Brushing up on Brand Protection – Why phishing is a growing business for cybercriminals


    by Stuart Fuller (CentralNic)

    In a series of short articles explaining some of the growing trends in intellectual and physical asset risks, Stuart Fuller examines one of the most common issues facing brands and consumers alike, CEO Phishing.

    According to a report issued last year by Lloyds Bank Plc, CEO Fraud, or Business Email Compromise (BEC) attacks, cost small to medium-sized enterprises an average of £27,000. More worryingly, they reported that more than half of the respondents had received an email from a fraudster pretending to be their boss.

    In their Phishing and Malware Review of 2019, Cofense, one of the global leaders in threat management solutions, saw nearly 2,700 different attacks in the six-month period to March 2019. The vast majority of all cyberattacks start with a phishing email. One click from one unsuspecting user and the results can be devastating for a business. Worryingly, one of the biggest motivations for people being fooled by phishing emails is actually curiosity.

    We are naturally suspicious in the real world, but put us in front of a computer or a smart device and that barrier falls; we seem to believe that just because we can’t see anyone doing anything wrong, everything is fine. It will probably surprise you just how many people genuinely believe the contents of a phishing email. With so few organisations having processes in place to verify that an email from a superior is genuine, it is no wonder that reports of such attacks were up by over 50% in 2018.

    Some people are motivated by reward or even the opportunity to see something salacious, whilst others are driven to act by the fear of not completing a particular task, especially when the phishing email is targeted at particular employees in instances of CEO fraud.

    CEO Fraud is a targeted phishing attack, aiming to fool an employee into making a financial payment or revealing sensitive data by pretending to be from an executive of the same company. In large companies, where there isn’t a close relationship between the executives and admin staff, such as those responsible for making payments, there is even more of a risk.

    "Fear and urgency are a normal part of everyday work for many users," says Aaron Higbee, former co-founder and CTO of PhishMe. "Most employees are conscientious about losing their jobs due to poor performance and are often driven by deadlines, which leads them to be more susceptible to phishing."

    Whilst we are used to seeing poorly written emails with very unlikely stories about millions of dollars in foreign bank accounts, cybercrime has moved on, and today’s most successful phishing attacks are very carefully planned, look like the real deal and are often targeted at perceived weak points in an organisation, most notably its staff.

    The economic and reputational damage to victims of “successful” phishing attacks can be huge. UK Finance, the collective voice for the UK banking and finance industry, representing more than 250 firms, reported that total losses in the UK alone last year were nearly £15m. However, this only accounts for those cases where the fraud was reported – corresponding data from other countries suggests that a far greater number are never reported by organisations, for a variety of reasons.

    In the US the problem is much larger. According to FBI statistics, CEO fraud is now a $12 billion problem, with cases reported in every state. In November 2018, a major French cinema chain revealed they had lost over $20 million due to CEO fraud.

    So how can employees be part of the solution and not become the catalyst for major problems? One of the oldest sayings may be over-used but it still holds true – if it looks too good to be true, it almost certainly is. Some very simple checks can ensure the risks of becoming a victim of a phishing attack are significantly reduced. If you have ANY doubts about the validity of an email:

    • Check the actual domain name used in the email address: Whilst email addresses can be spoofed, many attacks rely on cybersquatted or typosquatted domain names, so look past the display name at the domain after the @.
    • Check the WHOIS record: If the registrant details are masked, or the domain was registered in the last few days, warning signals should be flashing in your mind.
    • Use an email authentication service: Checking SPF, DKIM and DMARC results will significantly reduce exposure to phishing emails, but beware that it is not a panacea; a lookalike domain the attacker owns can pass all three.
    • Trust your common sense: A large dollop of common sense can work wonders in reducing phishing fraud in the workplace. However, today’s workplace is a high-pressure, deadline-driven environment, and as such the time needed to look at things with a critical eye is in short supply.
    • Education: Awareness education is the fastest, cheapest and most effective solution for all employees and is the last line of defence against such attacks. Organisations also need to ensure that they have sufficient monitoring and blocking solutions in place to stop potential attacks reaching their staff. Using an anti-fraud monitoring solution from BrandShelter will provide that essential front-line defensive wall for brands, keeping them protected against the increasing threats that BEC presents in the digital landscape.
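The first three checks in the list above can be automated at the mail gateway or in a triage script. The following Python script is an added example, not code from the article or from CentralNic/BrandShelter. It assumes a hypothetical organisation domain (`example-corp.com`), a constructed in-memory stand-in for WHOIS lookups, and three constructed sample messages whose `Authentication-Results` header was stamped by the organisation's own inbound mail server. It flags lookalike domains (close edit distance or the same label under another TLD), recently registered or privacy-masked domains, and failed SPF/DKIM/DMARC results. The lookalike sample deliberately passes all three authentication checks, which is exactly the case where authentication alone is not a panacea.

```python
"""Automated triage of a suspicious sender, following the three technical checks above.

All domains, WHOIS data and messages are constructed for this example; nothing queries the network.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domain(s) the organisation actually sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed stand-in for WHOIS lookups; a real check would query the registrar or an RDAP service.
FAKE_WHOIS = {
    "example-corp.com": {"created": datetime(2005, 3, 1, tzinfo=timezone.utc), "masked": False},
    "examp1e-corp.com": {"created": datetime(2024, 5, 28, tzinfo=timezone.utc), "masked": True},
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted domain is the signature of typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name, which an attacker sets freely."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        # Same label under another TLD (example-corp.co) or a close edit (examp1e-corp.com).
        if domain.split(".")[0] == t.split(".")[0] or levenshtein(domain, t) <= max_distance:
            return t
    return None


def registration_flags(domain: str, whois=FAKE_WHOIS, now: datetime = NOW, max_age_days: int = 30) -> list:
    """Flags from the WHOIS record: no record, masked registrant, or very recent registration."""
    record = whois.get(domain)
    if record is None:
        return ["no-whois-record"]
    flags = []
    if record["masked"]:
        flags.append("registrant-masked")
    if (now - record["created"]).days <= max_age_days:
        flags.append("registered-recently")
    return flags


def auth_results(msg) -> dict:
    """Read SPF/DKIM/DMARC verdicts from the Authentication-Results header added by our own MTA."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)}


def triage(raw_message: str, now: datetime = NOW) -> dict:
    """Combine the three checks into a list of flags; any flag means a human should verify out of band."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    flags = []
    target = lookalike_of(domain)
    if target:
        flags.append(f"lookalike-of:{target}")
    flags += registration_flags(domain, now=now)
    auth = auth_results(msg)
    if not all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        flags.append("authentication-not-passed")
    return {"domain": domain, "flags": flags, "suspicious": bool(flags)}


# Constructed sample messages: a genuine one, a lookalike domain the attacker owns, and a spoofed header.
LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass
Subject: Q2 numbers

Attached as discussed.
"""
LOOKALIKE = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass
Subject: Urgent: payment needed today

Can't talk now, please action before 5pm.
"""
SPOOFED = """From: "Jane Doe, CEO" <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=fail dkim=none dmarc=fail
Subject: Urgent

Call me.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, triage(sample))
```

The lookalike message is flagged purely by the domain and WHOIS checks; its authentication results are clean because the attacker controls `examp1e-corp.com`. The spoofed message has the genuine domain and is caught only by authentication. Neither check replaces the other, which is why the list above asks for all of them.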