phishing Archives - Security IT Summit | Forum Events Ltd

Posts Tagged: phishing

In case you missed ZIVVER at the Security IT Summit…

Guest Post

By Zivver

Last month marked ZIVVER’s first appearance at the Security IT Summit and we had a great time meeting so many people (virtually).

If you took some time during the summit to connect with us, we look forward to staying in touch!

And if you missed your chance to meet with us at the summit, now’s a great time to get to know ZIVVER.

We’re a relatively new player in the UK, but our secure communication platform has already established us as a market leader in the Netherlands. In a few short years we’ve earned the trust of over 3000 organisations, including leading insurance companies, top healthcare institutions and the national judicial system, to safeguard their sensitive data. 

How ZIVVER works

Our smart technology platform is designed to prevent human error, which is consistently cited as the top cause of data leaks (over 75%). With ZIVVER, users receive real-time awareness training when sending sensitive communications electronically, enabling them to prevent mistakes before hitting send.

The service conveniently integrates with leading email clients such as Outlook and Gmail, so it’s easy to use and won’t impact existing workflows. Plus, with a generous 5TB limit, you’ll never have to worry about file size limits again when you need to transfer files safely. ZIVVER also helps organisations to improve their regulatory compliance as well as business performance. 

Many companies quickly see a positive business case with us. That’s why over 98% of our customers renew their service agreements, and our average rating on Gartner Peer Reviews is 4.7 out of 5. 

Curious to find out more?

Organisations usually concentrate their security efforts on inbound threats, through measures such as spear phishing prevention and anti-virus protection, but often overlook the need to properly safeguard their outbound communications. This can create additional risks since outbound communications typically cause more data breaches.

Learn how to enhance your email security in our new Outbound Email Security Essentials white paper

You can easily download it by visiting this page.

One million scam emails reported to NCSC

Stuart O'Brien

An influx of cryptocurrency investment scams is among a range of online threats which have been blocked as a result of more than 1 million suspect emails being reported by the public in just two months.

More than half of the 10,000 online links to scams blocked or taken down by the National Cyber Security Centre (NCSC) with the help of the public relate to cryptocurrency schemes, where investors are typically promised high returns in exchange for buying currency such as Bitcoin.

The scams have all been detected since the launch in April of the Suspicious Email Reporting Service, a tool which allows the public to forward suspect emails which may link to fraudulent websites.

The service, which was launched as part of the Government’s Cyber Aware campaign, has received a daily average of 16,500 emails and has now reached the milestone of one million.

While cryptocurrency scams – which cost the public millions of pounds annually – have been the main scam detected, there have also been numerous examples of fake online shops and spoofs involving brands such as TV Licensing, HMRC, Gov.uk and the DVLA.

NCSC Chief Executive Officer Ciaran Martin, said: “Reaching the milestone of one million suspicious emails reported is a fantastic achievement and testament to the vigilance of the British public.

“The kind of scams we’ve blocked could have caused very real harm and I would like to thank everyone who has played their part in helping make the internet safer for all of us.

“While it’s right that we should celebrate reaching this milestone, it is important for all of us to remain on our guard and forward any emails that don’t look right to report@phishing.gov.uk.”

Digital Secretary Oliver Dowden, said: “We are committed to making the UK the safest place to be online and are working tirelessly to defeat cyber criminals.

“I urge everyone to continue reporting suspicious emails and follow our Cyber Aware campaign top tips for staying secure online alongside our world-leading National Cyber Security Centre advice.”

The Suspicious Email Reporting Service was launched as part of the Cyber Aware campaign, which promotes protective behaviours to keep your online accounts and your devices as secure as possible.

To use the reporting service, people are asked to simply forward suspect emails to report@phishing.gov.uk. If they are found to link to malicious content, it will be taken down or blocked, helping prevent future victims of crime.

Latest figures show that 10% of the scams were removed within an hour of an email being reported, and 40% were down within a day of a report. 10,200 malicious URLs linked to 3,485 individual sites have been removed thanks to the 1 million reports received.

The Suspicious Email Reporting Service was co-developed with the City of London Police. As well as taking down malicious sites it will support UK policing by providing live time analysis of reports and identifying new patterns in online offending – helping them stop even more offenders in their tracks.

Going phishing? Five emails you don’t want in your inbox

Stuart O'Brien

Phishing attacks are the most common form of cyber attack. Why? The simplicity of email gives cyber criminals an easy route in, allowing them to reach users directly with no defensive barriers, to mislead, harvest credentials and spread malicious elements.

