Yes, I heard this at a meeting with the CISO of a well-known establishment just the other day. It was a commonly held belief just a few years ago, and many who held it are now eating crow. When do you recognize that phishing is your problem, and a costly one to ignore? Efforts to help customers and employees learn to protect themselves and not fall for deception are important, but nowhere near enough. Google research found that the most effective phishing pages still fooled 45% of the people who visited them, with stolen accounts being accessed within 30 minutes. According to the same report, even the least effective phishing pages, with success rates of around 3%, are dangerous when the lure goes out to millions of recipients. Protecting your brand from the consequences of phishing (costly data breaches, wide-spread system infiltration, and unauthorized transactions) carries a greater responsibility: an ongoing effort to identify attackers, get ahead of them, and take down malicious sites and services before you suffer what could be crippling losses.
Phishing has certainly played a key role in contributing to the vast number of credentials (over 300 million), banking details and personal (or corporate) identities for sale on the underground internet. Keylogging, form grabbing and other spyware remain common tactics, but there is increasing use of fake websites designed to look like legitimate login pages. These fraudulent sites successfully lure unsuspecting users into volunteering their information. Delivered through email or social media lures, phishing has become a weapon of choice for many attackers. It is also used to deploy malware that not only harvests valuable information but sets up larger exploits: controlling devices, evading detection, gaining access to protected, high-value information and assets, and executing a transaction or a full attack against a specific application. Verizon estimates that two-thirds of cyber espionage incidents have a phishing component. Given what was reported about the Sony attacks, a phishing attack may have been instrumental in one of the most prominent data breaches of all time, with losses estimated to have reached 15 million dollars.
The point, however, is that guarding against phishing threats (and client-side credential theft) should be an area of focus for companies, institutions and agencies alike. Attackers are monetizing credentials, seeking high-value information, and seizing the assets of businesses of all sizes and types. Don't hold off on protecting your users against threats that target them in order to breach your systems or execute fraudulent transactions.
Here are 4 best practices that can protect your customers, employees, and brand
1. Obfuscate form fields: Slow attackers down by obscuring the form fields on internet-facing login pages and other forms where users enter confidential information (for example, by giving fields unpredictable names that change from session to session), so that the fields are ambiguous or unknown to the malware and phishing kits built against your page.
2. Encrypt information at rest in the browser: Protect values as users type them into form fields, before the form is submitted and the data is transmitted over TLS. Transport encryption begins only when the request leaves the browser; malware running inside the browser sees the plaintext before that.
3. Protect against client-side malware: Identify at-risk devices, meaning those that have been jailbroken or rooted ("unlocked"), are considered vulnerable, or already contain malware.
4. Identify phishing sites before the emails go out: Be informed when your website has been copied and uploaded to spoofed hosts, and when your customers have fallen victim to the related phishing lures.
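The following is an added example, not code from the original post or from any product it describes, showing one way practices 1 and 2 fit together: the server renders each login field under a random per-session name and keeps the mapping in the session, and the page script encrypts the sensitive value with the server's public key before it enters the request body. It uses Node's built-in crypto module so it runs offline; in a browser the same steps would use window.crypto.subtle. The field names, the key pair, and the sample credentials "alice"/"hunter2" are assumptions made for the example.

```javascript
const crypto = require('crypto');

// Server key pair used only to wrap sensitive field values before they are
// submitted. Generated inline for this example; a deployment would provision
// and rotate the key and never expose the private half to the client.
const serverKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server side: build the form for one session. Each logical field ("username",
// "password") is rendered under a random name. The mapping lives only in the
// server-side session, so a phishing kit or form grabber written against a
// captured copy of the page cannot tell which field carries the password.
function buildFormSpec(logicalFields) {
  const spec = {};
  for (const [logical, opts] of Object.entries(logicalFields)) {
    spec[logical] = {
      name: 'f' + crypto.randomBytes(8).toString('hex'),
      sensitive: Boolean(opts.sensitive),
    };
  }
  return spec;
}

// Client side: what the page script does on submit. Sensitive values are
// encrypted with the server's public key (RSA-OAEP, so at most ~190 bytes per
// value with a 2048-bit key; longer values would need hybrid encryption)
// before they enter the request body, so anything hooking the POST after
// this point sees ciphertext rather than the password.
function clientSubmit(spec, serverPublicKeyPem, values) {
  const body = {};
  for (const [logical, field] of Object.entries(spec)) {
    const raw = values[logical];
    let value = raw === undefined ? '' : String(raw);
    if (field.sensitive) {
      value = crypto
        .publicEncrypt({ key: serverPublicKeyPem, ...OAEP }, Buffer.from(value, 'utf8'))
        .toString('base64');
    }
    body[field.name] = value;
  }
  return body;
}

// Server side: map the random names back to logical fields and unwrap the
// sensitive ones. A submission that does not carry this session's names
// (a replay, or a form built from a stale copy of the page) is rejected.
function serverResolve(spec, serverPrivateKeyPem, body) {
  const resolved = {};
  for (const [logical, field] of Object.entries(spec)) {
    if (!Object.prototype.hasOwnProperty.call(body, field.name)) {
      throw new Error(`field "${logical}" missing or submitted under a stale name`);
    }
    let value = body[field.name];
    if (field.sensitive) {
      value = crypto
        .privateDecrypt({ key: serverPrivateKeyPem, ...OAEP }, Buffer.from(value, 'base64'))
        .toString('utf8');
    }
    resolved[logical] = value;
  }
  return resolved;
}

// Round trip on constructed input: returns the session spec, the body as it
// would travel on the wire, and the server's decoded view for inspection.
function demo() {
  const spec = buildFormSpec({ username: {}, password: { sensitive: true } });
  const body = clientSubmit(spec, serverKeys.publicKey, { username: 'alice', password: 'hunter2' });
  const resolved = serverResolve(spec, serverKeys.privateKey, body);
  return { spec, body, resolved };
}
```

Be clear about what this buys. A generic form grabber or a kit built from a copy of the page no longer finds a field called "password", and the POST body never carries the plaintext, but a keylogger still sees the keystrokes and malware with DOM access can read the input before the script encrypts it. It raises attacker cost; it does not replace TLS, multi-factor authentication, or server-side fraud detection.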
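For practice 4, one common way to learn that your login page has been copied is to watch your own web server logs: a phishing kit cloned from the real page often keeps references to your logo and stylesheet, so victims' browsers fetch those assets from your server with a Referer header pointing at the attacker's host. The detection below is an added example written for this page, not the original post's code or any product's. The asset paths, the owned hostnames, and the sample log lines (RFC 5737 addresses, a ".invalid" attacker hostname) are all constructed for the example.

```javascript
// Assumed for the example: the login page's static assets and the hosts we own.
const LOGIN_ASSETS = ['/static/logo.png', '/static/login.css'];
const OWN_HOSTS = new Set(['www.example.com', 'login.example.com']);

// Apache/nginx "combined" log format:
//   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

// Hostname from a Referer value; null when absent ("-") or not a URL.
function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Scan log lines for login-page assets fetched with a Referer on a host we do
// not own. Returns one finding per foreign host, busiest first, with the
// assets it hot-linked and the client IPs that loaded them (likely victims).
function findHotlinkedLoginAssets(lines, assetPaths = LOGIN_ASSETS, ownHosts = OWN_HOSTS) {
  const byHost = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;                         // unparseable line: skip
    const path = rec.path.split('?')[0];        // drop cache-busting query strings
    if (!assetPaths.includes(path)) continue;   // only the login page's own assets
    const host = refererHost(rec.referer);
    if (host === null || ownHosts.has(host)) continue;
    let finding = byHost.get(host);
    if (!finding) {
      finding = { host, hits: 0, firstSeen: rec.time, assets: new Set(), sourceIps: new Set() };
      byHost.set(host, finding);
    }
    finding.hits += 1;
    finding.assets.add(path);
    finding.sourceIps.add(rec.ip);
  }
  return [...byHost.values()]
    .map((f) => ({ ...f, assets: [...f.assets].sort(), sourceIps: [...f.sourceIps].sort() }))
    .sort((a, b) => b.hits - a.hits);
}

// Constructed sample log: one legitimate load, two loads from a cloned page,
// one direct fetch with no Referer, and one non-asset request.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2015:09:12:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "https://www.example.com/login" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Mar/2015:09:14:33 +0000] "GET /static/login.css HTTP/1.1" 200 2211 "http://example-com-login.invalid/verify.php" "Mozilla/5.0"',
  '198.51.100.24 - - [10/Mar/2015:09:14:35 +0000] "GET /static/logo.png?v=3 HTTP/1.1" 200 5123 "http://example-com-login.invalid/verify.php" "Mozilla/5.0"',
  '192.0.2.9 - - [10/Mar/2015:09:20:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "-" "curl/7.40"',
  '192.0.2.10 - - [10/Mar/2015:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 100 "http://other.invalid/" "Mozilla/5.0"',
];
```

Running findHotlinkedLoginAssets(SAMPLE_LOG) yields a single finding for example-com-login.invalid with two hits, both assets, and two source IPs that are candidates for a "your credentials may be compromised" follow-up. The signal is best-effort: a Referrer-Policy or an HTTPS-to-HTTP downgrade can strip the header, and a kit that bundles your assets locally leaves no trace here, so pair it with a small script in the page that reports its own location.hostname when it is not one of yours, and with domain and brand monitoring.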
Give this serious thought, and don't wait until the price tag for resolving such matters reaches $15,000,000. Consider taking the actions above to improve your overall security posture and to protect against phishing and credential theft. You cannot expect employees or customers to always make the right choice when browsing the web, and your security strategy and its effectiveness should not depend on your users or require their involvement. Put measures in place that provide a degree of confidence that the information behind the internet-facing applications your customers and employees use is protected against attackers who target those users to gain access.