On the 24th May 2016, the supervisory board of Austrian aerospace parts maker, FACC, fired its CEO, Walter Stephan. The move came after Stephan fell victim to one of the highest profile cyber fraud attacks of the modern age.
In a phishing scam known as a “fake president incident”, criminals wrote a hoax email, apparently from Stephan, to an employee who was duped into transferring money into an account for a phoney acquisition project.
While some of the losses were recovered, the hackers initially stole around 50 million euros, pushing FACC to an operating loss of 23.4 million euros in the financial year 2015/16. The money disappeared into accounts in Asia and China, wiping a huge chunk off the company’s share value.
Phishing is popular with cyber criminals, and Stephan’s case demonstrates that big companies are not immune from this subtle, highly covert form of fraud.
In 2013, a phishing (or whaling) attack is believed to have been behind a massive data leak that eventually affected 110 million people in the US. The breach led to Target, the third largest retailer in the US, losing hundreds of millions of dollars while its CEO and CIO were both fired.
1. Educating employees
Target’s top personnel were sacked amid accusations that computer security was not being taken seriously enough. This points to cultural failings within the organization, which in turn depend on employee education about the ever-present danger that is cyber fraud and its most common form of attack: phishing.
Research by Gartner finds that 84% of “high cost security incidents result from employees sending confidential data outside the company”. No matter what software measures are in place, individual staff members can compromise organizational data security through email if workplace culture is not geared correctly.
While most of us can spot and dismiss phishing attacks, which are often poorly written, other attacks can be highly sophisticated, executing hidden code on the user’s computer if the email is merely opened. These targeted attacks are called spear phishing and are a very advanced form of cyber threat.
Through an effective security education programme, companies can develop an awareness of cyber threats and a diligence in behaviors that prioritize the organization’s digital health at all times.
Often, if training is given online, employees rapidly click through the content and the message has limited penetration. If training is given as a class, through a teacher employing a range of techniques that engage and promote discussion, staff are far more likely to assimilate the core messages and practices.
2. Use anti-phishing technology
Many technological approaches exist for combating phishing attacks. Some of these deliver test phishing emails to corporate personnel which then return metrics to security leaders on how effective corresponding anti-phishing training programmes are.
Wombat helps big organizations avoid “a ticking time bomb” of security with assessment tools that can identify employee knowledge gaps and reinforce areas of the workforce found to be most susceptible to attack.
Through Wombat’s CyberStrength, vulnerabilities related to mobile devices, apps, data management and physical security can be identified, informing an overall action plan on how to shore up organizational policy and procedure.
The security service Mimecast works to make business email and data safer for its clients and customers worldwide by offering next-generation cloud-based security and comprehensive email risk management.
As part of its targeted threat protection, Mimecast offers defence against whaling attacks and CEO fraud, URL protection against spear phishing emails that include malicious web links, and attachment protection against ‘weaponised’ attachments. These files contain scripts that, when run, can launch malware on the machine of the unsuspecting employee who opens them.
3. Consider a BYOD policy
Employees stand to put corporate networks at risk when access is gained through privately-owned devices or through insecure connections in remote locations.
Businesses should install mobile security software on user devices that scans apps and prevents those users from accessing corporate networks if the device is not deemed secure.
As part and parcel of employee education, users should be reminded that using Wi-Fi networks not controlled by the company can compromise security. Mobile device users should connect over virtual private networks (VPNs) to services that provide secure domain name system (DNS) resolution and blacklisting, which in turn prevent access to phishing sites.
These approaches should be supported by a reporting process that allows suspected phishing emails to be easily routed to IT, so that they can be filtered and their senders and links added to blacklists.
4. Identify threats with SPF
The possibility of Trojans being used to enable backdoor attacks demands that operating systems are thoroughly up to date with latest security patches.
However, firewalls and patches will often not prevent users from entering their details into a forged site (unless they have a URL reputation feature that checks for this).
Sender-authentication technology, such as Sender Policy Framework (SPF), allows an organization to declare which servers are permitted to send email on the company’s behalf. As such, any email which claims to be from the firm, but which has not been sent from an approved server, can be rejected by the receiver.
A carefully crafted SPF record will reduce the chances of your domain name being spoofed and will prevent your legitimate messages from being flagged as spam or bounced back by a recipient’s mail servers.
DMARC, DKIM and Sender ID are further examples of email validation systems which add layers of email authentication, helping to identify genuine senders and determine whether the origin of an email is legitimate.
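To make the SPF mechanism concrete, here is an added example (not code from the original article or any vendor it mentions) of how a receiving mail server evaluates a sender’s SPF record. It assumes a hypothetical company domain with a constructed in-memory DNS table instead of real lookups, and covers only the ip4, ip6, include and all mechanisms of RFC 7208; a “fake president” message claiming to come from the company domain but arriving from an unapproved server gets a `fail` result under the record’s `-all`.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These domains and records are
# hypothetical; they are not any real organization's published SPF policy.
FAKE_DNS_TXT = {
    "example-corp.test": "v=spf1 ip4:203.0.113.0/24 include:mail-vendor.test -all",
    "mail-vendor.test":  "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "no-policy.test":    "",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, depth=0):
    """Return the SPF result for a message claiming to be from `domain`
    and arriving from `sender_ip`: 'pass', 'fail', 'softfail', 'neutral',
    'none' (no policy) or 'permerror'. Handles ip4/ip6/include/all only;
    the a, mx, exists and redirect mechanisms are not implemented here."""
    if depth > 10:                        # RFC 7208 limits DNS-based lookups
        return "permerror"
    record = FAKE_DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                     # no policy: receiver cannot reject
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        matched = False
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            # include: matches only if the referenced domain's policy passes
            matched = evaluate_spf(term[8:], sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                      # no mechanism matched at all


if __name__ == "__main__":
    # Approved server, delegated vendor, and a spoofed message from elsewhere.
    for ip in ("203.0.113.25", "198.51.100.10", "192.0.2.7"):
        print(ip, "->", evaluate_spf("example-corp.test", ip))
```

Note that a `softfail` (`~all`) or `neutral` result leaves the decision to the receiver, which is why DMARC is usually layered on top to tell receivers what to do with messages that fail.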
5. Use a layered approach
No silver bullet exists in the fight against cybercrime, a reality which demands that companies take a layered approach that keeps the issue at the top of the agenda at all times.
Dovetailed with continuous employee training, this approach should begin around company assets and accounts with strong user authentication that requires more than a single user ID and password to gain access to accounts.
Fraud detection and monitoring of sensitive applications can be built on top of these measures. These work by comparing user and account activity to continually updated profiles of what is established as ‘normal behavior’.
Protecting business teams from data breaches and other cyberattacks is critical to the bottom line of entire organizations. Email accounts carry so much information on a daily basis that if a leak does occur, you can almost always trace it back to the inbox and outbox in question.
Having all the security measures and cultures in place is, therefore, critical to survival in an online world that never stops evolving.