DEFEAT PHISHING ATTACKS: Protecting Employees from Phishing by creating a Human Firewall.
Sam: Welcome to Chromecast Check It Out. I'm Sam Major, commercial director of Chrome Technologies. Today on this edition of Check It Out I'm joined by our compliance officer, Chris Swan. We'll be talking about the security issues that end users are subject to from phishing attacks, and how, with the right tools, tests and training, you can protect and educate your employees against phishing attempts by creating, in essence, a human firewall. Chris, thanks for joining me today.

Chris: No problem. Thanks, Sam, thanks for having me.

Sam: So to begin with, Chris, whilst I'm sure our audience will be aware, could you just briefly, and I'll say briefly, and if anyone knows you and I, we don't really do briefly, but we'll do our best today, just summarize what phishing is, the process and the purpose?

Chris: Okay, right. Phishing basically is an attempt to commit online fraud. So what cyber criminals are looking to do is steal your personal information. They can do this in various ways: by phishing emails, fraudulent websites, SMS sent to your phone, which they call smishing, or calls directly to your phone, which is vishing. But they always will appear, or appear to be, from reputable organizations or someone you know and trust. Their main aim is really just to steal your personal data, such as, you know, credit cards or debit cards. That, basically, in a nutshell, is what online phishing is about. But what they're looking to do really is play on your fears, your curiosities and your insecurities, just to gather your data and to get you to click on bogus links.

Sam: Yeah, obviously we see this going through the roof all the time. So it's probably worth mentioning the sophistication of these attacks. Over the years we've seen some obvious and blatant email scams in the past, such as promises of wealth left at foreign banks for you to pay a small fee to collect. But more recently, claims of things like indecent footage that people hold on you, threats of information being released unless you send extortionate fees via Bitcoin, which is also a good sign that it is fraudulent, or cryptocurrency of some description, something that can't be traced. These simple scams, whilst obvious in their nature, are unfortunately still very much catching people out. And I guess, as you said, the issue is they do prey on people's fears and insecurities to catch them out. So, yeah, I mentioned some of the more primitive phishing attacks, stuff we've seen, playing on the fears and whatnot: "we've got this on you, please send us Bitcoin", etc. But as this gets more sophisticated, and I know you've seen things that are more sophisticated, as that increases our threat landscape obviously changes. So are you able to give us a bit of an insight into how that landscape has evolved and what it looks like now?

Chris: Absolutely, Sam. So obviously, as you say, the threat landscape is ever evolving, and as we become smarter towards these emails and the sort of hooks that they've got in them, the criminals become smarter as well, and their phishing attempts become more elaborate and look much more realistic. Some of the requests that we're seeing now, the recent phishing emails, tend to be on trend as well. So Covid-19 based phishing emails, appearing to be from the NHS, inviting you for a jab, and what they're looking for there is, again, to get you to put your information in. Other stuff from Netflix, "there's a problem with your account", from Royal Mail or Amazon about your delivery; the list goes on. But effectively what these guys are looking to do is use spoofed email addresses that, for all intents and purposes, look like they're from the real company, an organization you might expect to receive an email from, or you trust. But they're not. You need to look a little bit closer. A good example of that would be Netflix, but it's spelt with two x's, so when you look at it it looks all good, but it's not. So, as I say, one I saw recently was about a Covid-19 jab where they were looking to get you to input your National Insurance number. So each of these attacks, what they're looking for you to do is first of all trust what it's saying, look, it looks all real, and just provide your information somehow, either log into an account that you think is your account or give the information. As I say, unfortunately some of us are conditioned, if you like, to accept these emails without any sort of question and respond. But once the cyber criminal has your details they're going to use it to their gain. As I say, they all look genuine, but they're just really designed to catch us out.

Sam: Yeah, absolutely. Some very real examples. I'm sitting here kind of half laughing because I've seen some: the HMRC, the Amazon, the Netflixx and so on. I've seen them in my own inbox and within our business. Something you didn't mention is spoofing, and that can happen within an organization. For example, many of our own employees have received emails that appear to have come from me or other directors of the business asking them to, some recently, purchase a bunch of Amazon gift cards. And I guess, unfortunately, as an IT organization, and you know this because you do this for us, our cyber security awareness is very high and we focus on it internally. We undertake an awful lot of training, we do mock phishing attacks to make sure that the business, our team, are as educated as possible and, as best as possible, recognize this type of activity. However, no one is infallible, and mistakes undoubtedly will happen. I was just thinking the other day, I thought before this I should try and remember it a bit better but I can't, but you quoted some really interesting statistics to me fairly recently. To be frank, they're shocking, but it really underlines why it's still so prevalent. So I guess hopefully you can share some of those statistics with our audience. I'm sure they'll find it just as eye-opening as I did.

