As an Official Champion of National Cyber Security Awareness Month (NCSAM), the Council will be sharing educational resources on payment security best practices on the PCI Perspectives blog, and through our Twitter (@PCISSC) and LinkedIn pages.
“Phishing” happens when cybercriminals use specially crafted, seemingly legitimate-looking emails and social media messages to trick employees into providing confidential data (for example, passwords, usernames, payment card details) that can be used for fraud. Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally. Why is this such a popular attack method?
Jeremy King: Quite simply because it is very effective for the criminals. We have seen with friendly phishing attacks that you will achieve an average of around 25% hit rate amongst staff, rising to 33% at board level. When the criminals only need one click to gain access, they are almost guaranteed success. Unfortunately, many organizations are not training their staff to understand what a phishing attack is or the damage it can do to a company. They do not explain that criminals use this as a way to insert malware into the company that can actively seek cardholder data.
Companies need to be very aware of the significant danger phishing presents. In addition to enabling traditional malware attacks, successful phishing attacks can also result in ransomware being inserted, which can lock you out unless you pay a release fee. Worse still, we’ve seen attacks where criminals pretend to be a senior executive requesting the immediate payment of invoices or fees. This has resulted in millions being sent to the criminals’ bank accounts.
It is, therefore, essential that organizations educate all of their staff on the dangers this represents.
What are some common tactics criminals use to create legitimate-looking email correspondence?
Jeremy King: In the early days it was easy to spot the phishing attack - the look and language of the content were obvious. It also tended to come from an unknown email source. Now criminals can spoof the email address to make it look like it is coming from the legitimate source, and the content and grammar of phishing emails have improved, making it harder to spot. In addition, the criminals will use social media to identify specific targets so that they will know the person’s name and job title.
Can people rely on anti-virus software alone to prevent phishing attacks?
Jeremy King: The simple answer is no. Many phishing attacks contain only the minimal amount of code to gain access and inform the criminal as such. The criminal will connect in later to insert the main payload. In addition, 0-day attacks mean that the antivirus software just does not know the virus is there.
The sheer volume of viruses means that anti-virus software can only check for so many; otherwise, it would slow your computer to a snail’s pace. Therefore, after a certain period, the older viruses and malware are dropped off the back, being replaced with newer identified viruses and malware. The criminals have figured this out and are now using older malware that is no longer detected to good effect.
So it comes back down to the basics of people, process and technology working together as the best defense against attack. In fact, the assumption should not be “How do I keep the criminals out?”, but “How do I detect that they are in my systems quickly and prevent any loss of data?”.
A recent study found that 30% of people targeted opened a phishing email. What are some red flags people should look for to prevent falling victim to a phishing scam?
Jeremy King: The biggest problem is that we are often in a rush and want to please our boss or senior manager, and the criminals know and rely on this. Also, they know we will react to things that are just plain wrong. I remember one case when I received an email confirming my purchase of an item from a popular website. Written neatly near the bottom was one line: “If you did not make this transaction please click here”. I was at the point of clicking when something at the back of my brain shouted “phishing attack!”, and I stopped. That “something” was a direct result of training.
We receive emails with links every day. We cannot stop using links altogether, but when we receive an email with a link consider the following:
- Why have I received this email with a link? Am I expecting it?
- Is the email from someone I know or do not know?
- Hover your mouse over the link and see if it is sending you to the location described in the link or somewhere else.
- If in doubt, do not click.
Staff should be very cautious of emails arriving late on a Friday or before a public holiday making requests to transfer large amounts. If you receive emails asking for urgent action, especially relating to the transfer of funds, double check with the originator of the email. Do not reply to the email as this will only go back to the criminal. Instead, send a completely new email to the person who is claiming to have sent you the email to confirm the veracity of the request, or better yet, call. A quick call can literally save your company millions.
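Several items in the checklist above (hover over the link to see where it really goes, do not reply to the email, be wary of urgent payment requests) can be checked programmatically before a message ever reaches a person. The following is an added example, not code from the interview or the Council: a small Python script that parses a constructed sample message (all domains are placeholders) and flags a Reply-To that goes to a different domain than the From address, an urgent-sounding subject, and any link whose visible text names one host while its href points to another.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real phish: replies go to a third domain, the subject
# pushes for immediate payment, and the first link shows one host but points elsewhere.
SAMPLE = """From: "Accounts Payable" <ap@mail-example.net>
Reply-To: invoices@example-pay.org
Subject: URGENT: invoice payment required today
Content-Type: text/html

<p>Review here: <a href="http://example-pay.org/login">https://portal.example-corp.com/invoices</a></p>
<p>Questions? <a href="https://portal.example-corp.com/help">Help desk</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "transfer of funds", "today")
# Good enough for a demo body; a real mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(header):
    # Domain part of an address header, or '' if the header is absent or malformed.
    addr = parseaddr(str(header or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def link_mismatches(html):
    # Pairs (shown_host, real_host) where the visible link text names another host.
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()          # drop tags inside <a>
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and "." in shown and actual and shown != actual:
            found.append((shown, actual))
    return found

def red_flags(raw):
    # Warning strings for the checklist items that can be automated.
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:   # a reply would not reach the sender
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if any(w in str(msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        flags.append("subject pressures for urgent action")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:                       # the "hover over the link" check
        for shown, actual in link_mismatches(body.get_content()):
            flags.append(f"link text shows {shown} but it points to {actual}")
    return flags
```

Running `red_flags(SAMPLE)` returns three warnings for the sample; the second, benign link produces none, since its visible text is not a host name.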
What can organizations do to better educate their employees on email safety practices?
Jeremy King: Put your organization to the test with a “friendly” phishing attack. Friendly phishing attacks are impactful as they highlight how easy it is for criminals to trick unsuspecting employees into clicking on a link. Employees who do click are then sent on to training. This will help ensure next time they are less likely to click that link. Studies have shown that friendly phishing attacks result in a significant reduction in the numbers who click on a malicious link a second time.
Security should not be seen as a once-a-year activity. Security is critical to your company’s future, so make it more important to all your staff. Involving staff in the development of programs makes them more interesting.
And of course use the PCI Security Standards Council’s set of standards and guidance documents. Plus make use of the range of training available, from PCI Awareness to Internal Security Assessor training and more.
Learn more by downloading our Defending Against Phishing & Social Engineering Attacks resource guide.