

Spear phishing – threat vectors highlight new realities


Not knowing when, where or how a phishing or ransomware attack might succeed in tricking an end-user into downloading malware onto an endpoint device, bypassing perimeter defenses in the process, takes a heavy toll on cybersecurity professionals.

“The only real defense is to continually back up data to make sure pristine copies of critical data are always available,” wrote author and blogger Mike Vizard for Barracuda. “How long that malware lies dormant on an endpoint or when it might start attempting to encrypt or steal data is anybody’s guess. It’s that level of uncertainty that starts to gnaw at the confidence of the average cybersecurity professional.”

Backups limit what an attacker can destroy, not what an attacker can steal, which is why attention turns to stopping the first click.

This hard truth has led Jonathan Tanner, software engineer at
Barracuda Networks, to suggest the ‘human firewall’ as the most
effective line of defense. “In a world where organizations have
vendors jumping in front of each other to deploy their
‘best-of-breed’ security solutions at HQ and everywhere else, the
only thing between your company and a ransomware attack could be
whether or not your users click or don’t click on a malicious
link,” he said.

You’ve got mail

Tanner has detailed some of the criminals’ real phishing attempts in a blog post. He also reported that Barracuda blocked over 1.5 million phishing emails with 10,000 unique phishing attempts in May 2018 and 1.7 million phishing emails with over 2,000 unique attempts before the end of June.

In April 2017, business email compromise (BEC) duped Southern
Oregon University into sending a wire payment of US$1.9 million
to fraudsters instead of its contractor. A similar attack at
France-based industrial equipment manufacturer Etna Industrie
sent emails and phone calls purportedly from the company’s CEO
instructing an accountant to transfer €500,000 to bank accounts
abroad.

These examples are just the tip of the iceberg, but they underscore the need for employees to be properly trained to stay safe online. To promote the due diligence that bolsters security defenses, Osterman Research, in a study commissioned by Barracuda, urges companies to conduct a thorough audit of their current security and compliance environment; establish detailed and thorough policies; implement best practices for users to follow; provide security awareness training commensurate with the risk associated with each role; and deploy alternatives to employee-managed tools and services.

Employees, especially senior executives and the staff who act on their instructions, are the most likely targets of a BEC attack. They should be made aware of the risks of oversharing information via email and social media, since that is the material attackers use to make a pretext convincing. In the case of Etna Industrie, an employee who handles sensitive financial transfers should have an out-of-band way to verify any transfer request with the CEO, such as a phone number already on file, never a number or reply address supplied in the request itself.

Put simply, effective email security is as much about employee behavior as about the tools that stop threats. Every respondent to a 2018 email security study by Dimensional Research and Barracuda said end-user training is important.

Real-world lessons

“We’re also seeing that it’s important for organizations to offer
users more than just a traditional classroom-style approach,”
observed Dennis Dillman, vice president of Product Management at
Barracuda Networks. “Being able to scale training, move quickly,
and be offered at the convenience of each employee could make all
the difference in an effective program.”

To enable real-time spear phishing and cyber fraud defense, Barracuda is already harnessing machine learning and artificial intelligence (AI) to augment human precautions. The cloud-based Barracuda Sentinel, in particular, combines an AI engine that stops spear phishing attacks in real time; domain fraud visibility using the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals who have access to sensitive information or the ability to authorize or send payments. Note that DMARC covers mail that claims to come from a domain you control; a lookalike domain registered by the attacker is outside its scope and has to be caught by other signals.
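To make the DMARC part concrete, here is an added example (not Barracuda code, and not from the original article) of what a receiving mail server does with a published DMARC policy: it parses the record, checks whether the SPF or DKIM identifier aligns with the visible From domain, and applies the p or sp action on failure. The domains, the two records and the assumption that organizational domains are simply the last two labels are all constructed for the example; a real receiver resolves the record from DNS and uses the Public Suffix List. The last case in the main block shows the caveat above: a lookalike domain with no record gets no policy at all.

```python
"""Toy DMARC evaluator: parse a DMARC TXT record and work out what a
receiving mail server would do with a message, given the SPF and DKIM
results it has already computed.

Constructed example, not Barracuda code. The domains and records are
made up; in production the records come from DNS (TXT at _dmarc.<domain>).
"""
from dataclasses import dataclass

# Constructed records as they would be published in DNS (assumption).
DMARC_RECORDS = {
    "example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                    "pct=100; rua=mailto:dmarc-rua@example.com"),
    "weak-example.com": "v=DMARC1; p=none; rua=mailto:dmarc@weak-example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")      # pct < 100 sampling is not simulated here
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels). Real receivers use
    the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain, the one the user sees
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    spf_pass: bool
    dkim_domain: str   # d= of the verified DKIM signature, "" if none
    dkim_pass: bool


def lookup_policy(from_domain: str):
    """Find the record for the From domain, else for its organizational
    domain (then the 'sp' tag applies). Returns (tags, is_subdomain)."""
    d = from_domain.lower()
    if d in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[d]), False
    org = org_domain(d)
    if org != d and org in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[org]), True
    return None, False


def dmarc_evaluate(r: AuthResults):
    """Return (result, action): result is 'pass', 'fail' or 'no-policy';
    action is 'none', 'quarantine' or 'reject'."""
    tags, is_sub = lookup_policy(r.from_domain)
    if tags is None:
        return "no-policy", "none"
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:      # DMARC passes if either aligned identifier passes
        return "pass", "none"
    return "fail", (tags["sp"] if is_sub else tags["p"])


if __name__ == "__main__":
    cases = {
        "legit":       AuthResults("example.com", "bounce.example.com", True, "example.com", True),
        "spoof":       AuthResults("example.com", "attacker.net", True, "", False),
        "subdomain":   AuthResults("hr.example.com", "attacker.net", True, "", False),
        "weak policy": AuthResults("weak-example.com", "attacker.net", True, "", False),
        "lookalike":   AuthResults("examp1e.com", "examp1e.com", True, "examp1e.com", True),
    }
    for name, case in cases.items():
        print(f"{name:12s} -> {dmarc_evaluate(case)}")
```

The "weak policy" case is the one worth checking in your own DNS: a record with p=none gives reporting but tells receivers to deliver spoofed mail anyway, so brand-spoofing protection only starts at p=quarantine or p=reject.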

When a phishing email tries to bait the recipient into a dialog and into believing that the attacker is a colleague, the AI engine looks for red flags such as a different reply-to address, an email address that spoofs the company’s domain, or language in the message that requests a favor or an action. It also learns each user’s unique communication patterns via integration with platforms such as Office 365, and analyzes multiple classifiers to map the social network of every individual inside the company.
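The red flags listed above are cheap to check on their own, before any machine learning is involved. The following is an added example, not Barracuda Sentinel's code or from the original article, that scores raw RFC 5322 messages on exactly those signals: a Reply-To in another organization, a sender domain that imitates the company's (homoglyphs, one- or two-character typosquats, the brand embedded in a longer name), a display name borrowed from an executive, and wording that asks for a favor or an action. The company domain, the executive directory, the phrase list, the weights and all four messages are constructed for the example.

```python
"""Heuristic spear-phishing red-flag scorer for raw RFC 5322 messages.

Constructed example, not Barracuda Sentinel. The company domain, the
executive directory, the phrase list, the weights and the messages are
made up. The checks are the signals the text names: a Reply-To that
points elsewhere, a sender domain that imitates the company's, a display
name borrowed from an executive, and wording that asks for an action.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                             # assumption
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed directory
ACTION_PHRASES = [                                         # assumed phrase list
    r"\bwire\b", r"\btransfer\b", r"\burgent(ly)?\b", r"\bgift cards?\b",
    r"\bdo me a favou?r\b", r"\bare you (available|at your desk)\b",
    r"\bkeep this (between us|confidential)\b",
]
WEIGHTS = {"reply_to": 2, "lookalike": 2, "exec_name": 3, "language": 1}  # assumed
SUSPICIOUS_AT = 3


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain: str) -> str:
    """Fold the character substitutions attackers use in lookalike domains."""
    folded = domain.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return folded.replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str) -> bool:
    """True for domains that imitate COMPANY_DOMAIN without being it.
    The brand-substring rule is deliberately broad; tune for short names."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    brand = COMPANY_DOMAIN.split(".")[0]
    return (normalize_homoglyphs(domain) == COMPANY_DOMAIN
            or levenshtein(domain, COMPANY_DOMAIN) <= 2
            or brand in domain)      # example-secure.com, example.com.evil.net


def org_domain(domain: str) -> str:
    """Last two labels; a real deployment uses the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw: str) -> dict:
    """Parse one message and return the flags raised, a score and a verdict."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    flags = []
    # Reply-To in another organization: replies go to the attacker, not the sender.
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        flags.append("reply_to")
    if is_lookalike(from_domain):
        flags.append("lookalike")
    # Display-name spoofing: the name is an executive's, the address is not.
    expected = KNOWN_EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("exec_name")
    if any(re.search(p, body_text(msg), re.I) for p in ACTION_PHRASES):
        flags.append("language")
    score = sum(WEIGHTS[f] for f in flags)
    return {"from": from_addr, "flags": flags, "score": score, "suspicious": score >= SUSPICIOUS_AT}


# Constructed messages, not real mail.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Quick request

Are you at your desk? I need you to wire EUR 500,000 to our new supplier
today. Keep this confidential until I am back from the conference.
"""
SAMPLE_FREEMAIL = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Favor

Can you do me a favor? I am in a meeting and cannot take calls, so reply here.
"""
SAMPLE_INTERNAL = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Board slides

Please review the attached slides before Thursday's board meeting.
"""
SAMPLE_VENDOR = """\
From: "Acme Billing" <billing@acme-vendor.net>
Reply-To: <ar@acme-vendor.net>
To: accounts@example.com
Subject: Invoice 4711

Please wire the amount on the attached invoice by 30 June.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_FREEMAIL, SAMPLE_INTERNAL, SAMPLE_VENDOR):
        print(score_message(raw))
```

The vendor invoice shows why the language check alone carries little weight: "wire" appears in plenty of legitimate finance mail, and it is the combination with a spoofed identity or a diverted reply path that makes a message worth holding. The free-mail case shows the opposite: no lookalike domain at all, just an executive's name on an outside address, which is the common shape of the Etna Industrie style request.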

Another Barracuda tool, PhishLine, uses continuous simulated phishing attacks to improve the security awareness of employees. It trains them to recognize current social-engineering techniques and the subtle clues that give an attack away, and so to help stop email fraud, data loss and brand damage.

It also embeds learning into business processes by launching customized simulations that test and reinforce good user behavior. The computer-based training includes a wide array of easy-to-use, customizable content in the PhishLine Content Center Marketplace, as well as reporting and analytics to provide visibility into who is clicking and what they are clicking on.

“It’s a numbers game,” highlighted Asaf Cidon, vice president of
Content Security Services at Barracuda Networks. “The more
attempts that are made, the better chances the attackers have of
running off with your money. It takes one successful attack to
cause significant financial and reputational harm.”

This is a QuestexAsia feature commissioned by Barracuda Networks.

Article source: https://www.networksasia.net/article/spear-phishing-threat-vectors-highlight-new-realities.1533523385