A phishing campaign is an attempt by a cybercriminal to deceive victims, via fraudulent e-mail, into sharing sensitive or confidential information for malicious purposes. While phishing attacks are not normally personalized (they are usually mass fraudulent e-mails), there is another level of attack, called spear phishing, in which specific individuals within an organization are the target. They are caught because the fraudsters know exactly what is going on in the company and can back up their spear-phishing e-mails with narrowly accurate context.
"In 2018 we saw a huge increase in highly successful phishing campaigns," said Ryan Rubin, partner, UK Forensic & Integrity Services team, Ernst & Young. "Unfortunately, cyber criminals are very effective and reach the defenses of organizations, despite the growing awareness of cyber risks and a general improvement in security controls." What we've seen is that companies often focus on preventing advanced cyber attacks and are less concerned about basic low-level attacks, such as phishing and business e-mail compromise.
"We see organizations of all sizes being targeted and successfully deceived through phishing campaigns and business email compromise attacks – it is a combination of social engineering (convincing the recipient that the sender is someone they are not) and poor cyber hygiene. Many organizations have embraced email solutions in the cloud, and as a result, some of the burgeoning weaknesses in security (such as password guessing) have helped fraudsters guess passwords and start spoofing or appearing as other members of staff or possibly other suppliers in the supply chain."
There are relatively simple risk-mitigation responses to e-mail compromise and social engineering, according to Rubin. Much of it is consistent with standard cybersecurity hygiene, such as switching from plain username-and-password authentication to two-factor authentication, especially schemes that use security keys rather than e-mail or SMS codes. This creates a small amount of inconvenience for e-mail users, but it is worth it for the improvement in an organization's e-mail security.
"It also comes down to general awareness," Rubin told Insurance Business. "What really bothers me is how each company can accept bank account information and instructions by e-mail, and regardless of who sent it, that transaction will be allowed." In today's world we simply cannot trust e-mails for sensitive bank transactions, or even to provide personal information to others.
"Although business email compromise attacks seem quite simple in their implementation, they are often very cleverly done, and we should not underestimate the sophistication of the social engineering with which these attacks are carried out, often with extra pressure – for example, pressure to respond by a certain time – which really plays on our human nature, where people want to be helpful and want to arrange things as quickly as possible."
Another risk factor that may arise from human nature is a tendency to deny risk. There are still people who think: 'It will not happen to us. We are not a bank, so why should we be just as cyber-safe as those financial organizations?' In addition, some organizations that have moved their email solutions to the cloud have the misleading view that the maintenance and security of services in the cloud is no longer the responsibility of the organization, which is not the case, Rubin emphasized. It is always important for organizations to keep a close eye on what is happening in the cloud and to ensure proper monitoring and supervision of cloud services, so that anything suspicious can be picked up early.
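The monitoring Rubin describes is concrete enough to show in code. The following is an added example, not code from the article or from Ernst & Young: it reads sign-in events from a cloud e-mail tenant and flags the password-guessing patterns mentioned earlier (one source address trying many accounts, one account hit with many attempts) together with the case that matters most, a successful sign-in that follows a run of failures from the same address. The four-field log format, the sample events, the addresses and the thresholds are all constructed assumptions; a real tenant exports sign-in logs in its own schema, and the thresholds would be tuned to the organization's normal failure rate.

```python
"""Flag password guessing against a cloud e-mail tenant from sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: "<timestamp> <source-ip> <account> <result>".
# 203.0.113.7 tries five different accounts and then gets into erin's mailbox;
# 192.0.2.10 is a user who mistypes her password once (benign);
# 198.51.100.9 hammers a single mailbox repeatedly.
SAMPLE_LOG = """\
2018-11-05T08:00:01Z 203.0.113.7 alice@example.com FAILURE
2018-11-05T08:00:04Z 203.0.113.7 bob@example.com FAILURE
2018-11-05T08:00:07Z 203.0.113.7 carol@example.com FAILURE
2018-11-05T08:00:10Z 203.0.113.7 dave@example.com FAILURE
2018-11-05T08:00:13Z 203.0.113.7 erin@example.com FAILURE
2018-11-05T08:00:20Z 203.0.113.7 erin@example.com SUCCESS
2018-11-05T08:05:00Z 192.0.2.10 alice@example.com FAILURE
2018-11-05T08:05:09Z 192.0.2.10 alice@example.com SUCCESS
2018-11-05T09:10:00Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:05Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:10Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:15Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:20Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:25Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:30Z 198.51.100.9 finance@example.com FAILURE
2018-11-05T09:10:35Z 198.51.100.9 finance@example.com FAILURE
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account.lower(), result == "SUCCESS"))
    return sorted(events)


def detect_password_guessing(events, window=timedelta(minutes=10),
                             spray_accounts=5, brute_failures=8, min_failures=3):
    """Return (kind, subject, count) findings. Thresholds are assumed values."""
    findings = []
    fails_by_ip = defaultdict(list)      # ip -> [(ts, account)]
    fails_by_account = defaultdict(list)  # account -> [ts]
    for ts, ip, account, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, account))
            fails_by_account[account].append(ts)

    # Password spray: one source fails against many distinct accounts inside the window.
    for ip, fails in fails_by_ip.items():
        for i, (ts, _) in enumerate(fails):
            recent = {acct for t, acct in fails[:i + 1] if ts - t <= window}
            if len(recent) >= spray_accounts:
                findings.append(("password_spray", ip, len(recent)))
                break

    # Brute force: one account fails repeatedly inside the window.
    for account, times in fails_by_account.items():
        for i, ts in enumerate(times):
            recent = [t for t in times[:i + 1] if ts - t <= window]
            if len(recent) >= brute_failures:
                findings.append(("brute_force", account, len(recent)))
                break

    # Success after a run of failures from the same source: the guessing may have worked.
    # min_failures keeps a user's single typo-then-success out of the report.
    ip_fail_times = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            ip_fail_times[ip].append(ts)
            continue
        recent = [t for t in ip_fail_times[ip] if ts - t <= window]
        if len(recent) >= min_failures:
            findings.append(("success_after_failures", f"{account} from {ip}", len(recent)))
    return findings


def run_sample():
    """Run the detector over the constructed log."""
    return detect_password_guessing(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject, count in run_sample():
        print(f"{kind:24s} {subject:45s} {count}")
```

The third rule is the one worth acting on first: a spray that ends in a success means a mailbox is now in the fraudster's hands and can be used for exactly the supplier-impersonation Rubin describes, so that account should be reviewed and its sessions revoked before anything else.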
"From an insurance perspective, I think Europe is still catching up with the US in terms of accepting insurance products and using them as a risk reduction measure," commented Rubin. "I think the insurance market is starting to offer several options that companies can have to manage their risks, but cyber insurance is not a panacea and may not provide the full coverage that organizations need.
"Again, some organizations may have a tendency to believe that, once they have cyber insurance, they do not have to do anything else – in reality, cyber insurance is just another measure that allows an organization to limit and manage part of their risk. It is particularly beneficial when it comes to responding to an event or addressing the consequences of an offense, especially if an organization needs additional forensic services, legal support or identity theft protection for their customers, so cyber insurance can help provide coverage or shelter during or immediately after an event, but the tail-end of these violations (and often they have a very long tail) is something that may not be fully covered by insurance products."