Organizations need to do a better job educating staff about cybersecurity, according to the 2018 Beazley Breach Briefing.
The insurance company’s report highlights the continued prominence of phishing and the rapid rise of ransomware, which is often delivered through phishing emails. Both attack methods exploit human error, with phishing used to gain access to sensitive information, and ransomware used to disrupt business and blackmail organizations.
How are people being fooled?
Phishing schemes come in many guises, which can make spotting attacks tricky for the uninitiated. Beazley’s report focused on a popular scheme from 2017 in which cyber criminals aimed to change direct deposit information and open lines of credit. Beazley said it handled 54 such incidents in 2017, with 54% of them targeting the education sector. The reason for this, according to Beazley, is that staff emails are often publicly listed on college websites.
The report outlines how this scheme works:
- The attacker sends a malicious email to various employees asking for their email credentials
- One or more of the employees falls for the attack
- The attacker determines which payroll provider the organization uses
- The attacker logs in with the stolen credentials and creates an inbox rule that automatically moves any email from the payroll provider to the trash, then asks the payroll provider to reset the password on the compromised employee's account. Because the reset email is filed straight into the trash, the employee never sees it
- The attacker retrieves the reset email from the trash and uses the new password to log in to the employee self-service portal. From there, they change the employee's direct deposit details so that the employee's paycheck goes into an account the attacker controls
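The hiding rule in the steps above is both the attacker's persistence mechanism and the first thing an incident responder should look for in a compromised mailbox. The following is an added illustration, not code from the Beazley report or from this page's author: a Python check that scans a mailbox's inbox rules for that pattern (mail from the payroll provider deleted or moved out of sight, rules that hide everything, rules with blank or one-character names, and forwarding to addresses outside the organization). The rule format, the domain names, the keyword list and the sample rules are assumptions constructed for the example; in practice the input would be the rules exported from the mail platform for the accounts under investigation.

```python
# Added example (not from the Beazley report): flag inbox rules that hide
# mail from a payroll provider or forward mail outside the organization,
# the persistence pattern used in the direct-deposit scheme described above.
# Rule shape, domain names, keywords and sample data are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

ORG_DOMAIN = "college.example"                          # assumed home domain
WATCHED_SENDER_DOMAINS = ("payrollprovider.example",)   # assumed payroll/HR senders
SENSITIVE_KEYWORDS = ("payroll", "password reset", "direct deposit",
                      "self-service", "verify your account")
# Actions that take a message out of the user's sight (assumed action names).
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk",
                  "mark_read_and_move"}


@dataclass
class InboxRule:
    """Platform-agnostic inbox rule: what it matches and what it does."""
    name: str
    from_contains: List[str] = field(default_factory=list)   # sender matches
    text_contains: List[str] = field(default_factory=list)   # subject/body matches
    actions: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)


def rule_findings(rule: InboxRule) -> List[str]:
    """Return the reasons this rule looks like attacker persistence (empty if clean)."""
    findings: List[str] = []
    hides = any(a in HIDING_ACTIONS for a in rule.actions)
    from_provider = any(dom in f.lower()
                        for f in rule.from_contains for dom in WATCHED_SENDER_DOMAINS)
    sensitive = any(kw in t.lower()
                    for t in rule.text_contains for kw in SENSITIVE_KEYWORDS)
    if hides and from_provider:
        findings.append("hides mail from a watched payroll/HR sender")
    if hides and sensitive:
        findings.append("hides mail matching password-reset/payroll keywords")
    if hides and not rule.from_contains and not rule.text_contains:
        findings.append("hides every incoming message (no conditions)")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    # Attacker-created rules are frequently left with blank or one-character names.
    if len(rule.name.strip()) <= 1:
        findings.append("blank or one-character rule name")
    return findings


def scan_rules(rules: List[InboxRule]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, findings) for every rule that raised at least one finding."""
    return [(r.name, f) for r in rules if (f := rule_findings(r))]


# Constructed sample: one user's rules, three of them planted by an attacker.
SAMPLE_RULES = [
    InboxRule("Newsletters", from_contains=["news@vendor.example"],
              actions=["move_to_folder:Newsletters"]),
    InboxRule(".", from_contains=["payrollprovider.example"],
              actions=["mark_read_and_move", "move_to_deleted_items"]),
    InboxRule("Cleanup", text_contains=["Password Reset"], actions=["delete"]),
    InboxRule("Backup copy", forward_to=["staffer.backup@webmail.example"],
              actions=["forward"]),
]

if __name__ == "__main__":
    for name, reasons in scan_rules(SAMPLE_RULES):
        print(f"[ALERT] rule {name!r}: " + "; ".join(reasons))
```

Run over the exported rules of every account that clicked the phishing link, not only the one that reported it. A hit on the payroll-domain rule should trigger an immediate check of that employee's direct-deposit details in the self-service portal, because by the time the rule is found the reset may already have been used.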
Although these steps are specific to this scheme, most phishing attacks use a similar process. It only takes one error of judgment from an employee to give cyber criminals extensive access to the organization’s systems. Phishing emails are particularly dangerous because victims might not even know that they’ve been tricked.
Ransomware – hard to spot?
Ransomware, on the other hand, is hard not to spot. Criminals infect an organization's systems with malware that encrypts files or locks users out of their computers until the organization pays a ransom. There was an 18% increase in the number of ransomware attacks in 2017, according to Beazley. The healthcare sector was the most targeted, facing 45% of attacks, followed by education (18%), retail (15%), and professional services (13%).
Organizations hit by ransomware are often tempted to meet the criminals' demands, as paying seems the simplest and cheapest way of returning to business as usual. However, experts advise against paying. There is no guarantee that the criminals will hand over a working decryption key, and even if they do, an organization that has paid once marks itself as a willing payer and becomes a target for repeat attacks. There is also the ethical issue: paying the ransom funds future attacks.
To avoid being put in this position, organizations should keep regularly maintained and tested backups, stored offline or otherwise out of reach of the infected systems, that they can restore from in the event of an infection. Better yet, they should take steps to prevent a successful attack. Beazley's report gives many recommendations on staying secure, including:
- Training employees to spot ransomware and phishing attacks
- Applying patches as soon as they are released
- Applying least-privilege access controls so that employees can only reach the sensitive information their job role actually requires
To put these lessons into practice, you should consider our Phishing and Ransomware – Human patch e-learning course.
This course introduces your employees to phishing and ransomware, describing the link between the two, and showing them how attacks work. Equipping your employees with this knowledge will help them spot attacks and respond appropriately if they think your organization has been compromised.