Even the most sophisticated cyber security measures can be undone by cyber scams. But what are cyber scams, why should they be given more attention and what can businesses do to reduce the threat?
Benjamin Hosack, Chief Commercial Officer of cyber security specialists Foregenix, tells us why tackling this often over-looked issue is essential for any business which wants to take thorough precautions against cyber criminals.
Recently the financial details of as many as 380,000 British Airways’ customers were compromised. It was a financial and public relations disaster. The national flagship carrier called it a ‘sophisticated and malicious hack’.
BA is far from an isolated case, even in the airline industry. In the past year Air Canada, Thomas Cook and Delta Airlines have all made the news for the same reasons.
Yet such incidents give a skewed view of the dangers most businesses and organisations face. Cyber criminals generally look for the weakest and easiest ways to gain access to valuable data, and the most common and effective way is through cyber scams, sometimes called social engineering.
Cyber scams are the Achilles’ Heel of cyber security defences. Whatever budget is employed, however sophisticated the measures taken, if an unsuspecting member of the team falls for one of these scams the results can be devastating.
So what is a cyber scam?
Cyber scams rely on deceiving an individual within an organisation to unwittingly allow cyber criminals to bypass otherwise sound cyber security defences.
Attacks commonly come in the form of targeted phishing emails trying to entice recipients to give away passwords or confidential information. Some of these e-mails aim to enable a virus to penetrate an organisation’s business systems and networks through clicking on a link or opening an attachment.
Some of these attempts to compromise an organisation’s security are comically amateurish. However, phishing e-mails are increasingly ‘professional’ and closely replicate genuine correspondence. They appear to be from trustworthy companies and organisations. And they use human ‘vulnerabilities’ such as compassion – for instance following a natural disaster – or fear to overcome caution. Who would not be concerned to receive an overdue demand and potentially large fine from an official body such as HMRC?
Phishing e-mails are often sent out en masse, so even if only a small percentage of recipients fall for the scam the rewards for criminals can be significant.
Another approach is spear phishing which involves targeting a specific individual. Cyber criminals will use a personally designed approach to gain trust which can be exploited. They can appear to be from someone within the potential victim’s own company who has authority and status.
Let’s look at an example of a phishing email.
It looks legitimate, doesn’t it? If you’ve shopped at Amazon you’ll recognise this automated communication received with a purchase.
It’s easy to take the information at face value, which is exactly what the attackers want. Playing on the disbelief and irritation you feel at an order you never placed, they are counting on you to act on your initial impulse and click the ‘go to the refund page’ link at the bottom of the email to quickly ‘resolve’ the matter. Clicking the link leads to a webpage asking you to input your login details, and once those details are revealed it’s open season for the cyber criminals.
The good news is that the damage from phishing e-mails is easily avoidable. In the above scenario, hovering a mouse over the link will reveal its destination address – and it’s not leading to Amazon.
The first step to protecting an organisation is awareness of cyber scams. Education is key. The list of actions in the accompanying box will reduce the chance of a scam at the very least spoiling your day and at worst causing substantial and perhaps lasting damage to your organisation or business.
Phishing emails never fail to hoodwink a few otherwise sophisticated and experienced professionals. Don’t be caught out and get the message out – share this article.
Benjamin Hosack is Chief Commercial Officer of cyber security consultancy Foregenix. He speaks across the globe about the cyber security threats and how the industry can protect organisations, businesses and the wider economy.
What to look out for:
- It pays to have a healthy suspicion of unsolicited contact from individuals asking for confidential information.
- If you want to find out if an email is legitimate, verify it by contacting the company directly.
- Do not provide personal / sensitive information about your organisation unless you are certain of a person’s identity and authority.
- Do not respond to email solicitations for confidential information, including clicking on links sent.
- Pay attention to the URL of a website – malicious websites have variations in spelling or a different domain name.
- Install and maintain anti-virus software, firewalls, and email filters.
- Use anti-phishing features offered by your email client and web browser.
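The two checks the article relies on, looking at where a link really points (the hover test in the Amazon example above) and looking for spelling variations or a different domain name in the URL (the list item above), can be automated in a mail filter or used to build awareness-training material. The following is an added example, not code from the article or from Foregenix. It assumes `amazon.com` is the genuine sender domain; the e-mail body and every other address in it are constructed for the example, and the `.example` and `example.net` names are reserved test domains.

```python
"""Inspect the links in an HTML e-mail the way the article recommends: compare
where each link really goes with what it displays, and flag destinations that
are not the sender's genuine domain or that merely resemble it.
Added example; not code from the article or from Foregenix."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body imitating an order notification. Every address in it
# is made up for this example; "amazon.com" is assumed to be the genuine domain.
SAMPLE_EMAIL_HTML = """
<p>Your order #1234 has shipped.</p>
<p>If you did not place this order,
<a href="http://amazon-refunds.example.net/login">go to the refund page</a>.</p>
<p>Track it at <a href="https://www.amazon.com/orders">www.amazon.com/orders</a>.</p>
<p>Help: <a href="https://www.amaz0n.example/help">https://www.amazon.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL; bare 'www.site.tld/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Naive 'last two labels' registrable domain. A production filter would
    consult the Public Suffix List so that names like shop.example.co.uk work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Digit-for-letter swaps commonly used to build look-alike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def is_lookalike(host, expected_domain):
    """True if the host's registrable name matches the expected brand label
    only after undoing digit substitutions, or differs only in its suffix."""
    brand = expected_domain.split(".")[0]
    normalised = registered_domain(host.translate(_HOMOGLYPHS).replace("rn", "m"))
    return registered_domain(host) != expected_domain and normalised.split(".")[0] == brand


def assess_link(href, text, expected_domain):
    """Return human-readable reasons a link is suspicious (empty list if none)."""
    reasons = []
    host = host_of(href)
    # If the visible text itself looks like an address, it must agree with the real target.
    if "." in text and not any(c.isspace() for c in text):
        shown = host_of(text)
        if shown and shown != host:
            reasons.append(f"displays {shown} but actually points to {host}")
    if registered_domain(host) != expected_domain:
        if is_lookalike(host, expected_domain):
            reasons.append(f"{host} is a look-alike of {expected_domain}")
        elif expected_domain.split(".")[0] in host:
            reasons.append(f"{host} contains the brand name but is not under {expected_domain}")
        else:
            reasons.append(f"{host} is not under {expected_domain}")
    return reasons


def check_email(html, expected_domain):
    """Run assess_link over every link; return [(href, reasons)] for suspicious ones."""
    findings = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text, expected_domain)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_email(SAMPLE_EMAIL_HTML, "amazon.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the genuine tracking link passes, the ‘refund page’ link is flagged because its real destination only borrows the brand name, and the help link is flagged twice: its visible text disagrees with its real target, and that target is a digit-substituted look-alike. The registrable-domain logic is deliberately naive; a real filter would use the Public Suffix List and would also decode punycode (`xn--`) hostnames before comparing.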