All organisations think it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched and establish a thread of communication with the victim before attempting to steal their credentials or bank balance.

Email is the single biggest attack vector used by adversaries who employ a plethora of advanced social engineering techniques to achieve their goal. Andy Pearch, Head of IA Services at CORVID, describes five common types of social engineering attack that no employee – from CISO to HR assistant – wants to see in their inbox…

1. Payment diversion fraud

Cyber criminals often masquerade as a supplier, requesting invoices are paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets both businesses and individuals and the results can understandably be devastating.

There’s little point asking someone who isn’t authorised to do so to make a bank transfer or change payment details. Threat actors therefore target finance and HR teams, who expect to process payments and deal with changes to personal account details, and so are more likely to comply with the fraudulent request.

2. CEO fraud

Impersonating a VIP – often the CEO – is big business for adversaries, knowing the recipient will often action the request straightaway. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust of their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.

These deceitful requests often convey a sense of urgency, and imply the interaction can only be carried out via email – the victim therefore has no time to question the validity of the request, and is unable to call the CEO to confirm if it’s genuine.

3. Whaling

The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers in a business who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval. These phishing attacks are thoroughly researched, containing personalised information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP target.

4. Spear phishing

Perhaps the most widespread form of email-based cyber attack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information, such as bank details and personal data. Attackers study their victim’s online presence to include specific information which adds credibility to their request, such as purporting to be from a streaming service the victim is subscribed to, or a supplier that is known to the target company.

5. Sextortion

Not all phishing attacks are subtle. A form of cyber blackmail, sextortion is when cyber criminals email their target claiming to have evidence of them committing X-rated acts or offences, and demanding payment to stop the criminals from sharing the evidence with their victim’s family or employer.

Attackers count on their victim being too embarrassed to tell anyone about the email (although they haven’t done anything wrong), because it’s a taboo subject most wouldn’t feel comfortable talking about with others. They often make the email sound like they’re doing their victim a favour in keeping the details to themselves. The victim may decide to pay up to stop embarrassing details about their private lives being made public, regardless of whether they’re true or not. Payments are usually demanded in Bitcoin so the transaction is untraceable, meaning the adversary cannot be identified.

But if the victim knows they’re innocent, why do these attacks still work? It’s all about credibility – attackers harvest email addresses and passwords from previous cyber attacks, which are available on the internet, and include them in their email to add credibility. If an attacker emails you claiming to know one of your passwords and includes it for proof, you’re more likely to believe the rest of the email is genuine.

Conclusion

These common types of social engineering attack cannot be ignored by any organisation – these threats are very real and won’t disappear anytime soon. Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources; employees shouldn’t have to carry the weight of identifying these threats, essentially plugging the gaps in flawed cyber security strategies. Organisations need to treat email as the serious security risk that it is and begin to put appropriate measures in place.

Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, which removes the burden from users and instead leaves technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning employees can make quick, informed and confident decisions as to whether the email should be trusted.

With such sophisticated technology available and a growing threat landscape that shows no sign of slowing, it’s time for organisations to make a change and adequately protect themselves from incoming attacks.

VIDEO – Top tips to spot phishing attacks

Guest Post

By Falanx

Phishing, viruses and ransomware are some of the most common attacks aimed at organisations of all sizes, with phishing emails proving the most successful.

With this October being Cyber Security Awareness month, empower your staff to recognise and defend against these attacks.

Here are some of the signs to look out for > https://falanx.com/cyber/top-tips-to-spot-phishing-attacks/

Save £35k by deleting emails from your CEO

Guest Post

You work in finance. You get an email from your CEO addressing you by your first name, apologising for the late Friday email, but requesting you make an urgent payment to a regular supplier, with account details helpfully provided in the email. You’d pay it, right?

CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account.

The average cost of this attack has risen to £35,000, but how do they keep getting away with it? Check out the latest advice from Corvid:

https://www.corvid.co.uk/blog/save-yourself-35k-delete-ceo-emails

Automation reduces the risk of phishing attacks

Stuart O'Brien

It’s hard to overestimate how fundamental email has become to initiating cyberattacks. While there are numerous ways for attackers to target organisations, email is nearly always the common denominator.

Email phishing attack detection, analysis and rapid response is one of the biggest challenges email admins and security teams face today.

Did you know?

