EY on the ‘huge proliferation of successful phishing campaigns’ | Insurance Business

Phishing campaigns continue to dominate the global cybercrime arena. While issues like ransomware, cryptocurrency mining and state-sponsored attacks make the media headlines, it’s the lower-level cyberattacks that are impacting the most businesses around the world.

A phishing campaign is when a cybercriminal attempts to trick victims, typically by email, into sharing sensitive or confidential information for malicious reasons. Whereas phishing attacks are not normally personalised (they’re often mass fraudulent emails), there’s a more targeted form of attack called spear phishing, in which particular individuals within an organisation are singled out. They’re tricked into complying because the fraudsters know exactly what’s going on within the company and can back up their spear phishing emails with scarily accurate context.

“In 2018, we saw a huge proliferation of very successful phishing campaigns,” said Ryan Rubin, partner, UK Forensic & Integrity Services team, Ernst & Young. “Unfortunately, cyber criminals are being very effective and are getting through organisations’ defences, despite there being an increasing awareness of cyber risk and a general improvement in security controls. What we’ve seen is that businesses often focus on trying to prevent the sophisticated cyberattacks from happening, and they’re less concerned about basic low-level attacks like phishing and business email compromise.

“We see organisations of all sizes being targeted and successfully defrauded via phishing campaigns and business email compromise attacks. It’s a combination of social engineering (convincing the recipient that the sender is someone they’re not) and poor cyber hygiene. A lot of organisations have been embracing email solutions in the cloud and as a result of that, some of the nascent weaknesses in security (like password guessing) have helped fraudsters to guess account passwords and start to spoof or pretend to be other members of staff or potentially other suppliers in the supply chain.”

There are relatively simple risk mitigation responses to email compromise and social engineering, according to Rubin. A lot of it ties into basic cyber security hygiene, such as moving away from ordinary username and password authentication to two-factor authentication, particularly schemes that make use of security keys rather than email or SMS codes. This does create some inconvenience for email users, but it pays off in strengthening an organisation’s email security.

“It also comes down to general awareness,” Rubin told Insurance Business. “What really puzzles me is how any business can accept bank account details and instructions via email, and no matter who it’s sent by, will then allow that transaction to take place. In today’s world, we simply can’t trust emails for sensitive banking transactions, or even to supply personal information to others.

“While business email compromise attacks can seem quite simple in their deployment, they’re often very cleverly done. We shouldn’t underestimate the social engineering sophistication by which these attacks are undertaken. Often there’s extra pressure being applied – for example, pressure to respond by a certain time – which really plays to our human nature where people want to be helpful and get things sorted out as quickly as possible.”

Another risk factor potentially stemming from human nature is a tendency to deny risk. There are still those who think: ‘It’s not going to happen to us. We’re not a bank, so why should we be as cyber secure as those financial organisations?’ Furthermore, some organisations that have moved their email solutions to the cloud have the misguided understanding that the maintenance and security of services in the cloud are no longer the organisation’s responsibility. That’s not the case, Rubin stressed. It’s still important for organisations to keep a close handle on what’s going on in the cloud and to ensure there’s proper monitoring and oversight of cloud services so that anything suspect can be picked up early on.

“From an insurance perspective, I think Europe is still playing catchup compared to the US in terms of the adoption of insurance products and the usage of those as a measure for risk mitigation,” Rubin commented. “I think the insurance market is starting to offer a variety of options that companies can have to manage their risk. However, the cyber insurance isn’t a silver bullet in its own right and may not provide the full cover that organisations need.

“Again, there could be a tendency for some organisations to believe that once they have cyber insurance, they don’t need to do anything else. In reality, cyber insurance is just another measure by which an organisation can mitigate and manage some of their risk. Insurance is particularly beneficial when it comes to responding to an event or dealing with the impact of a breach, especially if an organisation needs some additional forensic services, legal support or identity theft protection for their customers. So, cyber insurance can help provide some cover or shelter during or immediately after an event, but the tail-end of these breaches (and often they have a very long tail) is something that may not be covered fully by any insurance products today.”