All About Phishing Countermeasures

Bianca Wirth works as the corporate security manager of education and awareness at a large Australian insurance company specialising in mitigating the risk of data breaches resulting from phishing attacks. She is also lecturing a free Phishing Countermeasures online course for Charles Sturt University and industry partner, IT Masters. She spoke with The Download about the nature of phishing, the career opportunities, and the need to understand this challenge for IT security professionals.

The Download: What does your role at the coal-face of countering phishing attempts at a large corporate involve?

Bianca Wirth: Essentially, I am involved with identifying and educating employees, partners, and customers about the key cyber and physical risks faced by the organisation. There are technical risks that are covered by the IT department and cyber security team, but I look more at the human side of things in terms of ‘what are our people and customers doing that puts the organisation at risk?’. This includes data breaches, for example, or having their data stolen by malicious actors (MA) or by putting the company in some sort of critical situation.

Phishing is on the rise. It has become a very effective and popular method of data breaching. That is because it works and because data that is stolen has currency thanks to the dark web. The “bad guys” know that many people get fooled and that it can be more technically simple to achieve than some of the traditional hacking methods.

TD: How would you briefly describe what phishing is?

BW: Phishing is a sub-category of spam which has become a massive problem. It is on the malicious side of spam and tends to be used by cyber criminals to con people.

Phishing uses email messages to entice recipients into clicking on a link that leads to websites which are designed to deceive people into revealing sensitive information about themselves or the data they have control of. It is also commonly used to trick people into downloading malware, for instance, that may encrypt data for ransom or to record keystrokes in the hope of picking out account credentials or other valuable details.

One method that is very popular with cyber criminals is emulating popular websites such as Twitter, LinkedIn or Amazon - anything that might be associated with a credit card. PayPal and freight companies are also popular with the end-game being to scrape and use your log-in and password details for their own nefarious purposes.

There are multiple levels of sophistication in phishing attacks and multiple ways they can catch you out. Sometimes there may be a malware download that starts as soon as you click on the link and then runs in the background without you ever knowing it is there. Other times there may be more blunt force used where you download ransomware that encrypts your data, or they divert you off to a page where they ask you to log-in and thereby capture those details in those process.

TD: Why is it important for people who work in IT security and IT management to have a solid understanding of phishing?

BW: There is enormous potential for damage to occur as the result of phishing attacks which can have significant commercial, political and broader economic impacts. Over $90 million was lost

to scams in the last 12 months and, at last count, phishing accounted for one on seven of all scams in Australia.

It is getting much easier for people to run these scams now. Cyber criminals have commoditised the tools needed to engineer phishing scams to the point where aspiring malicious actors can now buy complete packaged kits on the dark web to get started in the art of deceiving email recipients into clicking on a link that facilitates nefarious outcomes.

There are even operators that have gone to the extent of providing support. You can literally ring a help line and get assistance in trying to scam someone out of money, information or data using their tools. It is becoming a more formalised, sophisticated operation and it is moving into the realm of commercial structure.

Meanwhile, it’s not just organised hackers orchestrating the carnage. There are organised crime groups from all over the world getting in there now and looking for their piece of the cake because it allows them to break out of their local presence and go global.

So, the threats are more numerous, more sophisticated and more diverse in content and purpose which means that every individual and organisation needs to be on their guard. Education and awareness is key to limiting the number of people who are hoodwinked into clicking on links that carry an ulterior motive.

TD: What is the end result that cyber criminals are looking to achieve with phishing attacks?

BW: There are multiple end games, but they are generally to do with financial gain or identity theft with a view to using stolen personal data to financial advantage.

For example, if they steal your personally identifiable information - such as your name, your birthdate or other information that can be used as identification authentication - then they can use that to start a bank account in your name or take out a loan.

That’s just a couple of examples. It could be any type of malicious activity that happens thereafter but usually it is all about garnering information for direct financial gain.

TD: What sort of data are typically being targeted by phishing attacks?

From a personal perspective, they are generally targeting unique personal information or access to actual financial accounts. From a corporate perspective, they’re looking to defraud your company of funds or obtain sensitive information.

There are many instances of using email to present fake invoices in the hope that they will be inadvertently paid. Some of the world’s leading digital companies including Google and Facebook have been defrauded of tens of millions of dollars through phishing scams while there are probably millions of instances of smaller frauds that have been successfully orchestrated in this manner. Most attacks would not be publicised and some would not even have been detected.

TD: Where do phishing attacks come from? Is there any sort of typical profile that you can attribute to criminals using phishing attacks?

