What’s in Your Email? How a Phishing Scam Can Impact Your Organization

January 22, 2021 | Article

In today’s COVID world, it’s difficult to find many certainties. But one thing that has stayed the same throughout the pandemic is the continued threat posed by phishing scams.

Many organizations have adapted to a remote work environment because of the pandemic. With that new environment has come an increase in cyberattacks, and more employees are falling victim to phishing because they can no longer walk next door to a manager to verify an email that purports to come from that manager.

Examples of Phishing Attacks
By now, many, if not almost all of us, have received at least one of the following examples of nefarious emails:

  • Receipt of an email with a resume attached for a position that doesn’t exist.
  • An email that appears to be from a customer or vendor your organization works with, but the domain has been spoofed by changing a character in the email address.
  • An email that appears to be from a customer or vendor your organization works with, where the domain has NOT been spoofed, but you later become aware that the customer's or vendor's mailbox has been compromised.
  • A Windows Error Report email indicating unusual sign-in activity.
  • An email from Microsoft Outlook regarding a password being expired with a lookalike domain.
  • Account-related or order-related emails from Amazon, Netflix or other popular organizations individuals personally use or subscribe to.
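Two of the examples above (a spoofed domain with one character changed, and a lookalike domain in a password-expiry notice) can be caught mechanically before a user has to judge them. The following is an added illustration, not part of the original article or any tooling the authors describe: it screens sender domains against a constructed list of trusted counterparties by normalizing the character substitutions lookalike domains rely on (digit-for-letter swaps, "rn" for "m", accented letters), checking for a trusted name used as a leading label, and finally measuring edit distance. The names TRUSTED_DOMAINS, SAMPLE_SENDERS, normalize, levenshtein, classify_sender and scan are assumptions introduced for this example, and the sample addresses are constructed.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed list of counterparties the organization legitimately exchanges mail
# with (assumption: in practice this comes from a vendor master list or gateway config).
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind-logistics.com", "microsoft.com"}

# Constructed sender addresses standing in for the From: headers of a mail sample.
SAMPLE_SENDERS = [
    "ap@acme-supplies.com",                      # legitimate vendor
    "ap@acme-supp1ies.com",                      # digit 1 substituted for letter l
    "billing@northwind-logistics.co",            # one character dropped from the TLD
    "security@rnicrosoft.com",                   # "rn" standing in for "m"
    "noreply@microsoft.com.account-verify.net",  # trusted name as a leading label
    "jane@example.org",                          # unrelated, neither trusted nor lookalike
]


def normalize(domain: str) -> str:
    """Collapse the ASCII-level substitutions lookalike domains rely on.

    Accents are stripped via NFKD; this does not map Cyrillic or other
    script homoglyphs onto Latin letters, so it is a first filter, not a full
    confusables check.
    """
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # strip accents
    for pair, single in (("rn", "m"), ("vv", "w")):                     # multi-character confusables
        text = text.replace(pair, single)
    return text.translate(str.maketrans("01", "ol"))                     # digit-for-letter swaps


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: number of single-character inserts, deletes or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ("trusted"|"lookalike"|"unknown", trusted domain it matches or resembles)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted):                   # differs only by confusable characters
            return "lookalike", trusted
        if domain.startswith(trusted + "."):             # e.g. microsoft.com.<attacker-domain>
            return "lookalike", trusted
        if levenshtein(norm, normalize(trusted)) <= 2:   # a character dropped, added or changed
            return "lookalike", trusted
    return "unknown", None


def scan(senders: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every sender address; the caller decides what to quarantine or flag."""
    return {addr: classify_sender(addr) for addr in senders}


if __name__ == "__main__":
    for addr, (verdict, match) in scan(SAMPLE_SENDERS).items():
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {addr}{note}")
```

The "unknown" verdict is deliberately separate from "lookalike": an address that is neither trusted nor a near-miss of a trusted name is ordinary external mail, while a near-miss deserves a banner or quarantine because the resemblance is the whole point of the attack. The edit-distance threshold of 2 is tuned for the multi-word vendor names in the sample; short domains would need a tighter threshold to avoid flagging unrelated senders.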

Here’s how one manufacturing entity learned about a phishing scam the hard way.


Unfortunately, many employees, customers and vendors continue to fall victim to these emails because the bad actors have improved their skills in making these phishing emails appear to be legitimate. When someone falls victim to a phishing email, we typically can categorize these victims into the following classes:

  • Those who don’t know they are a victim.
  • Those who believe they may be a victim, but don’t report the event for a variety of reasons, including, but not limited to, not understanding the potential impact of the attack or fear of embarrassment or other negative consequences.
  • Those who believe or know they are a victim and do report the event to the organization’s management, IT department or provider.

The Importance of a Proactive Cybersecurity Awareness Plan
In a perfect world, organizations would provide ongoing security awareness training, and employees would never fall victim to these phishing attacks. However, we all know of at least one “click-happy” fellow employee who can’t help themselves, and we also know that “never” and “always” rarely happen. Ongoing employee education is a great way to help employees know what to look out for and to “say something if you see something.” In addition, organizations need to be ready with a plan to respond properly when an employee calls for help because they believe they may be a victim.

What do we mean by having a plan in place? An organization and its IT department or provider need to realize that when an employee’s email account may be compromised, this security event could quite possibly be an incident, triggering the need for a more thorough response approach.

However, many IT departments and providers respond from a purely IT perspective: they clear the email account of the compromise using Microsoft’s Office 365 instructions and call it a “closed case.” This approach is good for remediation, but it fails to address what happened after the phishing attack succeeded, including:

  • What are the employee’s position, job responsibilities and level of access to data?
  • Does the employee have global administrative rights?
  • Does the employee maintain passwords for other technologies within their email?
  • Does the employee’s mailbox contain any sensitive data (e.g., PII or PHI) or proprietary data?
  • What happened when the employee clicked on the malicious link or opened the malicious document?

By remediating email mailbox accounts without addressing these considerations, organizations may be left exposed to an ongoing or future cyberattack such as ransomware. Worse yet, there are potential legal liability implications if the compromised mailbox contains sensitive data. It is imperative that organizations consider these factors when responding to a compromised email account in order to determine the proper response. Oftentimes, this is the point where the handling of the incident should shift from IT remediation to forensic incident response.

Next Steps in Incident Response When Phishing Attacks Occur
What happens next in responding to the incident is typically determined by the type of attack. It could be a business email compromise, in which the bad actor quietly monitors the correspondence between you and your customer or vendor until the timing is right to divert funds through an ACH change request. Or, the phishing attack could be the initial entry point used to drop malware on an organization’s systems with the intended purpose of encrypting data and demanding a ransom payment.

Worse yet, the initial phishing email could be used for a combination of nefarious activity including, but not limited to, data exfiltration, harvesting of authorized credentials, sending mass spam emails to contacts, public posting of sensitive data, and data encryption.

Without a proper response in place to identify the type of attack and its effect, organizations may remain exposed or be unprepared for the other fallout from the attack, such as disruption to business operations, public relations damage and legal liability. Therefore, it is extremely important to have the proper response plan in place when addressing compromised email mailboxes.

Protecting against common phishing attacks involves people, processes and technology. As such, organizations need ongoing employee awareness training so that staff are more likely to recognize an attack, cybersecurity controls in place, and cybersecurity technology solutions to mitigate risk. This multi-layered security approach, coupled with an incident response plan, will greatly assist organizations in preventing and detecting future cyberattacks.

If you believe you’ve experienced a cyber breach or been the victim of a phishing scam, it’s time to take action.
