Gone Phishing

By: (CISA, CISSP, CRISC)

Publication: Nebraska Banker , September/October 2014

Phishing attacks are a part of everyday life, and according to the “Global Phishing Survey 2H2013: Trends and Domain Name Use” by the Anti-Phishing Working Group (APWG), the banking industry is the primary target of these types of attacks. So, what are phishing attacks and how can we protect our banks against these attacks?

What is a phishing attack?

A phishing scam is a type of social engineering attack that typically uses fraudulent electronic messages (email, text, etc.) appearing to come from legitimate sources. These messages usually attempt to acquire sensitive information or install malicious software by directing the recipient to click a link or open an attachment. Some common types of phishing include:

  • Spear Phishing: targeting specific individuals, roles or organizations
  • Whaling: targeting executives or Board members
  • Phaming or Minnowing: targeting family or kids of key employees
  • SMiShing: an attack using text messages
  • Vishing: an attack over a phone call

What are some examples of recent phishing attacks?

Here are a few common phishing attacks we have seen recently:

  • An email appearing to come from the Better Business Bureau claiming someone opened a complaint about your institution and directing you to, “click here to read the report.”
  • An email appearing to come from your corporate phone system directing you to “click here to listen to the voicemail.”
  • An email appearing to come from Facebook asking you to reset your password.
  • An email notifying you of a recent transaction supposedly from eBay or Amazon and directing you to “click here to view or cancel the transaction.”

Are phishing attacks successful today?

Yes. Over the past 12 months, we have conducted 96 social engineering tests on various financial institutions across the U.S. During these tests, we were over 90% successful in getting at least one employee from the institution to click on a link or open an attachment.

Why are phishing attacks successful?

There are many reasons phishing attacks are so successful, including:

  1. The sheer number of attacks. Phishing attacks are fairly easy to construct and inexpensive to deploy.
  2. Inherent human desire to please. We train our employees to be kind and helpful, and it is human nature to want to please. Phishing attacks prey on these natural and trained characteristics.
  3. Hurried work life. Employees are wearing so many hats and have so many deadlines, they learn to move quickly and can easily overlook common sense, clicking a link or opening an attachment when they shouldn’t.
  4. It only takes one. It just takes one person in the organization to fall for an attack in order for the attack to be successful.

What can we do to train our employees?

Training must be repetitive. We need to continually remind our employees of these attacks and show them examples of what they look like.

Testing is also a good training mechanism. Employees may think they will never be targeted with a “real” phishing attack; however, if you tell them they will be tested, then their attitude changes from “this doesn’t apply to me” to “I better be prepared.”

Here are five practical reminders for employees, related to phishing attacks:

  1. Look for typos. While phishing attacks are getting better each day, many still have obvious typos or grammar issues. Look for these as obvious flags.
  2. Be suspicious. Just because it looks like it came from the president or IT department doesn’t mean it did.
  3. Be cautious. Be extra cautious before opening attachments or going to links from an email, regardless of who sent it.
  4. Trust your instinct. If you have a feeling something isn’t right with an email or message, trust that instinct and get a second opinion. Attacks are very sophisticated, but many times, there are small things that should trigger questions or concerns.
  5. Report. Make sure to report any suspect phishing attack immediately.