Gone Phishing. How SMEs can avoid getting hooked.

There are two ways to hack a business. The first is the hi-tech approach. Here, teams of sophisticated attackers analyse a company’s IT security systems. They uncover a flaw in the code, enter the organisation and then steal the data.

The second approach is rather less sophisticated – the attackers just trick an employee into giving them access. While the latter approach might sound crude, it is alarmingly common. And it often succeeds. Take the recent scam affecting Sky Mavis’s crypto-based videogame Axie Infinity. Here, hackers set up a fake company and approached a Sky Mavis employee with the offer of a job. They sent him a contract in the form of a PDF document, which was infected with spyware. This gave the hackers access to company data, which they used to steal $540 million.

Phishing: SMEs under attack

The Axie Infinity hack is an example of phishing – a type of attack in which a criminal manipulates someone into revealing confidential information through a fraudulent file of some kind. And regrettably, phishing attacks against UK SMEs are on the rise. According to the UK Cyber Security Breaches Survey, published in March 2022, 39 per cent of UK businesses say they suffered a cyberattack in the previous 12 months. Among those, more than eight in ten were the result of phishing.

This is not surprising, given how easy it is to launch a phishing campaign. Phishing uses social engineering techniques that have been employed for centuries, and re-invents them for an age of digital communication. No advanced programming skills needed. What’s more, today’s cybercriminals can use off-the-shelf tools to create fake emails and webpages, making it easy to launch highly tailored attacks even on small businesses.

A wider attack surface

Attackers create a sense of urgency or fear to pressure their targets into complying with their demands. They continually evolve their techniques to make them more difficult to detect and defend against. And they now have so many more platforms on which to launch their fake activity. The rise of options such as WhatsApp, Slack, Twitter and LinkedIn has expanded the attack surface. And new platforms emerge all the time. During the pandemic, for example, there was an explosion of fake Zoom invites.

Another recent tactic targeted Adobe InDesign. Here, hackers concealed a malicious link in an inframe. They then sent a bogus email requesting users click on a link to access a shared document. The link directed users to a fake webpage uploaded to indd.adobe.com, a legitimate URL. This masking technique – embedding an additional link in an inframe on theindd.adobe.com webpage – bypassed numerous cybersecurity detection measures.

Fortunately, this attack was discovered before it could cause too much damage. But it illustrates the growing sophistication of phishing activity. It seems that every time a technique becomes familiar, hackers move on to something new.

Hackers move on to voice, text and IM

Some of these emerging threats include web session hijacking, email customisation, link masking and email thread hijacking. And hackers are deploying them not just on the desktop/email but also on emerging channels such as Voice over IP (VoIP), Short Message Service(SMS), and Instant Messaging (IM). Obviously, when an organisation’s defences are orientated around office technology, this can make attacks more difficult to spot and block.

With this growing array of available entry points, hackers can use a range of techniques to access sensitive information. One is spear phishing. Here, the bad actors research an intended target (maybe by social media) to obtain personal information. They use this data to add credibility to a customised email. Another technique is the man-in-the-middle attack, which relies on the interception of emails between two people.

The defence starts here

So what can SMEs do? Clearly, phishing is always evolving and become more difficult to spot for the average user. There’s no fool proof solution. However, SMEs can start with a strong cyber detection and prevention plan. They need to have the most up-to-date solutions in place to protect email and other collaboration platforms against phishing threats.

They also need to strengthen their social defences. SMEs should cultivate a culture that has an assumed breach mentality. It should consist of five key components: identify, protect, detect, respond, and recover. Since end-users are the targets of phishing, education is also critical. Users must be trained to pay attention to an email sender’s address, to grammar mistakes or odd language. If there’s a link, they should learn to hover the mouse over it to see its destination before clicking it. It should be easy for users to report a potential phishing attack quickly. SMEs should conduct phishing simulations frequently to test all of the above.

The power of authentication

Another useful protection is two-factor authentication. It can prevent cybercriminals with compromised user credentials from gaining access. Similarly, there’s the option of using a combination of hardware-based multi-factor authentication (MFA) and biometrics. This is far stronger than a password-only approach. If remote users need to access your network ,make sure they connect over Virtual Private Networks (VPNs).

Finally, it makes sense for an SME’s IT department or managed service provider (MSP) to keep abreast of new phishing strategies and solutions. In this context, it helps to check in with resources such as the National Institute of Standards and Technology (NIST)Cybersecurity Framework and the Center for Internet Security (CIS) Controls.

The growth of phishing is regrettable. But given today’s ever-changing digital environment, the situation is unlikely to improve.  In this context, cyber security can no longer be an afterthought. Every SME must use a combination of protection, process and training to stop the phishers from landing any big catches.

‍