BW: A report came out from Kaspersky in Q3 of 2017 and it found that the top five areas where spam and phish emails were coming from were China, Vietnam, USA, India and Germany. Not the first nations that would come to mind when you think about this subject.

There is a lot of variation in the type of attacks. Some malicious actors take the approach of trying to get a small amount of money from a lot of victims while others may be engineering highly advanced stings that take a lot of money from a single large incident.

TD: What are the biggest phishing stories/outbreaks that you know of in recent times? How successful were they?

I think one of the problems is that a lot of the high-profile data breaches or other cyber security incidents don’t get attributed to a phishing attack, when that is most likely exactly what happened.

It can be difficult to attribute to a single incident sometimes. For example, it may well have started as a phishing attack where someone (or multiple people) within the organisation accidentally gave away their credentials and then the successful malicious actor logs-in and infiltrates the network to harvest whatever they can and then work out how to monetise it later.

Some of the higher profile incidents I can think of include the previously mentioned Google and Facebook examples which goes to show that even the biggest, most technologically advanced, digital companies are not fully prepared to effectively meet these threats.

There was another incident where a European wire and cable manufacturer called Leone AG in Europe lost about 40 million euros. They were targeted by a phishing email that tricked them into transferring large amounts of money paying false invoices which is a very common thing for organisations to look out for.

It only takes one person with the right credentials to be successfully targeted for an organisation to become a significant victim of a phishing attack. They just have to be fooled into clicking on an email link and put in their access details for the financial losses to start mounting and the perpetrators are getting far more sophisticated every day in getting people to accidentally surrender critical information.

That is probably the scariest thing about it; the human side of things. People must be educated not to click on links that they weren’t expecting. It only takes one person to drop their guard and the breach is realised.

TD: Are there any numbers that can be put on the extent of damage being caused by phishing attacks?

BW: It is hard to put numbers on it. We only hear of numbers from people who are willing to disclose that they have been defrauded. It is quite feasible that these are just a small fraction of what is going on because so many would not want to disclose out of embarrassment or because it could affect customer confidence or competitive advantage.

In addition, there is no single source of data on the total financial losses generated by scams and phishing attacks. In Australia, the government agency, Scam Watch said $83 million worth of scams had been reported to them in 2016 and that figure rose to $90 million in 2017 which is the latest available figure.

Keep in mind this is only the ones that have been reported to them and they would be mainly consumer-based. There would be many more that have never been reported. Generally speaking, companies do not talk about how much they have been scammed unless it falls under new legislation such as the Data Breach Notification act.

As a general rule, the cyber security industry tends to minimise its profile to help reduce what we call the ‘honeypot effect’ – that is, attracting more malicious actors to a company by talking about what you do or don’t do with your operations.

TD: What sort of damage can be wreaked on an organisation if they are subject to a successful, malicious phishing attack?

BW: It can be everything from a small false invoice being paid right up to complete financial or reputational ruin. There are multiple potential commercial impacts. Some of those are tangible and some you can’t simply put a financial value on.

Aside from the direct financial loss from a scam, research has shown that the time and cost required to remediate a breach may very well exceed the original damage. There is a report that says the average time required to fully remediate any type of cyber-attack, is about 32 days and the average cost per day has been calculated at about $32 thousand a day.

So, over that period you end up paying over a million dollars in corrective action. Of course, that doesn’t consider all the other perceivable damage that can be caused.

Organisations face potential reputational decline, business interruption, direct loss of profit, impact on stock value, possible legal action, loss of intellectual property, loss of customers and even the cost of new tools, staff and processes to negate future threats.

TD: What can individuals and organisations do to better protect themselves against the havoc that can be created by a successful phishing attack?

BW: From an organisational perspective, it is a shared technology, human and process issue so there has to be a balance between technology solutions including process change and people measures such as education and awareness.

A lot of organisations tend to focus on either one or the other, but in my experience, neither will work well in isolation. It must be a holistic, integrated remedial action to allow for the best possible future defence.

TD: What tools, processes, roles, responsibilities and training are at the disposal of cyber security teams to better defend against phishing attacks?

Having a cyber threat detection and response team in place is critical. Someone must oversee a defined process. There is a five-step methodology that has become popular. It works on the principles of Prepare, Protect, Detect, Respond and Recover.

The idea is that you are never going to eliminate 100 per cent of security threats, so you have people, processes and tools in place to stop as much as possible and then have a strategy to be able to respond and recover after an incident with the goal of minimising damage. This all then needs to be managed under a philosophy of continual improvement to the foundation processes.

