Experts at PrivSec Global discuss the threat of phishing

Day two of PrivSec Global saw a panel of industry leaders talk through the threat that businesses face on a daily basis, and what companies can do to stay one step ahead of the fraudsters.

Setting the scene, Ranjeeth Bellary, Associate Partner at EY India, said:

“I think the biggest issue we see is what sort of damage [phishing] can do to an organisation. Almost 90% of the cyberattacks we see today are part of some phishing attack. They’re a lot riskier than they used to be; [scammers] could be going after user credentials or trying to trick financial teams.”

Commenting on why employees are so vulnerable, Ranjeeth said: 

“We are curious to know about things; we have easy access to digital content and it’s easy for us to not know what’s happening. This is where hackers want to exploit people, if they send you something you could be interested in.”

“During Covid in India, hackers exploited people by making them think that they were being sent information regarding COVID due to the lack of information available.”

Discussing how employees can be made more aware of signs of phishing campaigns, Ranjeeth said:

“I think that I would put it into two dimensions: Firstly, awareness, and secondly, technology. 

“Regarding awareness, a lot of organisations are doing new training programs for their employees which show different scenarios and phishing schemes. Also, simulation-based training – send phishing emails to employees and see what results you get. 

Regarding technology, use technology to understand that if there are links within an email are they coming from a valid source?” 

Delving deeper into the threat realities of phishing attacks, Jack Chapman, VP of Threat Intelligence at Egress, said:

“A modern phish looks professional; it’s believable and it’s very targeted. Recently there’s been a move away from targeting financial services with phishing.

“There’s also been a change in hacker technology. For me, the main driving force behind this step change is Crime as a Service (CaaS). They’re scoping out their targets and it’s a maturity of the criminal ecosystem. With phishing, the ability to purchase pre-done research on an organisation’s weaknesses and being able to buy a phishing kit they can launch in five mins for thousands of dollars.”

“Attacks come by text, email or voice. They create special mobile phone templates; if a computer reads it, it’s complete garbage. Email is the most common channel, but there is a rise in attacks to your mobile. 

“More people are working from home after Covid and one of the core risks is if I can link someone’s personal life to their business life the information quadruples. In terms of understanding who is being targeting and why, look up the kill chain. Why are they choosing my employees and how?”

Vickie Guilloit, Partner at Privacy Culture, said:

“Mobile devices – emails look very difficult, and might not pick up that it’s a phishing email.”

Looking at how success against phishing can be measured, Ranjeeth said:

“I think that a lot of this training that organisations are doing, once they do the training, they must ask how the employees are responding. Send a fake phishing scam to 100 employees, if 10 open it, look at what do they do. There needs to be a holistic way of looking at it and at how you’re securing your organisations network.”

“It’s not uncommon for people to hear about cyber-attacks and phishing, so people can get bored of the messages and notifications,” Ranjeeth added. The advice, therefore, is to prioritise training and security. People who are vulnerable need to be made aware of how they could be targeted, i.e. people who are not tech savvy,” he concluded.

Jack Chapman said:

“As we know as an industry, there’s a cyber skills shortage globally. If attackers know that there’s no point targeting you because you’re secure, you’re less likely to get attacked.

“I think it’s imperative that we look at phishing holistically. For me test campaigns are one test in our tool box, and you have to utilise intelligence to make it useful. If you know what your risk is you can target your awareness accordingly.”

Commenting on the availability of affordable tech for small businesses, Jack said:

“Egress has a fantastic phishing tool but there are other things. As a small business, it’s easier to keep your risk profile low, follow the core standard security principles and be aware of your associations as this could bring you to the attention of an attacker.

“Organisations should have playbooks for phishing situations so that they are prepared. Once you’ve been phished, statistically you’re more like to get targeted again,” he warned.