Protecting your business from phishing attacks
Posted on 5 Jul 2013 at 10:13
Davey Winder tackles the ever-mutating threat from phishing - in particular, the growth of conversational attacks
Recent research conducted by OnePoll suggests that 60% of office workers in the UK receive a phishing email every day, while 6% get more than ten a day.
I wouldn’t bat an eyelid at these numbers if they related to a consumer audience, but the fact that this was a poll of the business sector is surely cause for concern.
After all, doesn’t pretty much every business in the land have some kind of technical defence in place to deal with spam and email-borne malware? Evidently, these defences aren’t working as well as they should.
Interestingly, the same poll suggests that roughly the same 60% of workers will fall for a phishing scam unless they’ve been trained to spot one. Some 27% of the office workers polled had no idea what phishing is, while one in five admitted they’d fallen victim by clicking on a link or opening a dodgy attachment.
Earlier this year, I wrote about how to protect your business against spear-phishing, concluding that education is the key to successful protection against this social-engineering menace.
Unfortunately, the process of educating yourself and your workers can feel rather like painting the Forth Bridge, in that it appears to be a never-ending, cyclical task. But, if you look beyond the urban myth, the Forth Bridge has never been continuously painted, and the maintenance contracts for painting it have continually improved – the latest job, completed a couple of years ago, is expected to last for 25 years.
Painting the bridge isn’t trivial, and it does take several years, but the investment pays off in the years that follow.
That’s the analogy I’d apply to the phishing problem, to counter the defeatist view that claims the bad guys come up with a new threat – and force you to start re-educating from scratch – every time you think you have them sussed. You don’t have to do anything of the sort.
If you’ll excuse me belabouring my painting analogy, all you need do is make sure the base coat is thick enough, then touch it up as necessary.
Teaching your staff how to spot the most common mistakes social engineers make when they build their phishing lures will make it easier to spot scams when they’re confronted with a more personalised attack.
To illustrate this by way of an example, PC Pro reader Neill Lillywhite forwarded me a copy of a phishing email he received that would certainly have been enough to fool most uneducated readers, since it was a pretty convincing clone of a typical PayPal transaction notification. However, Neill spotted that its sender had made several small errors that were enough to set off alarm bells.
The mistakes were basic. The account to which the fake email was sent wasn’t the one Neill normally uses for PayPal; most people use the same address for almost everything and so wouldn’t notice anything amiss.
Far sloppier mistakes included the use of a bald "Hello" (rather than Neill’s username) as the greeting, an incorrect date (the email was dated after the day of receipt), and the fact the email claimed to be from www.paypal.com rather than www.paypal.co.uk, which Neill normally deals with.
All these goofs seem obvious once they’ve been pointed out, but they’re easy to miss when you’re skimming over email – especially if you’ve never received anti-phishing training.
Perhaps the biggest error of all in this correspondence is that, if you hover over the PayPal links in the message, they reveal that the destination URL is a Russian website, nothing to do with PayPal. Forget the fact you’d never bought the item described – that’s actually the clever part of this social-engineering trap.
It triggers your "thieving corporation" reflex and almost guarantees you’ll dash off a fuming email of complaint. No, they don’t expect to fool you into paying for goods you didn’t buy; they expect to fool you into clicking the reply link.
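The tells Neill spotted (wrong recipient address, bald greeting, a date after the day of receipt, the wrong PayPal domain, and links whose visible text disagrees with where they really go) are all things a script can check before a human ever hovers over anything. The example below is added here to show those checks in working code; it is not part of the original column and not Neill's email. The message, the addresses and the lookalike host (a reserved example.net name that merely starts with "paypal.com.") are constructed for the demonstration, and the registrable-domain guess is a crude stand-in for a proper public-suffix list.

```python
"""Heuristic phishing checks modelled on the tells described in the column.
Constructed example: the message, names and hosts are made up, not the
email Neill received."""
import re
from datetime import datetime, timezone
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Both PayPal-looking links point at a host that
# only *starts* with "paypal.com" (the classic lookalike trick).
SAMPLE_RAW = b"""From: "PayPal" <service@paypal.com>
To: neill.other@example.org
Subject: Receipt for your payment to Widget Seller Ltd
Date: Sat, 06 Jul 2013 09:00:00 +0000
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello,</p>
<p>You sent a payment of &pound;249.99 to Widget Seller Ltd.</p>
<p>If you did not authorise this payment,
<a href="http://paypal.com.account-check.example.net/dispute">click here to dispute</a>.</p>
<p><a href="http://paypal.com.account-check.example.net/">www.paypal.com</a></p>
</body></html>
"""

GENERIC_GREETING = re.compile(r"(hello|hi|dear (customer|user|member|client))[,!.]?", re.I)
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
COMMON_SLD = {"co", "org", "ac", "gov", "net", "com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus the body's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = len(self.links) - 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        self.text.append(data)
        if self._open is not None:
            self.links[self._open][1] += data


def registrable(host):
    """Crude registrable-domain guess (no public-suffix list): the last two
    labels, or three for co.uk-style hosts. Enough to compare links with."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in COMMON_SLD else 2
    return ".".join(labels[-n:])


def analyse(raw, received_at, my_address, usual_domain, brand_domains):
    """Return a list of (finding, detail) tuples, one per tell that fires."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Sent to an address I do not use for this service
    to = msg["To"].addresses[0].addr_spec.lower()
    if to != my_address.lower():
        findings.append(("wrong_recipient", to))

    # Claims to come from a domain other than the one I normally deal with
    sender_domain = msg["From"].addresses[0].domain.lower()
    if sender_domain != usual_domain:
        findings.append(("sender_domain", sender_domain))

    # Dated after it actually arrived
    if msg["Date"].datetime > received_at:
        findings.append(("future_date", msg["Date"].datetime.isoformat()))

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content())

    # Bald greeting where the real service would use the account name
    lines = [l.strip() for l in "".join(collector.text).splitlines() if l.strip()]
    if lines and GENERIC_GREETING.fullmatch(lines[0]):
        findings.append(("generic_greeting", lines[0]))

    # The "hover" test: where each link says it goes versus where it goes
    for href, shown in collector.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable(host)
        m = DOMAINISH.match(shown.strip())
        if m and registrable(m.group(1)) != target:
            findings.append(("link_text_mismatch", f"{shown.strip()} -> {host}"))
        if target not in brand_domains:
            # a brand domain at the *start* of the host is the lookalike trick
            lookalike = any(host.startswith(b + ".") for b in brand_domains)
            findings.append(("lookalike_host" if lookalike else "link_off_brand", host))
    return findings


def check_sample():
    """Run the checks on the constructed sample as if received 5 Jul 2013 10:13 UTC."""
    return analyse(SAMPLE_RAW,
                   received_at=datetime(2013, 7, 5, 10, 13, tzinfo=timezone.utc),
                   my_address="neill@example.org",
                   usual_domain="paypal.co.uk",
                   brand_domains={"paypal.com", "paypal.co.uk"})


if __name__ == "__main__":
    for finding, detail in check_sample():
        print(f"{finding:20s} {detail}")
```

None of these checks proves a message is a scam on its own; a genuine notification can arrive late or use a generic greeting. The point is the same one the column makes: several small tells together are a strong signal, and the link check in particular catches the trick that the message text is designed to hide.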
Most scams I see are riddled with typos or use phraseology that a native English speaker would never expect in business communications.
The day crooks learn to write grammatically correct English, and discover there are things called spelling checkers, we are in trouble.
By fogtax on 11 Jul 2013
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.