posted by Fnord666 on Tuesday August 20 2019, @05:54PM   Printer-friendly
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then not making life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behaviour isn't restricted to email either: banks, utilities, telecommunications and other service providers sometimes call customers out of the blue and ask them to provide their personal security details to prove who they are, yet the customer has no way of telling whether the call is genuine or a hoax.
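The quotes above make the point that a recipient has almost nothing to go on when judging whether the From: line is genuine. The receiving mail server does have something to go on: the Authentication-Results header it adds (RFC 8601) records whether SPF and DKIM passed and for which domain. The script below is an added example, not code from the ZDNet article or the submission; it shows the three checks a gateway or an analyst can make from the raw message: DMARC-style alignment of the From: domain with an authenticated domain, a protected display name appearing on an unexpected address, and a Reply-To that diverts replies elsewhere. The internal domain `example.com`, the executive list `PROTECTED_NAMES`, the lookalike domain `examp1e.com` and all three sample messages are constructed for the example.

```python
"""Triage checks for a suspected spoofed or spear-phishing email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and the people whose
# names an attacker would borrow.  In practice both come from configuration.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}


def parse_auth_results(header):
    """Map method -> (result, properties) from an Authentication-Results header.

    'mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com'
    becomes {'spf': ('pass', {'smtp.mailfrom': 'example.com'}),
             'dkim': ('pass', {'header.d': 'example.com'})}
    """
    results = {}
    if not header:
        return results
    # The text before the first ';' is the authserv-id; each later clause is method=result [props].
    for clause in str(header).split(";")[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"(\S+?)=(\S+)", rest))
        results[method.lower()] = (result.lower(), props)
    return results


def _domain(value):
    """Domain part of an address, or the value itself if it is already a bare domain."""
    return value.rsplit("@", 1)[-1].lower()


def triage(raw_message):
    """Return a list of findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    auth = parse_auth_results(msg.get("Authentication-Results"))

    # 1. Alignment: only a DKIM pass for the From: domain itself, or an SPF pass for an
    #    envelope sender in that domain, actually vouches for the visible From: header.
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_aligned = dkim_result == "pass" and _domain(dkim_props.get("header.d", "")) == from_domain
    spf_aligned = spf_result == "pass" and _domain(spf_props.get("smtp.mailfrom", "")) == from_domain
    if not (dkim_aligned or spf_aligned):
        findings.append(f"From: domain {from_domain!r} is not authenticated (no aligned DKIM/SPF pass)")

    # 2. Display-name impersonation: a protected person's name on an address that is not theirs.
    #    This also catches a lookalike domain that passes SPF/DKIM for itself.
    expected = PROTECTED_NAMES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name {display_name!r} used with unexpected address {from_addr!r}")

    # 3. Reply-To outside the From: domain sends the victim's reply to the attacker.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from From: domain {from_domain!r}")

    return findings


# Constructed sample messages (not real traffic).
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Lunch on Friday

Are we still on for Friday?
"""

SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.example>
To: staff@example.com
Subject: Urgent - invoice

Please pay the attached invoice today. Don't call, I'm in meetings all day.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
To: staff@example.com
Subject: Urgent - invoice

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, triage(sample) or "clean")
```

The lookalike sample is the one worth studying: it passes SPF and DKIM, because the attacker controls `examp1e.com` and can publish records for it, so an alignment check alone says nothing is wrong. Only the display-name rule, which encodes knowledge about who in the organisation is worth impersonating, flags it. Authentication headers tell you which domain sent the message, not whether that domain is the one the reader thinks it is.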

  • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @01:23AM (#883401)

    We had that once. Some pentester sent a bunch of emails to mid-level people from one of the C-suite executives. One of the IT people noticed and the Director of IT himself sent a copy of the email to EVERYONE with the subject "Example phishing email." It started with a LONG paragraph telling people that this is what fake emails look like and to report them in the future and then attached the text of the email without any sort of horizontal rule or other division. The text was two sentences that were something like, "I need you to fill out this form [phishing.example] as soon as possible. Also, please forward this to anyone you think needs this information. Sincerely, Executive's Name," except with the proper name and a working phishing site at the link. According to a friend in IT, over 1/3 of people in the entire company (literally hundreds if not thousands of people) clicked the link in the forwarded email and filled out their SSO credentials, and the Director of IT had his email blacklisted off and on for weeks because of all the people who marked his forwarded email as "junk" or reported it.