Contrary to popular belief, phishing emails are not always easy to identify. They do not always contain obvious typos, broken English or clearly come from unknown senders. Cybercriminals have become adept at crafting emails that are difficult to discern from legit messages that recipients receive daily, and even though many organizations invest in employee email security training to prevent these kinds of attacks, attackers continue to find success often through impersonation. In fact, 90% of email attacks use impersonation, and phishing attacks that impersonate senders have increased in frequency by 25%.
These stats are connected to business email compromise (BEC). BEC is a type of spearphishing attack that uses impersonation to trick the recipient into believing the message came from a trusted sender. BEC messages aim at the direct extraction of value from the target, and in this case, the message posed as fake bank instructions. This is not a one-time occurrence, in fact, the FBI found that the cost of BEC attacks reached $26 billion over a three-year period.
To prevent these attacks and avoid the same fate as the Puerto Rican government, and so many other victims, organizations must focus on validating and authenticating sender identity. By taking steps like properly enforcing DMARC and employing advanced anti-phishing solutions that confirm senders’ identities, organizations can add a crucial defensive layer to their inboxes.
It’s unfortunate to see incidents like this occur, but there are certainly tactics that Puerto Rico — or any other entity that experiences a phishing event like this — can take to ensure that moving forward, they’re more protected. For example, implementing a policy that requires confirmation for transactions over X dollar amount either in-person or with other known contacts at the organization can put an immediate stop to the scam before it progresses further.
Unfortunately, this is one of the most common scams in the industry today. It takes advantage of unsuspecting individuals with great intentions, who are simply looking to follow through accordingly with what seems to be a legitimate request for action.
To help prevent incidents like this moving forward, security awareness programs are a great help — especially programs that focus specifically on phishing awareness. Ensuring employees are comfortable with analyzing subject lines, sender addresses, etc. allows them to be a more active part of the security defense.
In addition, establishing formalized processes or systems used to manage the process of exchanging money can be helpful as well. These are often similar to what financial institutions do to detect and prevent fraud, with the goal to limit transactions or alert on thresholds that have been crossed. For example, if an organization uses a banking system, like those used in ACH transfers or payments, the security team can monitor these transactions to help identify potential fraud, above and beyond the protections and detections already built into that banking system.
Sadly, state and local government agencies are common targets for phishing attacks. To reduce the risk of becoming a victim to further phishing emails, government agencies must implement an adaptive security strategy that provides dynamic user access control to highly sensitive data such as financials. A dynamic strategy would identify and restrict access from users coming from unknown networks or foreign countries. An adaptive strategy should be applied to Multi-Factor Authentication, as the government will be able to significantly enhance their security with additional user authentication requirements – both at login and fine-grained, inside the application. Using fine-grained, even if a hacker is able to gain login credentials to the bank account, they will have to go through a stepped-up MFA challenge if they want to actually execute a transaction like change data or send money offshore. In addition, anyone granted access must be monitored by location, device and context of access so that suspicious and unusual activity can be noticed and identified immediately.
Contextual access controls can mitigate phishing risks by enabling IT teams to adopt adaptive policies in accordance with the changing context of user’s access. With the implementation of granular logging and real-time analytics, Puerto Rico can gain comprehensive insights into user activity, identify suspicious activity in due time and take remedial measures before millions of dollars are lost.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics