How to prevent your organisation from becoming a victim of phishing?

Why are phishing and BEC a problem?

Phishing and BEC pose significant problems for several reasons. They often have substantial financial consequences for individuals and organisations, as well as potentially severe personal impacts.

Personal impacts

In 2014, over 200 well-known American film actresses had their Apple iCloud accounts hacked. This incident was known as 'The Fappening.' After receiving phishing emails, these actresses entered their iCloud credentials into a phishing website.

The criminal gained access to their accounts and stole nude photos and videos, which were then spread online. These explicit materials are now in the hands of people worldwide and are still accessible online.

In this case, the hacker responsible for stealing the images was sentenced to 8 months in prison, but the stolen photos and videos remain online, causing great shame to some victims.

Financial Consequences

When your personal bank account is emptied through phishing, the bank usually compensates for the damage in most cases. However, this is not always the case for business accounts.

BEC has the most significant financial impact because the money is genuinely gone. Banks often do not reimburse the losses since the bank account itself was not taken over.

Organisations frequently fall victim to BEC. For instance, in 2019 there was an incident at Nikkei. BEC scammers impersonated an executive from Nikkei and requested a large money transfer. The scammers used sophisticated tactics to make the request appear legitimate, and the finance department of Nikkei complied with the fraudulent request, transferring approximately $29 million to the scammers' account.

The incident came to light when the company realised the mistake and reported it to the authorities. It was later revealed that the scammers had used carefully crafted email communications to deceive Nikkei's employees into thinking they were dealing with a legitimate request from a high-ranking executive.

This example highlights the severity of BEC attacks and the potential financial damage they can cause to organisations, regardless of their size or reputation. It also emphasises the need for constant vigilance and robust cybersecurity measures to protect against such threats.

Phishing Prevention: What can your organisation do?

While it is impossible to entirely prevent your organisation from becoming a phishing victim, there are many steps you can take to reduce the risk and impact. We recommend focusing on education, implementing processes, and utilising technology.

1. Education

Education is crucial when it comes to the people in your organisation. Ensure that employees are aware of the existence of such attacks and educate them about both phishing and BEC.

Key points for education

Train individuals to recognise phishing emails and phishing websites. It is essential that they understand how these attacks work. For example, if the attacker slightly alters their tactics and sends a link via SMS (known as smishing), employees should still be able to recognise it as a form of phishing.

If employees receive invoices from suppliers that seem suspicious, they should be aware of BEC and know how to take appropriate action. Those with interesting profiles, such as financial department employees or executive assistants, are more likely to be targeted and must be extra vigilant.

Exploiting current events

Cybercriminals often exploit current events to increase the credibility of their messages. Less than a day after the outbreak of the war in Ukraine, phishing emails on this topic were already being sent. Similarly, pandemic-related measures and vaccinations have frequently been used in phishing emails.

This tactic is also applied at the company level. For instance, when companies announce the opening of a new branch in a foreign country, phishers may use this information to send emails requesting login credentials for the system to be used in the new branch.

Conduct a phishing test

A phishing test involves a legitimate hacker, also known as an ethical hacker, pretending to be a phisher and sending messages within the organisation. The goal is to identify who clicks on these messages. It is crucial to conduct this test to assess awareness, not to shame individuals. The focus should be on creating awareness.

2. Processes

Establish various processes within the organisation to prevent and mitigate phishing attacks.

Phishing prevention

Make it clear to recipients when they receive emails from outside the organisation, such as adding [external] to the subject line. This is a simple yet effective measure.

Phishing contact person

If someone suspects a phishing attempt, they need to know who to report it to. They should always be able to contact this person in the following situations:

• When receiving a phishing email but not clicking on any links. When clicking on a phishing email but not submitting any information on the phishing website.
• When clicking on a phishing email and submitting their information on a phishing website.
• In the last scenario, employees must know what to do and whom to contact.

This designated contact person must also know the necessary steps to take upon receiving a report of a potential phishing incident, such as advising the employee to change their username and password.

Avoid punishing employees

When employees fall for a phishing website and submit their information, they often try to hide it due to feelings of shame. Thus, having a clear process in place is crucial. Proper education should emphasise that anyone can be a target and that individuals will not be punished.

Processes should be designed to ensure employees are not penalised. The longer people conceal that a phishing incident has occurred, the more damage it can cause to your organisation, which should be avoided at all costs.

3. Technology

Ensure that your organisation has the necessary technology to detect phishing emails and prevent them from reaching employees. Solutions for your mail server can be used to add a message to the subject line, such as [Warning! Possible Phishing]. This will raise awareness among employees that they need to be extra cautious when checking these emails.

Also, as mentioned above, indicate when someone receives an email from an external person by adding [external] to the email's subject line.

Managed Detection & Response

Consider utilising Managed Detection and Response (MDR) to protect your organisation against digital attacks, including phishing.

MDR can often (unfortunately not always) detect when an employee visits a phishing site. If a login occurs shortly after with an IP address from Nigeria, for example, proactive action can be taken by blocking that employee's account.

What to do if your organisation falls victim to phishing?

If your organisation becomes a victim of phishing or business email compromise, it is essential to determine exactly what happened. This is especially critical if BEC occurred with a fake invoice, and the customer claims to have paid it. In such cases, it becomes even more crucial to investigate how it happened. Which accounts were compromised? Which passwords need to be changed? What actions did the attacker take? Were any other fake invoices sent? This process is known as incident response.

Larger and more developed organisations may consider using threat intelligence. This involves understanding the activities of cybercriminals, and it is not limited to phishing or BEC but encompasses a broader range of activities. Sometimes, threat intelligence includes compromised login credentials obtained through phishing. If you discover that your employees' credentials are on such a list, you can take proactive action. However, before implementing threat intelligence

Let's talk about cybersecurity

If you want to learn more about preventing phishing or discuss the cybersecurity services and solutions we offer, please get in touch with us by sending a message or giving us a call.