Posts Tagged: email

How can businesses combat easy email security mistakes?

Stuart O'Brien

It’s no secret that threats to email security are on the rise. According to a recent survey, 92% of organisations were victims of successful phishing attacks in 2022, while 91% of the respondents admitted to experiencing email data loss. By not implementing sufficient email security strategies, companies open themselves, their clients, and their customers to cyber security incidents such as phishing, data breaches, and business email compromise (BEC). It’s not just external cyber threats that businesses need to be mindful of; the human element must also be weighed heavily.

With so many email-related incidents and data loss, the question arises of how businesses can do more to prevent these events. Oliver Paterson, Director Product Management, VIPRE Security Group, explores more…

The wrong email recipient

With an increase in hybrid employees, the traditional single office-based computer setup is now becoming less popular within businesses. The pressure on employees to work harder, better, and faster makes it easy to understand why they don’t always verify the validity of the email address they are sending information to, especially now that smarter technology like autofill in Outlook is advancing rapidly. But, while it might just seem like an innocent mistake, it could have far-reaching consequences.

For example, that was the case with a university in the UK, where the personal medical details of a student were wrongly sent to the whole campus. Or when Australia’s Registered Organisations Commission (ROC) accidentally leaked confidential information, including a whistleblower’s identity. An employee entered an incorrect character when emailing someone with the same last name but a different first initial.

It only takes one incorrect character or autocorrect taking over for sensitive information to land in the wrong inbox. And, what if that recipient is a competitor or intercepted by a cyber criminal?

Sending email attachments to the wrong contact

Another common user error is sending the wrong attachment to the wrong person. This could put company data at risk. The release of confidential corporate information, such as unpatented new product information, to the wrong person or into the public domain can result in a major advantage for the competition or can even harm the reputation of the company beyond repair.

In addition, organisations now face severe consequences for violating data protection regulations, including GDPR and other industry-specific regulations. By investing in a data loss awareness tool that increases email security, businesses can take advantage of features such as prompting employees to confirm all internal and external recipients, and flagging attachments that contain confidential information to ensure your intended distribution list is correct.

For example, Surrey County Council was served with a penalty of £120,000 after three data breaches that involved misdirected emails. This included a staff member sending an email with the personal data of 241 individuals to the wrong email address. The information was not encrypted, so it was instantly accessible to the recipient and constituted a direct breach of data protection regulations.

To BCC or not to BCC?

Adding in email recipients is a task that may seem simple, but if not done correctly, can have devastating repercussions for businesses. The misuse of CC and BCC functions could expose your entire contact database, exposing customer emails to potential hackers or competitors.

In March 2023, NHS Highland was reprimanded for a data breach which revealed the personal email addresses of people invited to use HIV services. Such a mistake is a common error when sending emails, and one that often goes undetected or unreported. It is nonetheless a data breach, because none of the parties involved had consented to their contact details being shared with others.

Considering technology, companies should look to implement solutions that warn and educate people to use the CC and BCC fields properly. However, the problem extends beyond CC and BCC misuse; companies should treat the risks of sending information as much broader.

The use of autocomplete, reply all, errors adding attachments, and lack of user awareness about the information contained in the body and attachments are all significant security risks that businesses with sensitive information need to be aware of.

Data breach – accident or intent? 

More than 300 billion emails are sent each day, so it’s no surprise that misaddressed emails are the largest source of data loss for organisations. Hackers can take advantage of complacency within email culture with a number of techniques. For example, disguising emails to appear as though they are internal, whereas they actually come from a spoofed domain that looks almost identical to the real one. In an organisation that sends so many emails every day and works so quickly, employees may not notice this and may fall victim to a malware or ransomware attack, exposing the network and sensitive information.

On the other end of the scale are data breaches conducted with malicious intent. For example, the Morrisons insider threat breach was carried out by a disgruntled former employee who stole and published payroll data of nearly 100,000 staff members online. His aim was to disparage the reputation of his former employer after a disciplinary matter. The breach reportedly cost the company £2 million to rectify.

With emails accounting for such a big part of the way we communicate professionally, particularly when working remotely, it’s important to be aware of and educated about the common email mistakes that often occur. Businesses can support their employees and reduce the risk of a data breach by implementing intuitive technology that detects and highlights potential errors and threats.

Investing in technology that warns users about poor email security practices, by providing a simple safety check and prompting them to check a message twice before sending, all without impacting employee productivity, allows organisations to reduce errors quickly. These solutions can prevent organisations from revealing the wrong information to the wrong person by allowing a quick double check of the recipients of emails and attachments before sending them.
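The recipient and attachment prompts described in this post can be illustrated with a small pre-send check. The code below is an added example written for this page, not VIPRE's product or any vendor's code. The organisation domain, the address book, the threshold for suggesting BCC and the confidential-filename markers are all constructed assumptions; a real deployment would draw them from the directory and the classification policy.

```python
"""Pre-send recipient checks: an added illustration, not VIPRE's product code.

Assumed inputs: the organisation's own domain, an address book of contacts the
sender has mailed before, and the draft's To/CC/BCC lists and attachment names.
All sample data below is constructed for the example.
"""
from dataclasses import dataclass, field

ORG_DOMAIN = "example.co.uk"          # assumed internal domain
EXTERNAL_CC_LIMIT = 5                 # assumed threshold before suggesting BCC
CONFIDENTIAL_MARKERS = ("confidential", "payroll", "medical")  # assumed filename markers

# Constructed address book of contacts the sender has mailed before.
ADDRESS_BOOK = {
    "j.smith@example.co.uk",
    "k.smith@example.co.uk",
    "anna.lee@partner-firm.com",
}


@dataclass
class Draft:
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is the one-wrong-character case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def check_draft(draft, address_book=ADDRESS_BOOK):
    """Return human-readable warnings for the draft; an empty list means no prompt is needed."""
    warnings = []
    visible = [a.lower() for a in draft.to + draft.cc]
    externals = [a for a in visible if is_external(a)]

    # 1. An address not seen before that is one keystroke away from a known contact,
    #    or an external address the sender has never mailed.
    for addr in visible + [a.lower() for a in draft.bcc]:
        if addr in address_book:
            continue
        near = [k for k in address_book if edit_distance(addr, k) == 1]
        if near:
            warnings.append(f"{addr} is not in your address book but differs by one character from {near[0]}")
        elif is_external(addr):
            warnings.append(f"{addr} is an external recipient you have not mailed before")

    # 2. Many external addresses in To/CC expose every recipient's address to the others.
    if len(externals) > EXTERNAL_CC_LIMIT:
        warnings.append(f"{len(externals)} external recipients are visible in To/CC; consider BCC")

    # 3. Attachments whose names suggest confidential content, leaving the organisation.
    for name in draft.attachments:
        if externals and any(m in name.lower() for m in CONFIDENTIAL_MARKERS):
            warnings.append(f"attachment '{name}' looks confidential and the message has external recipients")
    return warnings


if __name__ == "__main__":
    for w in check_draft(Draft(to=["j.smitb@example.co.uk"], attachments=["Payroll_2023.xlsx"])):
        print("WARNING:", w)
```

The check is deliberately advisory: it returns the reasons for a prompt rather than blocking, which matches the "second chance" approach the post describes. The lookalike rule compares against the sender's own history, so a genuinely new contact is flagged only when it is external.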

Conclusion

While foresight is essential, so is the ability to prepare a smart defence. Businesses can implement best practices to protect themselves from email threats and prevent becoming the next easy target. These best practices include:

  • Implementing a layered email security strategy
  • Training employees for better security awareness
  • Deploying email-specific security controls

The email safeguards businesses can implement today will have a broader and more lasting impact as the organisation grows. When implementing these best practices, it’s essential to partner with the right email security vendor to ensure the company’s email security solutions are tailored to the company’s size and scale with the business’ growth.

Image by Gerd Altmann from Pixabay

How financial organisations can stay protected from financial data breaches 

Guest Blog

Email is a crucial function of business communication, which many organisations strongly rely upon. But as the pandemic brought a new world of remote and hybrid working, it’s arguably more important than ever to keep both individuals and organisations connected – wherever they may be.

A staggering 333.2 billion emails are sent and received daily – but in turn, it’s inevitable that typos can occur or the wrong attachments are sent to the wrong person. However, whilst innocent mistakes can happen, the consequences could be much more devastating.

The consequences of sending an incorrect email within the financial industry, in particular, could be drastic – both in terms of a firm’s reputation and legal penalties. Within an industry that deals with sensitive and valuable information, it’s vital that financial organisations prioritise keeping their confidential data secure, explains Andrea Babbs, UK General Manager, VIPRE…

At What Cost?

IBM’s latest Data Breach Report revealed that 2021 had the highest average data breach costs in seventeen years, rising from $3.86 million in 2020 to $4.24 million. Particularly within the financial services industry, research indicates that cybercrime is more prevalent in this sector compared to any other. Both external and insider breaches are equally dangerous, but human errors are almost twice as likely to result in data disclosure.

For example, if human errors occur in financial services when sending internal emails, such as including the wrong individuals in CC or attaching the wrong document, this can cause serious issues, as it may be perceived as ‘insider trading’. If two departments are working for two directly competing clients and accidentally share material non-public information about one another, this could give either team and/or client an unfair advantage from having that insight.

The size of the breach will determine the size of the cost, but at a minimum there will be penalties. Not only could there be a financial loss for the organisation, but companies will have to pay for audits to understand what happened and what protocols need to be put in place to prevent further attacks, as well as compensating customers who were affected by the breach.

Additionally, the aftermath of a data breach is far worse than just financial loss. Businesses in the finance sector have reputations to uphold in order to preserve a loyal customer base, especially in such a demanding and competitive market. Yet, failing to protect sensitive customer information can result in negative press, which can, in turn, make existing and potential customers apprehensive about an organisation. This can potentially result in them taking their business, and money, elsewhere.

Strategy Checklist

A layered cybersecurity strategy is key in any industry in order to mitigate cyber threats and keep sensitive information secure. However, within the financial sector, it’s more important than ever as the stakes are much higher. When considering a cybersecurity strategy, three components should be considered:

  1. Encryption and Authentication: Security protocols are designed to prevent a majority of instances of unauthorised interception, email spoofing and content modification. When a hacker is attempting to infiltrate a company, they may try to intercept emails via transport links or attack systems directly. Whilst encryption services do not protect businesses against human error, including them in your email security strategy will help to protect companies from hackers intercepting emails.
  2. Training and Guidelines: It is essential that businesses put in place strong security rules and guidelines concerning the movement and storage of sensitive financial information. This should also provide clear guidance on the steps employees should take if a security incident occurs. Additionally, when employees first join an organisation, they should take part in cyber security awareness training. However, this should be an ongoing programme to ensure that all employees understand the role they play in keeping their organisation safe. As part of this training, automated phishing simulations should be included to demonstrate how these threats can appear, so that users learn to identify them and act appropriately. Following this training, key metrics and reports can be provided on how the users are improving, or where more education is needed. By reinforcing key security messages across the workplace, combined with simulated phishing attacks, continuous training ensures that individuals are able to identify potential attacks, whilst providing them with the necessary skills to handle the risks.
  3. DLP (Data Loss Prevention): It is crucial for businesses, especially financial firms, to deploy security measures for the detection and prevention of potential email threats, both internally and externally. Humans play a key role in deciding what is safe to send and what is not – but DLP solutions can support this process by providing the necessary alerts. For example, colleagues exchanging confidential documents across different areas of the business means that the CC fields are likely to have multiple recipients in them. An incorrect email address is likely to be overlooked without a tool in place to highlight the error to the user and give them the opportunity to double-check the accuracy of the email recipients and attachments. Supporting staff with this crucial second chance helps to raise awareness and understanding of existing email threats, and provides that essential security lock-step – before it’s too late.
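The DLP alerts in the third component are usually driven by content rules as well as recipient rules. The block below is an added example of a content rule, not VIPRE's engine or any vendor's code: it scans a message body and the already-extracted text of its attachments for payment card numbers that pass the Luhn check, UK sort-code/account-number pairs, and classification markers such as "material non-public". The regular expressions, the marker list, the sample text and the block/prompt policy are all constructed assumptions.

```python
"""Content-based DLP check for an outbound message: an added example, not a
vendor's engine. Scans body and attachment text for card numbers (Luhn-valid),
UK bank account details and classification markers. All sample text is constructed.
"""
import re

# Assumed patterns: 16-digit cards in groups of four, UK sort code + 8-digit account.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
UK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")
MARKER_RE = re.compile(r"\b(strictly confidential|material non-public|insider)\b", re.I)


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary 16-digit strings (order ids, phone numbers) are not flagged."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_text(text, source):
    """Return findings for one piece of text; card numbers are masked in the finding."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"source": source, "type": "card_number",
                             "match": digits[:4] + "..." + digits[-4:]})
    for m in UK_ACCOUNT_RE.finditer(text):
        findings.append({"source": source, "type": "uk_bank_account", "match": m.group()})
    for m in MARKER_RE.finditer(text):
        findings.append({"source": source, "type": "classification_marker", "match": m.group()})
    return findings


def scan_message(body, attachments):
    """attachments: mapping of filename -> extracted text (extraction is assumed done upstream)."""
    findings = scan_text(body, "body")
    for name, text in attachments.items():
        findings.extend(scan_text(text, name))
    return findings


def decision(findings, has_external_recipient):
    """Assumed policy: sensitive content to an external recipient is blocked, internal is prompted."""
    if not findings:
        return "send"
    return "block" if has_external_recipient else "prompt"


if __name__ == "__main__":
    # Constructed sample: innocuous body, sensitive attachment text.
    sample = scan_message(
        "Please find the Q3 forecast attached.",
        {"clients.txt": "Card 4111 1111 1111 1111 on file; account 12-34-56 12345678. Strictly Confidential."},
    )
    for f in sample:
        print(f)
    print("decision:", decision(sample, has_external_recipient=True))
```

Masking the matched card number in the finding matters because the alert itself is often logged or shown to a reviewer; a DLP tool that copies the sensitive value into its own log creates a second place the data can leak from.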

Conclusion

Email will remain an essential platform for communication, but it will continue to be a high-risk tool for businesses and employees communicating both internally and externally. This is particularly true for financial service organisations, which remain a prime target for hackers given the temptation to access personal information and financial transactions. Therefore, the finance industry must prioritise cyber security and invest in a layered approach, which must include security awareness training and data loss prevention tools, in order to minimise human error and provide the strongest possible defence in the modern security landscape.

Phishing attacks ‘soar 220% during COVID-19 peak’

Stuart O'Brien

COVID-19 continues to significantly embolden cybercriminals’ phishing and fraud efforts, with incidents rising 220% during the height of the global pandemic compared to the yearly average.

That’s according to new research from F5 Labs based on data from its Security Operations Center (SOC), which says the number of phishing incidents in 2020 is now set to increase 15% year-on-year, though this could soon change as second waves of the pandemic spread.

The three primary objectives for COVID-19-related phishing emails were identified as fraudulent donations to fake charities, credential harvesting and malware delivery.

Attacker opportunism was in further evidence when F5 Labs examined certificate transparency logs (a record of all publicly trusted digital certificates). The number of certificates using the terms “covid” and “corona” peaked at 14,940 in March, which was a massive 1102% increase on the month before.

“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs.

“Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world.”

As per previous years’ research, F5 Labs noted that fraudsters are becoming ever more creative with the names and addresses of their phishing sites.

In 2020 to date, 52% of phishing sites have used target brand names and identities in their website addresses. Using phishing site data from Webroot, F5 Labs discovered that Amazon was the most targeted brand in the second half of 2020. Paypal, Apple, WhatsApp, Microsoft Office, Netflix, and Instagram were also among the top ten most impersonated brands.
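Defenders can run the same kind of keyword and brand watch over certificate transparency data themselves, since CT logs are public. The block below is an added example, not F5 Labs' tooling: it assumes (issue date, leaf domain) records already fetched from a CT log by whatever client is in use, counts per month the names containing a tracked term, computes the month-on-month change, and lists names that contain a watched brand but are not registered under the brand's own domain. The records, the brand watchlist, the legitimate-domain set and the two-label registrable-domain rule are constructed assumptions.

```python
"""Keyword and brand monitoring over certificate-transparency records:
an added example, not F5 Labs' method. Input records are assumed to have
been pulled from a CT log already; everything below is constructed.
"""
from collections import Counter

KEYWORDS = ("covid", "corona")                                   # terms tracked in the article
BRANDS = ("amazon", "paypal", "apple", "microsoft", "netflix")   # assumed watchlist
LEGIT = {"amazon.com", "paypal.com", "apple.com", "microsoft.com", "netflix.com"}  # assumed

# Constructed CT-log-style records: (not_before date, leaf domain name).
RECORDS = [
    ("2020-02-11", "corona-updates-daily.tk"),
    ("2020-02-20", "shop.example.org"),
    ("2020-03-02", "covid19-relief-fund.ml"),
    ("2020-03-05", "www.amazon.com"),
    ("2020-03-09", "amazon-account-verify.ga"),
    ("2020-03-14", "coronavirus-map-live.cf"),
    ("2020-03-21", "paypal.com-secure-login.gq"),
    ("2020-03-27", "corona-test-kits.tk"),
]


def registrable(domain):
    """Assumed two-label rule; a production system should use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def keyword_hits(records, keywords=KEYWORDS):
    """Per-month count of certificates whose name contains a tracked keyword."""
    per_month = Counter()
    for date, name in records:
        if any(k in name.lower() for k in keywords):
            per_month[date[:7]] += 1
    return per_month


def pct_change(counts, earlier, later):
    """Month-on-month percentage change; None when the earlier month has no hits."""
    before, after = counts.get(earlier, 0), counts.get(later, 0)
    return None if before == 0 else (after - before) / before * 100


def brand_impersonations(records, brands=BRANDS, legit=LEGIT):
    """Names that contain a watched brand term but are not under the brand's own registrable domain."""
    hits = []
    for _, name in records:
        lower = name.lower()
        if registrable(lower) in legit:
            continue
        for b in brands:
            if b in lower:
                hits.append((name, b))
                break
    return hits


if __name__ == "__main__":
    counts = keyword_hits(RECORDS)
    print("keyword certificates per month:", dict(counts))
    print("Feb -> Mar change: %s%%" % pct_change(counts, "2020-02", "2020-03"))
    for name, brand in brand_impersonations(RECORDS):
        print(f"possible {brand} impersonation: {name}")
```

The brand rule deliberately excludes names whose registrable domain is the brand's own, so that the brand's legitimate certificates do not flood the alert list; the "paypal.com-secure-login" style of name is caught because its registrable domain is under the free ccTLD, not paypal.com.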

By tracking the theft of credentials through to use in active attacks, F5 Labs observed that criminals were attempting to use stolen passwords within four hours of phishing a victim. Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes.

Meanwhile, cybercriminals also got more ruthless in their bids to hijack reputable, albeit vulnerable URLs – often for free. WordPress sites alone accounted for 20% of generic phishing URLs in 2020. The figure was as low as 4.7% in 2017.

Furthermore, cybercriminals are increasingly cutting costs by using free registrars such as Freenom for certain country code top-level domains (ccTLDs), including .tk, .ml, .ga, .cf, and .gq. As a case in point, .tk is now the fifth most popular registered domain in the world.

2020 also saw phishers intensify efforts to make fraudulent sites appear as genuine as possible. F5 SOC statistics found that most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to trick victims. This year, 100% of drop zones – the destinations of stolen data sent by malware – used TLS encryption (up from 89% in 2019).

Combining incidents from 2019 and 2020, F5 Labs additionally reported that 55.3% of drop zones used a non-standard SSL/TLS port. Port 446 was used in all instances bar one. An analysis of phishing sites found that 98.2% used standard ports: 80 for cleartext HTTP traffic and 443 for encrypted SSL/TLS traffic.
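The non-standard-port finding for drop zones translates directly into a network detection. The block below is an added example, not part of the F5 report: it parses constructed Zeek-style conn.log lines (a reduced set of fields is assumed), flags TLS sessions whose destination port is not 443, and summarises which remote hosts are only ever reached on such ports, which is the drop-zone-like pattern the article describes. The field layout, the baseline port set and the log lines are constructed assumptions.

```python
"""Flag TLS sessions to non-standard ports in constructed Zeek-style conn.log
lines: an added detection example, not from the F5 report.
Assumed tab-separated fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service.
"""
STANDARD_PORTS = {"ssl": {443}, "http": {80}}   # assumed baseline for the two services

# Constructed sample: mixed normal web traffic and TLS to ports 446 and 8443.
SAMPLE_LOG = """\
1600000000.1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl
1600000001.2\t10.0.0.5\t51001\t203.0.113.20\t446\ttcp\tssl
1600000002.3\t10.0.0.7\t51002\t198.51.100.8\t80\ttcp\thttp
1600000003.4\t10.0.0.7\t51003\t203.0.113.20\t446\ttcp\tssl
1600000004.5\t10.0.0.9\t51004\t203.0.113.30\t8443\ttcp\tssl
1600000005.6\t10.0.0.9\t51005\t203.0.113.40\t443\ttcp\tssl
"""


def parse(log):
    """Parse the reduced conn.log format into dicts, skipping Zeek '#' header lines."""
    rows = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                     "resp_h": resp_h, "resp_p": int(resp_p),
                     "proto": proto, "service": service})
    return rows


def nonstandard_port_sessions(rows):
    """Sessions where Zeek identified a service but the port is not its usual one."""
    return [r for r in rows
            if r["service"] in STANDARD_PORTS and r["resp_p"] not in STANDARD_PORTS[r["service"]]]


def summarise(rows):
    """Per-destination view of TLS: hosts never reached on 443 and their share of all TLS destinations."""
    dests = {}
    for r in rows:
        if r["service"] != "ssl":
            continue
        d = dests.setdefault(r["resp_h"], {"sessions": 0, "ports": set()})
        d["sessions"] += 1
        d["ports"].add(r["resp_p"])
    flagged = {h: d for h, d in dests.items() if not d["ports"] & STANDARD_PORTS["ssl"]}
    share = len(flagged) / len(dests) * 100 if dests else 0.0
    return flagged, round(share, 1)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for r in nonstandard_port_sessions(rows):
        print(f"{r['orig_h']} -> {r['resp_h']}:{r['resp_p']} ({r['service']})")
    flagged, share = summarise(rows)
    print(f"{len(flagged)} TLS destinations only on non-standard ports ({share}% of TLS destinations)")
```

On its own a TLS session to port 446 is only a weak signal, since plenty of legitimate services run TLS on unusual ports; the per-destination summary is there so an analyst can combine it with the host's reputation and first-seen date rather than alert on every odd port.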

According to recent research from Shape Security, which was integrated with the Phishing and Fraud Report for the first time, there are two major phishing trends on the horizon.

As a result of improved bot traffic (botnet) security controls and solutions, attackers are starting to embrace click farms. This entails dozens of remote “workers” systematically attempting to log onto a target website using recently harvested credentials. The connection comes from a human using a standard web browser, which makes fraudulent activity harder to detect.

Even a relatively low volume of attacks has an impact. As an example, Shape Security analysed 14 million monthly logins at a financial services organisation and recorded a manual fraud rate of 0.4%. That is the equivalent of 56,000 fraudulent logon attempts, and the numbers associated with this type of activity are only set to rise.

Shape Security researchers also recorded an increase in the volume of real-time phishing proxies (RTPP) that can capture and use multi-factor authentication (MFA) codes. The RTPP acts as a person-in-the-middle and intercepts a victim’s transactions with a real website. Since the attack occurs in real time, the malicious website can automate the process of capturing and replaying time-based authentication such as MFA codes. It can even steal and reuse session cookies. 

Recent real-time phishing proxies in active use include Modlishka and Evilginx2. F5 Labs and Shape Security are set to monitor the growing use of RTPPs in the coming months.

“Phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users,” Warburton concluded.

“Individuals and organisations also need to be continuously trained on the latest techniques used by fraudsters. Crucially, there needs to be a big emphasis on the way attackers are hijacking emerging trends such as COVID-19.”

Phishing attacks still a major concern for business

Stuart O'Brien

Phishing attacks remain a global concern for organisations, with physical security and FM professionals among the most at risk through lack of knowledge.

That’s the opinion gathered from the latest 2019 Beyond the Phish report by cybersecurity company Proofpoint.

Based on data from 130 million questions answered by end users across 16 industries, the fourth annual report revealed that respondents answered one in four questions incorrectly, demonstrating a knowledge gap and need for increased cyber education.

Other key findings include:

  • Customer Service, Facilities, and Security employees are the least savvy when it comes to phishing threat knowledge, incorrectly answering an average of 25 percent of cybersecurity questions asked. As these are respondent-defined department designations, the Security department could include both physical security and cybersecurity.
  • Hospitality employees scored the lowest in three categories, including “Physical Security Risks,” in which 22 percent of questions were answered incorrectly.
  • Communications teams are the most savvy when it comes to phishing threats, with end users correctly answering 84 percent of questions.
  • End users in the Education and Transportation industries have the weakest phishing knowledge, on average, answering 24 percent of questions incorrectly across all categories.
  • Finance was the best performing industry, with end users answering 80 percent of all questions correctly.
  • End users in the Insurance industry delivered the best performance in three of the 14 categories analysed, specifically excelling in the “Avoiding Ransomware Attacks” category.

“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of Security Awareness Training Strategy and Development for Proofpoint. 

“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect theirs and their employer’s data, making end users a strong last line of defence against cyber attackers.”

To download the 2019 Beyond the Phish report, and see a full list of industry comparisons click here: https://www.proofpoint.com/us/resources/threat-reports/beyond-phish

Image by Robinraj Premchand from Pixabay