularly via WhatsApp, which is widely used worldwide. Even LinkedIn, the professional networking platform, is not immune to phishing attempts. The nature of LinkedIn necessitates sharing professional details, making it a prime target for phishing attacks, especially when it comes to people starting new jobs or high-profile individuals, like CEOs and CFOs, falling victim to “whaling” scams.
A concerning development is spear phishing, which has gained popularity due to the abundance of personal information available on social media. Cybercriminals exploit this data to craft targeted and convincing phishing messages.
Interestingly, there’s talk about cybercriminals potentially using AI tools like ChatGPT to create more sophisticated and grammatically accurate phishing emails and messages. While not a straightforward process, people have managed to manipulate the AI’s instructions to generate convincing content that they can then modify for phishing purposes.
Moreover, on the horizon, there’s the emerging concern of deep fakes in phishing attempts. Cybercriminals may utilise someone’s voice data from social media or platforms, like YouTube, to create highly convincing voice phishing messages, leading people to believe they’re receiving calls from their bosses, relatives, or friends.
What are key strategies businesses should be employing in order to mitigate risk?
There are two crucial aspects to consider. Firstly, the technical defences play a vital role as the first line of protection. Implementing strong security measures like firewalls, antivirus scanners, and effective spam filters can prevent a significant portion of malicious messages from reaching employees.
Creating clear and comprehensive policies regarding the use of personal devices for work, especially with the rise of remote work during the COVID era, is equally important. Striking the right balance between enforcing these policies and allowing flexibility for employees to comply with them is essential.
The second key element revolves around education. As someone running a cybercrime awareness clinic, I can attest to the challenges businesses face in this area. Traditional tick-box exercises and structured training tend to be dull and uninspiring, making it challenging for employees to retain the information over time.
To combat this, a shift towards more engaging and interactive training programs is necessary. Since phishing often targets employees’ vulnerabilities, fostering a heightened awareness through dynamic and proactive training is crucial. We need to encourage critical thinking when evaluating incoming information and assessing potential vulnerabilities to stay ahead of evolving tactics.
What progress is being made in terms of behaviours that mitigate cybercrime risk?
In the past, there was a tendency for victim blaming, which proved counterproductive as people tried to hide their mistakes, allowing compromises to worsen.
Thankfully, forward-thinking CISOs, DPOs, and Information Governance Officers are leading the charge for change. They are transforming training methods by incorporating gamification to make it more engaging and rewarding. Instead of punishment and scaremongering, the focus now lies on rewarding employees for identifying phishing scams, fostering a more empowering training environment.
While progress is evident, there’s still much ground to cover. Some businesses resist conducting proper training, sticking to basic tick-box exercises just to claim compliance.
The culture within an organisation plays a crucial role in promoting security. Management needs to perceive cybersecurity as a business enabler rather than an obstacle. A critical shift is to recognise that strong cybersecurity practices enhance the organisation’s reputation, making it more appealing to customers and collaborators who trust their data and interactions will remain secure.
Creating a culture of security champions is vital, ensuring active promotion and participation in security initiatives, updates, and training.
Moreover, it’s essential to highlight the competitive advantage of good cybersecurity hygiene. Sound cybersecurity practices lead to more efficient and organised systems, better data management, and increased employee productivity. Businesses that prioritise cybersecurity gain trust and credibility as reliable third-party suppliers, which, in turn, attracts more business opportunities.
With more and more data available about potential targets, and increasingly advanced methods to impersonate trusted individuals, it can sometimes feel like security teams are fighting a losing battle against social engineering.
But as threat actors develop better tools for tricking employees and consumers, security experts develop more sophisticated methods for stopping them.
This session examines the various technical and organisational measures that your organisation can implement to defend against phishing – one of the most pervasive and effective security threats.
Also on the panel:
- Federico Iaschi, Head of Cyber Resilience and Observability, Virgin Media O2
- Tina Forrester, Data Protection Officer, Liverpool John Moores University
- Jonathan Craven, Privacy and Compliance Lead, UK/Europe, iRhythm Technologies
Session: How Phishing Attacks Are Getting Better, and What to Do About It
Location: Security Theatre
Time: 14:00 – 15:00 GMT
Date: Wednesday 18 October 2023
The session sits within a packed two-day agenda of insight and guidance at #RISK London, taking place on October 18 and 19 at ExCeL London.
The event unites thought leaders and subject matter experts for a deep-dive into organisational approaches to handling risk. Content is delivered through keynotes, presentations and panel discussions.