Phishing is a significant threat in the world of cyber crime. It involves the use of email and fraudulent websites to steal highly sensitive personal data such as credit card, password and internet banking account details. Fraudsters undertake phishing by sending fictitious emails with links that capture such information. These emails often appear to come from organisations such as banks or financial institutions in order to trick us into believing their request is authentic. Unfortunately, people do fall victim to this horrendous crime, resulting in the theft of funds and/or accounts being opened in their name. With unlimited access to emails through smartphones and tablets, we are at increased risk from this method of cybercrime.
How do we identify and deal with phishing activity? First we must identify phishing activity. It is important to know that such emails typically include company logos or trademarks in an attempt to make them appear as authentic and legitimate as possible. The fundamental rule for phishing emails is the same as for scam emails: do not click on any links, and delete the email immediately. Within organisations, emails are usually protected by highly secure systems, firewalls and high levels of spam filtering. However, should you receive one and respond unaware of the dangers, we advise you to change all passwords and PINs on all digital accounts which may be at risk of being compromised, and to alert your manager or IT Department. It is also important to notify your bank or financial organisation and close any accounts that have been accessed by such criminals. It is also beneficial to review bank statements and monitor all transactions.
We are already seeing how the UK Government is educating and increasing awareness of such activities through the ‘Cyber Street’ campaign, with the objective of helping us and businesses become more cyber streetwise. It has also introduced the ‘Cyber Essentials Badge’, allowing organisations to advertise the fact that they adhere to a government-endorsed standard that protects them against cyber threats and increases awareness.
What happens when a data breach hits a large organisation? One of the most significant data breaches took place at Target Corp, the third largest store in America, when it was hit by a major credit card attack that affected more than 110 million consumers. The breach was the result of a malware-laced phishing email sent to employees at an HVAC firm that did business with the US retailer. It exposed credit and debit card numbers, card expiration dates and card verification digits, as well as personal information. The breach is believed to have commenced on Black Friday 2013, the busiest shopping day of the year. Customer data was compromised over three weeks of the Christmas shopping season, and Target spokesperson Molly Snyder described it as a “sophisticated crime”. The information that was compromised would allow criminals to create counterfeit cards, leaving millions of consumers victims of cyber crime as a result of this data breach. There are various arguments as to how and why this happened at Target Corp. However, according to Bloomberg Businessweek, the breach could have been prevented by significant investment in sophisticated anti-malware software that would have eliminated any danger of a data breach, had it been activated.
From a business or organisational perspective, it is critical that phishing attacks are prevented and that malware is stopped from infecting organisational systems, preventing the theft or loss of information. Although there are a variety of software packages which add security to organisational systems, it is the responsibility of employers to ensure employees can identify phishing emails and are aware of the subsequent threats. The only way in which organisations can foster a secure business culture is through implementing best practices in all areas of work.
Implementing a user awareness campaign to identify how susceptible employees are to phishing attacks provides a foundation for identifying the best way to educate and engage employees to a level where security can be substantially increased.
The PwC report of 30 September 2014 states the link between employees and cybercrime: “insiders – current and former employees, in particular – have become the most cited culprits of cybercrime. That’s not to say that all employees exhibit malicious behavior, however. In many cases, they may unwittingly compromise data through loss of mobile devices or targeted phishing schemes.” By targeting employees and investing in raising awareness levels and understanding, organisations can increase the detection rate of phishing and reduce compromise. This will in turn have the combined advantage of increasing personal security against cybercrime and phishing attacks.