Phishing: Proactive Prevention and Reactive Response for Organizational Security
Published October 14, 2024
- Cybersecurity
Phishing is known to be one of the most widespread and damaging threats across the cybersecurity landscape. It can, and often does, lead to serious reputational, data and/or financial loss for organisations and individuals alike. According to Kaspersky reports, phishing increased by 100% from 2021 to 2022 and by a further 40% in 2023. [1] There are many reasons for the rise in successful phishing attacks; however, the simplest is that people are still such an easy target.
Many organisations consider it a high enough priority, but lack a culture that fosters and develops security training and awareness across the organisation. Beyond tooling, internal/external controls and back-up processes, organisations need increased proactivity and focus, especially where individuals are concerned. It is paramount that people are trained in secure behaviours and best practice, to ultimately mitigate or prevent the occurrence of an attack.
Phishing and other forms of scams are now more prevalent than they have ever been, whether that’s in our work or in our personal lives. Estimates still put the percentage of cyber-attacks that start with a phishing email at over 90%. Organisations have a responsibility towards their customers’ data, but also towards their employees at work and at home. Threats are figuratively around every corner, and the only way to help people is to inform them of the risks and how to behave securely.
Recent phishing attack: The Eurovision Hotel Scam
A recent phishing scam, reported by the BBC in March 2023, highlighted how scammers targeted Eurovision fans who had booked hotel rooms in Liverpool. Phishing emails were used to access customer data, locking several accounts on Booking.com. [2]
In one instance, a victim was contacted on WhatsApp by someone claiming to be a hotel receptionist, who said there was an issue with the payment. This interaction almost led to the transfer of £800 to a scammer in Uganda. Fortunately, the transaction was cancelled soon after the conversation. [2]
While the exact method of data theft remains unclear, many fans reported near-miss phishing attempts. This case highlights the evolving sophistication of phishing scams and how quickly they can ensnare unsuspecting individuals.
Key Challenges
Despite the severity of the threat, many organizations struggle to create effective awareness programs. Some of the common challenges include:
- Often, awareness programs are based on entertainment, i.e. the material is fun and engaging. At Wavestone, we have found that this approach becomes a box-ticking compliance exercise that employees ignore or simply don’t take on board.
- Fear-based campaigns can deter employees from reporting phishing, i.e. people won’t report a real or potential phish for fear of negative repercussions or discipline.
- Slogans like ‘don’t click’ and ‘watch out’ can instil negative connotations in people’s minds: if you are told not to think about a pink elephant, you instantly think of a pink elephant. The key is to shift the focus to the desired outcome, e.g. ‘report phishing’.
- Today, so much personal and professional activity relies on sharing links, whether to a website or to PowerPoint slides. The challenge lies in balancing productivity with the need for vigilance in handling these links.
A Dual Approach: Proactivity and Reactivity
To effectively combat phishing, organizations must adopt both proactive and reactive strategies: proactive, by putting measures in place that stop phishing emails from reaching employees or causing damage in the first place; and, more importantly, reactive, because attacks are a certainty and organisations must plan for proactive measures to fail by ensuring users are ready and equipped to deal with phishing.
Proactivity – stop the phish at the gates
Like all things in cybersecurity, it is important for organisations to be proactive at mitigating phishing risks before they even have a chance to occur.
Effective defence-in-depth techniques include:
- Email scanners and web proxy tools can be set up on corporate mailboxes to automatically check the content of incoming email and identify hidden malware or viruses.
- Email authentication methods such as SPF and DMARC can be set up across the environment to prevent attackers from sending spoofed emails. [3]
- Enable macro security for Microsoft Office 365 to protect systems from unauthorised access and malicious Office macros. [3]
- Use application allow-listing to restrict which executables can run; for file types it does not cover, configure PowerShell script files to open in Notepad rather than execute. [3]
- Disable mounting of .iso files on user endpoints. [3]
- Restrict the use of macros. For those who must use them, ensure specific training is provided. [3]
- Enable DNS filtering to block suspicious domains and websites.
- Use EDR to continually monitor endpoints and identify any suspicious behaviour on hosts.
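To illustrate the SPF and DMARC item above, here is a small linter, added as an example and not code from the article or from Wavestone, that flags weak settings in the two TXT records. It assumes the records have already been fetched from DNS; the sample records are constructed, and the example.net and example.com names are placeholders.

```python
import re

# Constructed sample records for illustration (not any real domain's DNS).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

# SPF terms that each consume one of the 10 DNS lookups a receiver will perform.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.I)

def audit_spf(spf_txt):
    """Return weaknesses found in an SPF TXT record (empty list = looks sound)."""
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed (no 'v=spf1' prefix)"]
    findings = []
    # The final 'all' sets the verdict for unlisted senders: -all fails, ~all softfails,
    # ?all is neutral, and +all (or a bare 'all') passes anyone, spoofers included.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism, so unlisted senders are unconstrained")
    else:
        qual = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qual in "+?":
            findings.append(f"SPF ends with '{qual}all', which lets spoofed senders pass")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; more than 10 is a permerror")
    return findings

def audit_dmarc(dmarc_txt):
    """Return weaknesses found in a DMARC TXT record (empty list = looks sound)."""
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed (no 'v=DMARC1' tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so aggregate reports are not collected")
    return findings
```

Running `audit_spf(WEAK_SPF)` and `audit_dmarc(WEAK_DMARC)` returns the findings for the weak records, while the hardened records return empty lists.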
Reactivity – The importance of raising awareness
Given the rise in successful phishing attacks, fostering awareness and instilling a security mindset across organisations is crucial. Every employee must be educated and equipped with the fundamental knowledge of what a phishing attack is, what it entails, whom it affects, how much damage it can cause to an organisation and its services, and how they can protect themselves and the organisation by consistently following best practice.
Creating a truly effective cybersecurity awareness programme goes beyond one-off training sessions or generic security posters. The challenge lies in fostering lasting behavioural change within your workforce.
Leveraging our extensive experience in cybersecurity programme delivery, our team has developed the innovative TAMAM framework.
Whether you’re implementing a company-wide strategy, or require more targeted interventions, this comprehensive, 5-step approach is designed to help you achieve your objectives and cultivate a security-conscious culture.
It can be applied to every organisation, regardless of its size, maturity, budget, or current level of preparedness.
- Target: Clearly define your objectives. What specific behaviours do you want to see from your employees?
- Audience: Segment your workforce based on roles and needs. Tailoring your message ensures it resonates with each group.
- Message: Keep it concise, positive, and action-oriented. Choose a few key messages that address critical risks and desired actions.
- Actions: Go beyond lectures with practical activities and engaging learning experiences.
- Measures: Track progress and measure the impact of your programme on behaviour change.
Final Thoughts
Phishing will remain a persistent threat, but organizations have the tools to defend against it. Proactive and reactive strategies are both vital. By following our TAMAM methodology, you can move beyond basic awareness and empower your employees to become active participants in safeguarding your organisation’s cybersecurity.
References:
[2] https://www.bbc.co.uk/news/entertainment-arts-64822893
[3] https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
Thank you to Samar Akhtar for her contributions to this insight.
Author: Jack Martin, Manager – UK, London, Wavestone