It's a few weeks before Christmas. You want to surprise a family member with a new laptop, but you can't decide which one, so you reach out to your social media community to crowdsource some options.
Suddenly, you receive an email from a colleague who often comments on your posts. Apparently, they’ve got some top tips for you - and “here’s the link with all the details”.
Merry Christmas! You’ve just been spear-phished. In a matter of seconds, you’ve been hoodwinked by a carefully constructed scam and your personal data is now in cybercriminals’ hands.
You wouldn't be alone. F5 Labs' recent report, "Lessons learnt from a decade of data breaches", states that phishing is fast becoming cybercriminals' easiest and most productive attack vector, and is now responsible for almost half of all recorded breached records by root cause. According to Symantec, spear-phishing is today's dominant infection vector, employed by as many as 71 percent of organised cybercriminal groups. The data is supported by figures from the Anti-Phishing Working Group, which indicate that global phishing incidents have risen by a staggering 5,753 percent over the past 12 years.
The holiday season brings perfect conditions for phishing to thrive. Research from payment system firm ACI International shows that online fraud grew by 22 percent globally between November 22 and December 31 last year, and you can bet that trend will continue.
At the same time, the potential attack surface is expanding. Worldwide analysis by Salesforce suggests that 2018 holiday season e-commerce revenue will increase 13 percent on last year, with AI-based product recommendations driving 35 percent of all revenue.
A perfect storm is brewing. Here’s how you can prepare and stay safe:
Take care before you share. It is easy to let your guard down when you're self-promoting or updating followers with engagement-stoking details. Even seemingly innocuous information can be weaponised by persistent hackers. Individuals need to be wary, alert and responsible. Organisations, on the other hand, must run robust, continually evolving awareness-raising programmes to ensure all employees embrace a culture of appropriate social sharing. They should also check whether business-related content published on third-party properties, such as online directories and partner websites, is genuinely necessary.
Think before you click. Treat any link with suspicion, particularly if you’re unsure of its origin. Hover over hyperlinks to view the destination URLs, because spear-phishers will often hide their URLs in email body text or via online forms that appear credible.
Sound phishy? It probably is. Spear-phishing has been honed to a fine art, including the incorporation of an impressive array of personal and circumstantial details to crank up the realism factor. Question everything and try to establish the sender's veracity before doing anything. Canny cybercriminals often invoke the authority of high-ranking figures within an organisation to hurry recipients into careless actions, such as sending sensitive details via email.
Interrogate email headers. Attackers frequently send email inquiries to gather IP addresses, determine mail server software, and ascertain email traffic flow. Check all email headers before opening content from unknown sources.
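A quick way to make the header check concrete is to let a script pull out the handful of fields that matter. The following Python is an added example, not code from the article or from F5: it parses a raw message with the standard library, compares the domains of From, Reply-To, Return-Path and Message-ID, and lists the Received chain in delivery order so the first hop can be seen. The message is constructed for the example and its hostnames and addresses are placeholders.

```python
"""Summarise the headers of a raw email so sender claims can be checked."""
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not from the original article). The display name
# and From domain look like a colleague, but Reply-To, Return-Path, Message-ID
# and the earliest Received hop all point at a different domain.
RAW_MESSAGE = b"""Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
\tby mail.example-corp.test with ESMTP id abc123; Mon, 3 Dec 2018 09:12:44 +0000
Received: from unknown (HELO relay.evil-host.test) (198.51.100.7)
\tby mx.example-corp.test with SMTP; Mon, 3 Dec 2018 09:12:40 +0000
Return-Path: <bounce@evil-host.test>
From: "Alex Colleague" <alex@example-corp.test>
Reply-To: alex.colleague@evil-host.test
To: you@example-corp.test
Subject: Laptop tips - here's the link with all the details
Message-ID: <1234@evil-host.test>

Here's the link with all the details.
"""


def domain_of(header_value):
    """Extract the lower-cased domain from an address-style header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Return Received hops in delivery order (earliest first). Each MTA prepends
    its own Received header, so the last one on the message is the first hop."""
    hops = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def header_findings(raw):
    """Return human-readable findings about the sender-related headers."""
    msg = BytesParser().parsebytes(raw)  # default policy: headers come back as strings
    findings = []
    from_dom = domain_of(msg["From"])
    for name in ("Reply-To", "Return-Path", "Message-ID"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    chain = received_chain(msg)
    if chain:
        # Keep only the "from ..." clause of the earliest hop: who handed it in.
        findings.append("first hop: " + chain[0].split(" by ")[0])
    return findings


if __name__ == "__main__":
    for line in header_findings(RAW_MESSAGE):
        print(line)
```

Received headers below the one added by your own mail server are written by whoever relayed the message and can be forged, so the first hop is a lead to investigate rather than proof; the From, Reply-To and Return-Path comparison is the part that most often gives a spoofed colleague away.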
Adapt or die. There is no protective silver bullet. Make sure any endpoint protection tools are behaviour-based to help ensure lessons are learned from successful attacks.
Secure the network. In the business world, it is imperative that security teams regularly ensure network systems are optimally configured to withstand threats.
Test your limits. Businesses should consider periodically hiring a penetration tester to unearth the who, what, where, when and why of attacker behaviours.
Simon McCullough is the technical manager at F5 Networks.