Matt Rhodes, commercial services manager at IT support specialist Quiss, explains what action you need to take to protect you and your company from the alarming rise in phishing attacks.
An increasing number of organisations across the world have fallen victim to cyber-attacks recently, with construction materials company Saint Gobain being hit by the most recent Petya malware – the second major global ransomware attack in just two months.
Similar to the WannaCry attack in May, which exploited vulnerabilities within operating systems, Petya is understood to have been seeded through a hijacked software update built into a Ukrainian accounting programme, and via phishing emails.
Whilst this reinforces the dangers of phishing attacks via email, one in 10 individuals will still fall victim and cause untold damage to more organisations worldwide.
Cyber criminals often begin by targeting smaller businesses as their systems and processes can be less secure and easier to access. This then enables the criminals to attack larger organisations that deal with the SME, exploiting credibility in the relationship to launch a successful phishing attack.
Hiding in plain sight
Criminals create fake, though seemingly credible email addresses to impersonate those of recognisable contacts. As the phishing email appears to come from a trustworthy source and is usually personalised, it is likely to bypass security and arrive in the target inbox.
The recipient, believing they recognise the email address, will be oblivious to an attack and will open the email. Expertly crafted emails prompt readers to click on innocent-looking links where they will be directed to a believable, but malicious, website and be asked to re-set passwords or enter pin numbers.
Alternatively, emails include toxic attachments containing malware or ransomware which will infect the device and spread across the entire system, thereby granting hackers access to confidential information such as customer contact details, credit history checks or even banking details.
More worryingly, more commercially-sensitive materials such as quotes, planning applications or design details and so on, can be accessed.
Criminals know how valuable this data is and will use it to divert funds from accounts, or they will encrypt and hold it to ransom until the business pays a substantial fee for its release.
Criminals are constantly improving their methods and each attack is becoming more sophisticated, making it easier to breach the weakest point in any system – the people that use it.
The lure of phishing emails
Regardless of whether an email appears to come from a familiar contact, the recipient should always assess:
- The sender – Look carefully at the sender. Ask yourself, do I know this person? Is this their usual email address or is it just similar to one I recognise?
- Subject – Subject lines should always correspond to the body of the email. Unusual or poorly written subject lines may identify fraudulent or spam email. Does the email subject look unusual? Are there spelling mistakes? Is there excessive use of punctuation?
- Content – Be wary of any emails requesting personal information or prompting actions, like a reply to the email or a visit to a website.
- Links – Avoid clicking on any links in emails as they can easily be disguised to look genuine but may take you to a malicious website.
- Attachments – Attachments can transmit viruses. Only open when necessary and do so with caution. If there are any documents attached to the email, ask yourself whether you are expecting an attachment. Is the attachment mentioned in the email? Do you recognise the format?
Trends in attack methods are difficult to pinpoint as they change frequently. Assuming you know what to expect or believing you’re too clever to be outwitted by a criminal will only lead to complacency. This could spell disaster for the future of your business.
Phishing in numbers
Phishing is a low-risk attack method with a high success rate, making it a favoured approach for criminals. Worryingly:
- 10% of people targeted fall for a phishing attack
- 23% will open the message
- 11% click on attachments
- 250% increase in the total number of phishing sites from October 2015 to March 2016
- 91% of hacking attacks begin with a phishing or spear-phishing email
- 55% increase of spear-phishing campaigns targeting employees
Phish for weak spots
As construction companies tend to require a high turnaround of resources as projects start and finish, subcontractors and temporary specialised labourers are often spread across numerous project sites.
This and the use of various phones, laptops, mobile desktop trailers and different access points makes these companies an attractive target to cyber-criminals, who know there is likely to be at least one individual who is too distracted to spot an attack.
To help combat the risks of phishing, specialist service providers can conduct simulated attacks on your staff.
“Fake” phishing emails are created to appear as though they have been sent by recognised contacts, like colleagues, customers or suppliers. The emails will replicate real attack methods, using fake website links and toxic attachments, and will target specific groups at different times.
Responses and any actions taken will be recorded to reveal who opened the emails, clicked links or downloaded attachments, etc.
Anyone who interacts inappropriately will be advised by email that they have been caught by a phishing test and will encourage them to be more vigilant.
Comprehensive reports will identify any weaknesses within a business and will enable them to focus training where it is needed most.
You could be the subject of an attack at any time so be vigilant when engaging in any online activity and:
- Educate yourself – Follow the news to better understand different kinds of scams, and how to avoid them.
- Protect yourself – Make your passwords difficult to guess, regularly change them and avoid using the same one for every account.
- Don’t be fooled – Beware of fraudulent websites that appear genuine. Check carefully for any signs it may be fake and do not enter personal information unless you’re certain the site is legitimate.
- Shop with care – Only shop at websites with “https” and the padlock icon adjacent to the URL. It also pays to use a credit card opposed to a debit card as you are more likely to be reimbursed for fraudulent transactions.
- Keep your guard up – Regularly back up data from your computer, smartphone and other devices to avoid data loss in the event of an incident. Routinely check financial statements for suspicious activity.
- Watch wi-fi connectivity – Protect your network by changing the default settings on your router and ensure your connection is password protected. Always be careful using wi-fi in cafes, pubs hotels, etc, and ensure it is a genuine network before connecting.
Technology in construction is unavoidable – it can not only be an asset but a necessity to every company within the industry. However, to avoid technology working against you, you must tackle the weaknesses of everyone using it.