Above: Illustration by Vladgrin/DepositPhotos.
BitDepth#1335 for January 03 2022
On December 01, PrivSec Global, which hosts a series of forums examining issues of digital privacy, cybersecurity and identity protection hosted a webinar on ‘Deepsea Phishing.’
Phishing is the practice of creating false digital artifacts; emails, websites and social media posts that direct a casual internet user to click on links that may do anything from directing a browser to an unexpected website to installing software that locks out entire computer networks for a ransomware attack.
While there are different kinds and classes of phishing in this evolving system of exploits, they are all versions of social engineering, masquerading a user interaction as something benign or desirable to effect damage.
Chris White, Head of Cyber & Innovation at The Cyber Resilience Centre for the South East, explained in the webinar that, “Most successful cyberattacks are the result of someone clicking on a phishing email link and the software gets infected in the system.”
“It’s most successful when it can deliver a payload. Phishing email campaigns are getting much better and more advanced.”
Professor Mark Button,the Director of the Centre for Counter Fraud Studies at the School of Criminology and Criminal Justice, University of Portsmouth explained that: “The structure of phishing has changed to adapt to the kinds of messages that get exchanged with people who work from home and are doing more shopping online, particularly messages about packages being delivered.” explained Professor Mark Button, Director of the Centre for Counter Fraud Studies, School of Criminology and Criminal Justice, University of Portsmouth.
“Concerns about health issues, including vaccines and tests also provide cover for phishing attacks.”
“We’ve got all the weaknesses we’ve always had, but we’ve got all these new areas which are providing scammers and fraudsters with a whole new range of options to attack us with enticements, and that’s quite a lethal combination.”
“These emails align with seasonal sales pitches with discount and coupon offers that are, apparently, just one click away,” White said.
“Now there are ‘isolation style’ campaigns, promising help getting compensation and offering companionship or friends online.”
“If it’s too good to be true, it’s time to do some due diligence before clicking that link, but (when) working from home, there isn’t the same support bubble that exists in an office or workspace.”
So how are these evolving challenges to be met?
“Only 23 per cent of UK businesses had a work-from-home cyber policy. Obviously that doesn’t protect you, but it does show that you’ve thought about it and that you have strategies in place,” Button said.
“The culture among staff is important. You need to develop a culture of skepticism, of understanding the risks of clicking on certain types of emails and text messages.”
That challenge has only been amplified by fractured working conditions during the pandemic and the associated lockdowns.
“Phishing has become more active across devices, particularly since individuals are working remotely,” said Yin Mei, Director of Strategy for PerScholas.org.
“They aren’t necessarily at work using a work computer, they are home, using their own personal devices.”
Sometimes people will click on a link, realise they have done something wrong, and then try to cover up or ignore the mistake, which is one of the worst things that can happen.
“They are mixing browsers, which exposes more information that is on their computers if they are ever compromised in a digital attack.”
“There are a lot more notifications coming in (from apps) and there is generally less protection. Some companies aren’t set up to handle the need for extending protections from cyberattacks to remote workers.”
Dr Vasileios Karangiannopoulous, Reader in Cybercrime and Cybersecurity, University of Portsmouth and the webinar’s moderator, advocated creating an environment in which errors are part of the learning experience.
“Sometimes people will click on a link, realise they have done something wrong and then try to cover up or ignore the mistake, which is one of the worst things that can happen,” said Karangiannopoulous.
“(But) if they are afraid of getting fired or penalised in some way, that’s probably exactly what will happen.”
Taking action.
“Verify, verify, verify,” said Yin Mei.
“If it’s possible, individuals should use separate devices for work and for home use. Failing that, use spam email detection and ensure that work emails always go to work email addresses and not personal email accounts.”
“Confirm receipt of a (suspicious) email from the original sender in a separate email (do not reply). Inspect sender email addresses more closely.”
“Try to avoid viewing sensitive emails on a phone because it is harder to inspect a URL on a phone.”
“Consider viewing work emails on a separate, secure browser on a personal computer.”
“Try to move away from the honour policy of asking people not to do something,” said Chris White.
“As far as possible, the technical implementation should prevent them from doing that thing.”
“New recruits should undergo training in the online procedures that the company expects them to follow with annual refresher programmes.”
“Make the link between the value of safe practices at home as well as the office because phishing can hit users anywhere.”
Do this now.
Visit the Electronic Frontier Foundation’s website.
Enable OS-level blocking of cross-site tracking. You will see fewer relevant suggestions from Amazon, but correlating your data identity across multiple site visits will become a bit harder. Some browsers have extensions for this purpose, or you can use the EFF’s Privacy Badger extension.
If you use Outlook, enable Microsoft’s free Phishing add-on for the software.
Secure browsers are, in order, Brave, Tor and Epic. The most secure browser in general use is currently Firefox. If you are using Internet Explorer, be aware that you are browing the web with the least secure browser in current circulation.
wpDiscuz