Chris: Okay, yeah, definitely, Sam. They are eye-opening. So basically, phishing campaigns are usually, or typically, sent as millions of emails out to unsuspecting individuals. And the figures I've got, I've got a bit of a saying about this: a bad day's phishing beats an honest day's work. So let's see how that would play out. Imagine two million emails are sent out. Five percent of those, let's say, actually get to the intended recipient, so a hundred thousand users will actually open the email. That's quite a lot. Then, out of that 100,000 people who open the emails, five percent of them will actually click on the link, so that's five thousand clicks, five thousand people; it's a lot. And again, draw that down a bit more: if two percent of those people enter their data into the site, that's a hundred individuals who have actually been caught there. So on average, looking at the trends I've seen, there's about a hundred pounds-ish on average from each person who gives their details in good faith. And so in one day's work the scammers are able to scam ten thousand quid from unsuspecting victims. Now that's not a bad day's work.

Sam: It's not a bad day's work. Well, it is, well, yeah. But, you know, you check those sort of statistics, how easy it is to use intelligent marketing campaigns; you have to fill a system up with that many emails and press go. It's not a lot of work for that sort of return. It's no wonder that we see so much of this, because how easy is it to feed a machine data, press go and just wait? You're preying, as you said, on people's insecurities. It's a horrible thing, and I'm sure, I know you do and I do, we all know people who have been caught out by this to a lesser or greater extent. But it's hardly surprising, and it really is, you know, these people are just throwing enough mud at the wall hoping that some of it sticks. And these statistics are no less shocking to hear the second time around. As I said, it's never nice to hear about people falling foul of these types of scams, but you can see why they're now becoming more advanced in their approach. We've all got used to, like we mentioned before, "this prince wants to give you his money", etc., and they are improving, becoming way more intelligent, like you said, with the spoofing and referencing companies you've heard of. So I guess obviously in an ideal world you'd wave a wand and this problem would just go away. That'd be lovely, right? But clearly that's not an option. So for our audience, and in your position, and I don't want to age you, Chris, obviously you've been doing this for a while, a couple of weeks, what top tips, this is all my podcast bit, there's always a top tips bit, what top tips do you have that you can share with our audience that will stop them from being the next victim of one of these awful scams?

Chris: Okay, Sam. Well, I think really the best way to defeat these types of phishing campaigns is just to be vigilant. I know that can be easy to say, but if you're ever asked for any of your personal information in an email, or asked to go to a website and put these in, just remember: stop. A legitimate company will not ask you to do this. Your Royal Mails and Inland Revenues and all these sorts of people will never ask you for this sort of information in an email. It's just as simple as: stop and think and be careful. I know sometimes that's not easy, but I can give you a few things to check. So look closely at the sender's email, and if you just take a second to look at it you can spot the sort of things, you know, the Netflix with the two x's again. Look at the email, see if it matches the actual website address that it's from. So if it's Netflix, let's say, with two x's, you can see that Netflix doesn't have two x's. So little things like that. Beware of generic emails. Now, what I mean by this is ones like "Dear Sir" or "Dear Customer". They're not addressed to you personally, because basically all they've got is your email, as we mentioned earlier; they don't have your personal details, just your email address. A big thing, but even this is getting more sophisticated now, is look at the spelling and the grammar, because the way that we would speak or we would do an email, it might just be wrong: might be a capital letter in the wrong place, the wrong context of the word, a comma or too many full stops. Just look and take that extra time. Something that I'd expect HMRC or Amazon or someone to get right.

Sam: Yeah, exactly.

Chris: No matter who the email is from, never respond to the email asking for your information. Never click on the link if you're unsure. Say it's from Netflix, as we said, there's lots of things come off of your email: open up your browser of choice, whatever it may be, go into Netflix's official site through your browser, not through the link, and actually look on there, look at your account from that, and then you'll see. Or, if possible, contact these people by phone and say, "Look, I'm unsure, I've had an email, I don't know what it's all about." Or, even sometimes better than that, speak to your manager, your IT team, anybody. You mentioned earlier on about some of these threatening sorts of things: never be ashamed to speak to people and say "I think this is wrong". Nobody's going to come down on you and say "don't waste my time". We would rather you speak to us and come and say, look, and, okay, that actually turned out to be real, but well done, that's good for spotting it, and you're aware; that's a good thing. So, yeah, a simple thing: if it looks strange, it probably is.

Sam: Yeah, if it walks like a duck...

