In today’s world, it’s difficult to find many certainties. But one constant is the continued threat posed by phishing scams.
Many organizations have moved toward remote work, and with that shift has come an increase in cyberattacks and in employees falling victim to phishing.
By now many of us, if not most, have received at least one of the following types of malicious emails:
Unfortunately, employees, customers and vendors continue to fall victim to these emails because attackers have become better at making them look legitimate. When someone falls victim to a phishing email, the resulting compromise can typically be placed in one of the following classes:
In a perfect world, organizations would provide ongoing security awareness training, and employees would never fall victim to these phishing attacks. However, we all know how people can sometimes click before they think. Education on an ongoing basis is a great way to help employees know what to be on the lookout for and to say something if they see something. In addition, organizations need to be ready with a plan to properly respond to an employee’s call for help when they believe they may be a victim.
What do we mean by having a plan in place? An organization and its IT department or provider need to recognize that the compromise of an employee's email account can be a serious incident that calls for a more thorough response than a password reset. And the worst time to plan your incident response is while an incident is actively occurring.
Many IT departments and providers respond to a phishing attack by following Microsoft's published steps for remediating a compromised Office 365 mailbox and calling it a closed case. Those steps are sound remediation, but they do not answer the question of what happened after the phishing attack succeeded, including:
Remediating the mailbox without addressing these questions can leave an organization exposed to an ongoing or follow-on attack, such as ransomware. Worse yet, there may be legal liability implications if the compromised mailbox contained sensitive data. Organizations must weigh these factors when responding to a compromised email account in order to determine the proper response. This is often the point at which handling of the incident should shift from IT remediation to forensic incident response.
The next steps following an incident are largely determined by what type of attack it is, so it is important to examine the details and establish the why. Was it a business email compromise, in which the attacker quietly reads correspondence between you and a customer or vendor until the timing is right to divert a payment by requesting a change to ACH details? Or were the attackers looking for an initial foothold from which to drop malware on the organization's systems, encrypt its data and demand a ransom?
At worst, a single phishing email can lead to a combination of malicious activity including, but not limited to, data exfiltration, harvesting of valid credentials, mass spam sent to the victim's contacts, public posting of sensitive data and data encryption.
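The questions above (was a forwarding rule added, did the attacker log in from somewhere new, was the mailbox used to spam contacts) can be answered from the mailbox's audit trail rather than guessed at. The script below is an added example, not code from the original article or from Microsoft: it triages a handful of constructed records in a simplified form of the Microsoft 365 unified audit log (the real entries carry many more fields, and exports such as Search-UnifiedAuditLog wrap each record in an AuditData string that must be parsed first). The internal domain, the trusted IP prefixes and the mass-send threshold are assumptions for the example.

```python
from collections import Counter

# Assumptions for this example (adjust to the organization being investigated):
INTERNAL_DOMAIN = "example.com"          # the organization's own mail domain
TRUSTED_IP_PREFIXES = ("198.51.100.",)   # known office / VPN egress addresses
MASS_SEND_THRESHOLD = 20                 # sends per user that warrant a closer look

# Inbox-rule parameters that deliver a copy of mail somewhere else.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample records (not real data) in a simplified unified-audit-log shape:
# a normal login, then a login from an unknown address followed by a hidden
# forwarding rule, mailbox-level forwarding and a burst of outbound mail.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:12:01", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.20",
     "ResultStatus": "Success"},
    {"CreationTime": "2024-03-04T21:40:09", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ResultStatus": "Success"},
    {"CreationTime": "2024-03-04T21:41:30", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T21:42:02", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:drop@mail.example.net"}]},
] + [
    {"CreationTime": f"2024-03-04T21:50:{i:02d}", "Operation": "Send",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7"}
    for i in range(25)
]


def parameters(record):
    """Flatten a record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when a forwarding target lies outside the organization's domain."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def triage(records):
    """Return (kind, user, detail) findings that describe what the attacker did
    after the account was compromised: new logins, forwarding, mail deletion
    rules and mass sending."""
    findings = []
    sends = Counter()
    for rec in records:
        op, user = rec.get("Operation"), rec.get("UserId", "?")
        params = parameters(rec)
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [params[k] for k in FORWARD_KEYS if k in params]
            external = [t for t in targets if is_external(t)]
            if external:
                findings.append(("external_forwarding_rule", user,
                                 f"rule {params.get('Name')!r} forwards to {external}"))
            if params.get("DeleteMessage") == "True":
                findings.append(("rule_deletes_mail", user,
                                 f"rule {params.get('Name')!r} deletes matching mail"))
        elif op == "Set-Mailbox" and params.get("ForwardingSmtpAddress"):
            target = params["ForwardingSmtpAddress"]
            if is_external(target):
                findings.append(("mailbox_forwarding", user, target))
        elif op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
            ip = rec.get("ClientIP", "")
            if not ip.startswith(TRUSTED_IP_PREFIXES):
                findings.append(("login_from_untrusted_ip", user,
                                 f"{ip} at {rec.get('CreationTime')}"))
        elif op == "Send":
            sends[user] += 1
    for user, count in sends.items():
        if count >= MASS_SEND_THRESHOLD:
            findings.append(("mass_send", user, f"{count} messages sent"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in triage(SAMPLE_RECORDS):
        print(f"{kind:28} {user:22} {detail}")
```

Each finding maps back to one of the questions a forensic responder asks: the untrusted login fixes the time of compromise, the forwarding rule and mailbox forwarding show where correspondence was going (and the rule named "." with DeleteMessage set is a common way to hide the copies from the victim), and the burst of Send operations is the mass-spam case. A real investigation would widen the window to every account and correlate the attacker's IP across them before declaring the incident closed.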
Without a response process that identifies the type of attack and its effect, organizations may remain exposed or be unprepared for the other fallout from the attack, such as disruption to business operations, public relations and legal liability. It is therefore extremely important to have the proper response plan in place before a compromised mailbox has to be dealt with.
Protecting against common phishing attacks involves people, processes and technology. Organizations need ongoing employee awareness training to improve their staff's ability to recognize an attack, and they need cybersecurity controls and technology solutions to mitigate the risk. This layered approach, coupled with an incident response plan, will go a long way toward preventing and detecting future cyberattacks.
If you believe you’ve experienced a cybersecurity breach or been the victim of a phishing scam, it’s time to take action.