With phishing the most common attack method for cyber criminals, tackling ignorance among staff and students has never been more important.
Don’t make the mistake of thinking that cyber security is the responsibility only of IT professionals; we all have a key role to play in our own online safety, and that of our employers.
Criminals who use the internet are becoming more prevalent and sophisticated in their attempts to exploit our online mistakes and lack of knowledge, and none more so that those who launch phishing attacks.
The government reports (in its cyber security breaches survey 2017) that 46% of UK businesses suffered an online attack during the past year. By far the most common type of infiltration related to fraudulent emails sent to staff (72%).
Understanding the dangers of phishing
Commonly carried out via email, text (smishing) or voice messages (vishing), phishing is the malicious attempt to obtain sensitive information, such as usernames, passwords, account numbers, or credit card details, by masquerading as a trustworthy source. Attackers are usually after money, or goods, but may also be motivated by the power to disrupt.
Imagine what could happen if inadvertently you gave away your Amazon password, or you responded to a fraudulent request via an email apparently from your finance director asking you to pay a large invoice with the company’s credit card.
To any organisation, the potential for financial and reputational loss is immense. Organisations that suffer a data breach could even be fined by the Information Commissioner’s Office.
Fortunately, universities and colleges don’t underestimate the threat of phishing. In a recent Jisc survey, members cite phishing and lack of security awareness among users as the two biggest threats to their cyber space.
Simulated attacks and awareness training
Increasingly, they are turning to experts to help staff and students spot a phishing attack. Jisc offers members simulated phishing and associated awareness training delivered by Khipu. This works in three stages: assessment, training and reassessment.
Firstly, Khipu will check devices, software and infrastructure for vulnerabilities such as a weak firewall or spam filter, and conduct an initial phishing campaign among staff and/or students. Usually, knowledge of this campaign is limited to only a very few individuals at each institution.
It consists of an email with a link to an authentic-looking website (both tailored to each institution), where the user is invited to enter information (customisable). The email can also contain a file to download, simulating other common phishing techniques.
The number of users who open the email, followed the link and enter information is measured to give a percentage risk score. For example, if 5,000 emails are sent and 3,250 people click and enter information, then that organisation’s risk of being compromised is 65%. This then gives the institution an understanding of its risk factor and how vulnerable it is to phishing attacks.
The second stage is awareness training, which can be delivered using online tools including fact sheets, quizzes, videos, as well as through classroom training.
Finally, another, or a series of further simulated phishing campaigns are launched over a period of months (the member can choose how many times this is repeated) to determine how well the training has worked.
A subsequent report will include stats and graphs of each campaign, a breakdown of the users who visited the training website, completed the quiz and watched the video, and a best-practice cyber security guide for forward planning.
The importance of educating users
Increasing awareness is a necessity. The user is both the first and the last line of defence against phishing and nobody can say ‘it’s not my job’ to guard against cyber attacks.
Organisations only know they are vulnerable when it’s too late, so educating the user is essential. Often, it’s simply a case of paying attention to the email address – a dot or a hyphen added or omitted is easy to miss – and always checking with the IT department before updating credentials. It pays to be suspicious.
These types of criminals are becoming more and more sophisticated, producing believable emails and associated websites. I was almost caught out myself recently, when tempted by a two-for-one offer purportedly from Apple. It was only when I was asked to enter details like my full name and my mother’s maiden name that I realised it was scam; they were trying to steal my ID.
Khipu has been providing this service, and other cyber security products, on Jisc’s behalf since April, and is already working with more than 30 members.
How to spot a phishing email
There are a few things to watch out for:
- The message asks for personal information
- The message makes threats if you don’t carry out the proposed action within a specific time frame
- The message contains poor spelling and grammar, or poor-quality logos/images
- Links are mismatched – if you hover a mouse over the link it displays the true URL
- Domain names appear on the left, not the right-hand side. Eg firstname.lastname@example.org is likely to be legitimate, but email@example.com is suspicious
- There are subtle anomalies in the sender’s address (a dot where a hyphen would normally be, for example)
- Offers look too good to be true
- You’re asked to send money / make a donation
- There are enticing-sounding attachments you didn’t request
Reporting the crime
If you suspect phishing email at work, report it immediately to your IT department. If you receive a phishing (email), smishing (by text) or vishing (voice call) message outside work, you should report it to the national fraud and cyber crime centre, where you’ll also find lots of usual advice, or call 0300 123 2040.