Chris: Yeah, it's like a duck, yeah.

Sam: Okay, so I think that helps us establish, obviously, there's a lot to look out for, and attacks, as we said, are getting more and more sophisticated and subsequently more difficult for people to recognize and differentiate between important email and this nefarious kind of stuff. What measures can organizations, so if we take that upper level from the front line, from the person who is unintentionally clicking the wrong button and causing a problem, what measures should a business, an organization, put in place to protect itself and its users from getting caught out?

Chris: Okay, well, it's a good point, that, Sam. See, companies normally have good protection in place, such as your firewalls, the antivirus and so on and so forth, but they often miss out one key thing. It's the forgotten vulnerability, and that is the human element. So if you look at that, it's to say, if you perform your network monitoring and so on and so forth, your network testing, in order to ensure your business is secure, do the same thing for the users. So run regular human security testing; test for the vulnerabilities of the staff. As you said earlier, Sam, nobody's infallible at all, not even me, let's say. But by running regular education for the users you can create an additional security layer; as we said, it's in essence a human firewall. So yeah, the more testing that we do, and we do a lot of testing at Chrome, and our users in fairness are very sharp, but again nobody's infallible. So the sort of things you can do, the approaches that we're looking at, is where you devise diverse and targeted phishing attempts to actually evaluate and respond to the particular weaknesses that users are falling foul to. So you'd run regular testing targeted at groups, maybe your finance department, as you were saying there, where a director is shouting and bawling, and for all intents and purposes it looks like it comes from one of you. Just tweak this training and target it better, make it a bit more realistic, and then once you get the results from that we can target the training according to what sort of weaknesses we're seeing. So regular testing overall gives the management a good view and a good level of understanding of the vulnerabilities that we found across the users within the business, and the ways to do this, as I've just said there, create the targeted roles towards a staff member. But by regular testing and educating the users we will strengthen our security and effectively be creating a stronger human firewall.

Sam: Yeah, absolutely. And that's definitely something that we can and do help our clients out with: the security as a service piece, with phishing assessment services being a small but very relevant piece of that wider offering. Conscious of time, and we were briefed by marketing beforehand not to go on for too long, so I guess it'd be my final piece. As our compliance officer you've been rather heavily involved with us achieving and maintaining both our Cyber Security Plus, sorry, Cyber Essentials Plus, isn't it, certification, and also our ISO 27001 certification. So in your opinion, what is the importance of having something like that in place from a compliance perspective?

Chris: Okay, well, as we've covered many points today, Sam, cyber crime is a major concern, so the more that companies can do to minimize the effect of these phishing attacks, the less likely it will be that they'll fall foul of them. So the compliance, the key thing is, people often think compliance is just ticking a box and it's what the auditor says, so we've got to implement it. But really it's not just about that. Following a good compliance basis gives us the tools to keep the company and the staff safe, and sometimes, not in all cases but in some cases, it makes our jobs easier. So if we implement a good security training program, we keep all our staff well trained and well informed of potential threats, we look at the risks as they evolve, we look at different things, we look at the different trends, we can minimize it, I'd say. But a good way, that I would say to everybody, is lead by example. So when you're doing these security awareness training programs, don't just target the users; look at the senior managers and directors, include everybody, because it's not "do as I say", it's "we're all in this together". So if staff see that they're getting the help and the training, and the directors and managers are in on it as well, we've all got the same amount of buy-in. That's a better way to be. I think that sums it up, Sam.

Sam: I think it does, and I can attest to that, having been on the receiving end of one of your tests the other day to make sure that, as the senior team in our business, we are paying attention and aware of this. And you're absolutely right, it is top down. You've got to make sure that everyone in the business takes this seriously and that everyone is educated, because you're only as weak as the strongest link, I guess. So we've got to make sure that we look at all the different moving parts and make sure everyone is equally well educated, because it just takes one person to do the wrong thing and all of a sudden we've got a CryptoLocker attack or whatever it might be, and as we both know, the costs of undoing that sort of problem, well, doesn't bear thinking about. So, okay, well, Chris, thank you for making the time to speak to me today. It's always good to speak to you. This is a very real threat, so it's good to go through a bit more detail. Hopefully our audience will get some good use out of this, and they can use the information contained to help their business and to remain compliant themselves. So, really appreciate your time.

Chris: Pleasure's mine. Thanks a lot.

Sam: This has been Chromecast. We hope you've enjoyed today's content. If there's anything you'd like us to cover in future episodes then please do leave that in the comment section below. Remember to like, comment and share, and join us again next time on Chromecast Check It Out.
2021-04-02 20:36