When data is breached by cybercriminals

Data leakage has become a major concern these days for all organisations worldwide. As the digital world has rapidly evolved and the majority of financial transactions become exposed to fraud attempts performed by cybercriminals, the fundamental question that every company must face these days is not “if” but “when” will we be breached? A few words about what phishing attacks are and how to protect yourself against them.

According to the Verizon 2021 Data Breach Investigations Report, 91% of successful data breaches started with a spear phishing attack. At the same time 73% of organisations fell victim to successful phishing last year.

Phishing is an example of one of the most effective fraud activities on the internet. It may lead to severe financial losses, sensitive information disclosure or identity and credential theft, and as such requires focus and attention from all possible directions. One of the most efficient approaches in fighting against this threat is to consistently increase our awareness of it and educate ourselves about it.

How to define and distinguish between Phishing, Spear-Phishing and Whaling

There are currently more than a dozen different types of phishing attacks but to start with, it is worth focusing on the most common ones:

Phishing is a form of social-engineering attack that uses email to acquire sensitive information either through fraudulent solicitation, or a malicious link or attachment, where the criminal masquerades as a legitimate person.

Spear-Phishing, on the other hand, is a phishing activity that is very carefully designed and targets a selected lower profile recipient as opposed to typical phishing attempts where multiple recipients are involved and receive the same email.

What distinguishes Whaling/CEO Fraud from spear-phishing is that whaling targets exclusively high-ranking individuals within an organisation, typically senior leadership (C-Level), in order to conduct a fraudulent activity.

What are the Consequences of Phishing-type Attacks?

The insurance sector frequently faces phishing attacks from external actors. This type of attack seems to be the easiest way for attackers to achieve their aims. According to recent studies, financial motivation is responsible for driving over 90% of criminal fraud attempts, 3% are state-driven sophisticated espionage actions (APTs), and grudge, fun or ideology make up the remaining 5%.

Adversaries typically use multiple tools and techniques to achieve their criminal objectives. One of the major goals is to steal user credentials and use them in further hacking or malware attacks. For instance, a criminal may either establish new accounts or compromise existing ones, and send multiple urgent fraud messages or use these accounts to gain additional access to sensitive data.

The other scenario assumes dropping malware on the user’s computer (malicious software that is a harmful program or file). This malware may include various types of viruses, trojans, worms, spyware and especially ransomware. Depending on the type of ransomware it is designed to either lock up or encrypt files on your computer until a ransom is paid. More sophisticated versions (called double extortion) may encrypt files and export data from the victim’s computer.

It is important to know that ransomware has become a major challenge not only for individuals but also for companies, governments and organisations around the world, and that most often, ransomware attempts are enforced through phishing emails. According to Malwarebytes reporting, notable ransomwares like GandCrab, SamSam, NotPetya and WannaCry generated losses of around $3.9 billion.

How to Protect Yourself Against Attacks

In order to avoid potentially serious consequences connected with certain types of malware you need to follow some basic rules when dealing with a suspicious email:

1. Verify the email sender. Cybercrime has become a business today and cybercriminals are constantly developing their skills. Malicious emails look like legitimate messages from your boss, coworker or official communications channels. Always check the sender email address by hovering over the sender’s name or by clicking on the Reply button.
2. Check the URL. Bad actors create URLs that are remarkably similar to legitimate websites in order to trick potential victims into clicking the link.
3. Don’t click on suspicious links. If you suspect that the sender and/or content doesn’t seem to be legitimate, do not click on the link.
4. Don’t open attachments from suspicious emails. Attachments can be malicious files design to launch an attack on your computer. They may look like typical Office365 or pdf files but after clicking a malware will be installed.
5. Be sceptical and suspicious about unusual and non-standard requests you have received. Double-check this kind of request, and in case of doubt call the requestor directly to confirm.
6. Report phishing attempts. If you receive a phishing email or if you’ve either clicked on a suspicious link or opened a malicious attachment, always report this immediately to you IT colleagues or security.

As always, these very basic security countermeasures, if properly enforced, may reduce the attack surface for phishing-type attacks significantly. Raising awareness and adherence to basic security rules and precautions are considered to be two of the most effective ways of minimizing the attack success ratio and reducing the cybersecurity risk.

Text: Marek Kost, IT Security Manager, ERGO Technology & Services S.A.