Meanwhile, mitigating risks associated with phishing attacks needs to be an integral component of the organisation’s broader cyber security and business risk management plans. Some organisations are taking an approach that removes cyber security from the responsibility of technology teams and putting them into the risk management structure.

One example of a cybersecurity framework - there are many others - comes from an American government organisation, the National Institute of Standards and Technology (NIST). This provides a defined guideline to assessing where you stand currently and where you need to improve.

TD: Is there a role for tighter regulation over how public and private organisations protect their data from phishing attacks?

BW: There are a couple of areas where regulatory authorities step into the picture. Financial organisations and publicly-listed companies are already under compliance and reporting obligations overseen by ASIC which has guidance papers and various recommendations for certain measures that should be put in place.

Any organisation within those categories must work with those regulators to put appropriate measures in place and provide assurance that they comply.

Meanwhile, there has also been a new regulation put in place that compels a much larger group of organisations to report data breaches. Effective as of 22 February 2018, any organisation with a turnover more than $3 million now has to report a data breach. Other smaller organisations - including health services, financial services providers, credit reporting bodies and all Government agencies - must comply with the same mandatory reporting obligations.

This is a significant step in the right direction towards the type of controls that need to be in place. If you get phished and your data gets exposed, you now must report it to your customers and the relevant authority.

Unfortunately, I think that regulatory bodies will always be behind the technology and trends of attack in terms of negating threats. Technology and methods deployed by malicious actors move so quickly that it can never keep pace with the evolving dynamic of the crimes.

So, I would expect that there is going to be more legislation in the future that is designed to try and protect people’s privacy and data, but the stark reality is that they will always be playing catch up.

TD: What else should all IT professionals understand about the rise of phishing as a cyber-crime challenge?

There are many opportunities out there for people to build careers in cyber-crime detection, prevention and recovery and having knowledge about phishing trends is important because that is where a significant number of threats are coming from.

Existing IT professionals are in the perfect position to transition their careers over to cyber security because they are already in possession of the base technological knowledge, hands-on skills and work-place experience that is required.

In some cases, the fight against cybercrime attacks will offer an exciting and challenging line of work as well.

Demand for the sort of skills required to counter phishing and cyber threats generally is only going to increase as the threat becomes more ubiquitous and the criminals expand, refine and improve their operations based on success.

TD: In what ways are phishing attacks evolving now? Is there any insight into where things may go in the future?

Like most online scams, the genesis of phishing can probably be traced to very basic “Nigerian”-type (advance fee) schemes trying to get money out of people by promising a big pay-out in return.

It has subsequently evolved from that point about 20 years ago - and let’s be clear, people are still trying on those scams - through to the type of ransomware we see today.

I think the next evolution where the threat has yet to be fully realised is to do with the Internet of Things where we will have billions of individual online-enabled devices. I saw a great cartoon where a man is standing in front of a fridge and the fridge is refusing to open until a ransom is paid and next to him is burning bread with a toaster demanding a ransom.

This is not as silly as it sounds, and we are facing a future where this sort of threat is potentially a reality. With the Internet of Things, we are talking about anything that is internet connected - including air-conditioners, fridges, washing machines and even cars - being potentially subject to hijacking.

It has already been proven that ‘smart’ cars can and have been hacked. If you start thinking about the ramifications of that, it can get a bit scary. We’ve probably all seen movies that show autonomous vehicles being taken control of by a malicious party and today it still seems a bit far-fetched for the average citizen to be involved in something like this.

The reality is that there are still a few barriers before those sorts of things could happen, but it is not beyond the realm of possibility.

For example, in 2017 in the US, there was a case of almost 500,000 internet-enabled pacemakers that had to be recalled for a firmware update due to hacking fears.

For IT security professionals, the challenge is to keep pace with change. Just as technology continually evolves so too does the threat from malicious acts and they will be shaped in the future by evolution in ways that we are yet to see.

It is not too long ago that ransomware was not even thought of, so nobody knows where the threats of the future will emerge from. The trick is to stay informed and to continually upgrade your knowledge which is why the free phishing countermeasures course we are offering helps to achieve this.

Another thing to keep in mind is that we are not talking about dumb criminals here. Often we are under threat from very smart, ingenious criminal minds that are in many cases very well resourced to continually apply their intellect to new ways of scamming people and accumulate wealth.

Find out more about CSU’s free Phishing Countermeasures short course here.