  • Phishing represents 98% of social incidents and 93% of breaches.
  • Email continues to be the most common vector for cyber attacks (96%).

Download our latest Whitepaper in Partnership with Ironscales: Office 365 is not built to defend against modern real world email threats

Learn why organisations that rely on cloud email services must budget for advanced phishing prevention, detection and response.

https://discover.everycloud.co.uk/automation-reduces-the-risk-of-phishing-attacks

For more information, contact:

Paul Richards, Director, EveryCloud

Mob: +44 7450 100 500 | DDI: 0203 904 3182 | Tel: 0800 470 1820

Email: paul.richards@everycloud.co.uk

Do you provide Phishing Detection solutions? We want to hear from you!

Stuart O'Brien

Each month on IT Security Briefing we’re shining the spotlight on a different part of the cyber security market – in April we’re focussing on Phishing Detection solutions.

It’s all part of our ‘Recommended’ editorial feature, designed to help IT security buyers find the best products and services available today.

So, if you’re a Phishing Detection specialist and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Chris Cannon on c.cannon@forumevents.co.uk.

Here are the areas we’ll be covering, month by month:

Apr – Phishing Detection
May – Advanced Threat Dashboard
Jun – Browser/Web Security
Jul – Authentication
Aug – Penetration Testing
Sep – Vulnerability Management
Oct – Employee Security Awareness
Nov – Malware
Dec – Network Security Management

For information on any of the above topics, contact Chris Cannon on c.cannon@forumevents.co.uk.

Millennials ‘most vulnerable’ to phishing attacks

Stuart O'Brien

‘Digital savvy’ millennials are more likely to fall victim to cyber threats than baby boomers and older generations, demonstrating a concerning lack of knowledge on cyber threats such as phishing and ransomware.

New research, commissioned by cybersecurity and compliance company Proofpoint for their fifth annual ‘State of the Phish’ report, also revealed that 83 percent of global respondents experienced phishing attacks in 2018, compared to just 10 percent of respondents reporting experiencing a ransomware attack.

Also amongst the standout findings was the revelation that, despite popular belief, older generations were actually less likely to fall victim to cyber attacks than their younger counterparts. 58% of those aged 22-27 correctly knew what phishing was, compared to 73% of those aged 54+. In addition, 52% of those aged 54+ correctly knew what ransomware was, whereas only 40% of those aged 22-37 did.

“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organisation,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint.

“As these threats grow in scope and sophistication, it is critical that organisations prioritise security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”

“Lack of cybersecurity awareness, in particular amongst the millennial/Generation Z demographic, presents a greater threat than many businesses expect,” added Adenike Cosgrove, strategist, EMEA, Proofpoint.

“Our latest research shows that surprisingly, older generational groups can more accurately identify threats such as phishing and ransomware than digitally-savvy millennials. This tells us that millennials, despite being much more comfortable and at ease with digital platforms, display greater complacency towards threats and perceived risks.

“With the percentage of millennials in the workforce set to reach 50 percent globally by 2020, it’s imperative that businesses focus on developing a people-centric approach to security and deploy cybersecurity awareness training programs that aim to change employee behaviour. The bottom line is that organisations that do not consider the human factor as a key pillar to their cyber defence strategy will continue to be prime targets for cybercriminals, putting their businesses at risk of potentially crippling attacks.”

A copy of the report can be downloaded here: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

Cybersecurity responsible for 36% of management stress

Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses complained that problems with their internet were responsible for some of their firm’s biggest technology-related headaches, while an additional 41% of respondents said that, six months on, GDPR compliance was still causing confusion within the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said: “Hearing that internet issues are still responsible for over half of SMEs’ IT-related headaches is simply inexcusable in this day and age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SMEs are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

INFOGRAPHIC: Only 29% travel sites opt to fully protect consumers with EV SSL

Stuart O'Brien

UK phishing scams jumped 648% YoY on Cyber Monday, with lack of EV SSL certificates on travel websites cited as a primary cause.

Sectigo investigated security levels on the websites of 35 airlines, 27 hotel groups, 23 travel comparison websites, 11 car hire firms and eight train operating companies, to find out whether they are doing all they can to protect customers as we approach peak travel season.

Among its key findings were:

  • Only 29% of these enterprises had an EV SSL certificate on their website.
  • As many as 65% of these organisations only have a free SSL certificate, with neither any company branded address on their homepage nor any “Not secure” warnings.
  • Up to 6% had no EV certificate whatsoever

Full findings are illustrated in the infographic below:
