Tag Archives: Phishing

KnowBe4 study reveals 92% of organisations’ biggest security concern is end users

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has released the results of new research. The company’s report examines over 350 organisations globally and reveals the security weaknesses and concerns within them. On average, 81% of organisations had some degree of concern around security issues.

Cyber crime continues to evolve and become more sophisticated. Artificial Intelligence and machine learning are leveraged by many criminal organisations to help them better understand how to improve their attacks, and they are now targeting specific industry verticals, organisations and even individuals.

Increases in the frequency of ransomware, phishing and crypto-jacking attacks have been experienced by businesses of nearly every size, vertical and location.


When it comes to attack vectors, data breaches are the primary concern, with credential compromise coming a close second. These two issues go hand-in-hand as the misuse of credentials remains the foremost attack tactic in data breaches. That’s according to Verizon’s 2018 Data Breach Investigations Report.

Phishing and ransomware ranked next, demonstrating that organisations are still not completely prepared to defend themselves against these relatively “old” attack vectors.

Other key findings

*92% of organisations rank end users as their primary security concern. At the same time, security awareness training along with phishing testing tops the list of security initiatives that organisations need to implement

*Organisations today have a large number of attack vectors to prevent, monitor for, detect, alert and remediate. In terms of attacks, 95% of those organisations surveyed are most concerned with data breaches

*Ensuring security is in place to meet General Data Protection Regulation (GDPR) requirements is still a challenge for 64% of organisations, despite the GDPR’s fine details having been public knowledge for quite some time

*Attackers’ use of compromised credentials is a very common tactic: 93% of organisations are aware of the problem, but still have lots of work to do to stop it

*When it comes to resources, 75% of organisations don’t have an adequate budget

“2018 was a prolific year for successful cyber attacks, with many of them caused by human error,” said Stu Sjouwerman, CEO of KnowBe4. “IT organisations are tasked with establishing and maintaining a layered security defence. The largest concern, as demonstrated again in this report, is employees making errors. Organisations must start their defence by establishing a security culture. In order to combat the escalation of social engineering, they absolutely have to ensure that users are trained and tested.”

To read the full report visit www.KnowBe4.com


Filed under Risk Xtra

“EMEA now top source of phishing attacks worldwide” suggests NTT Security’s Global Threat Intelligence Report

Over half (53%) of the world’s most recent phishing attacks have originated in the EMEA region, according to the 2017 Global Threat Intelligence Report (GTIR) published by NTT Security, the specialist security business within the NTT Group.

Analysing global threat trends from 1 October 2015–31 September 2016, the report also shows that, of all phishing attacks worldwide, 38% came from the Netherlands, second only to the US (41%). The data highlights that 73% of all malware globally was delivered to its victims because of a phishing attack.

According to the GTIR, which highlights the latest ransomware, phishing and DDoS attack trends and the impact of these threats against organisations, the UK was the third most common source of attacks against the EMEA behind the US (26%) and France (11%).

Among the top attack source countries globally, the UK accounted for 4% of all attacks, second only to the US (63%) and just ahead of China on 3%.


The report reveals some of the biggest regional differences related to brute force attacks, which are commonly used to crack passwords. Of all brute force attacks globally, 45% started in the EMEA, which is more than the Americas (20%) and Asia (7%) combined. In addition, 45% of brute force attacks that deliberately targeted EMEA customers also started in the region.

“While phishing attacks affected organisations everywhere, the EMEA has emerged as the top region for the source of these attacks,” stated Dave Polton, global director of innovation at NTT Security. “These figures, combined with those for brute force attacks, should be of very serious concern for any organisation doing business in the EMEA, especially with the European Union (EU) General Data Protection Regulation just around the corner. Any organisation processing data belonging to EU citizens needs to demonstrate that their information security strategy is robust.”

Polton is calling for more active collaboration between business, Government and law enforcement agencies to tackle global threats and ensure measures are in place that will have a long-lasting and positive impact on global security.

Other key EMEA findings

In the EMEA, over half (54%) of all attacks were targeted at just three industry sectors: finance (20%), manufacturing (17%) and retail (17%). Over 67% of malware detected within the EMEA was some form of Trojan.

Top services used in attacks against the EMEA included file shares (45%), websites (32%) and remote administration (17%).

Frank Brandenburg, COO and regional CEO at NTT Security, said: “We all know that no security plan is guaranteed and that there will always be some level of exposure, but defining an acceptable level of risk is important. Clients are starting to understand that, by default, every employee is part of their organisation’s security team. Businesses are now seeing the value in security awareness training, knowing that educating the end user is directly connected with securing their enterprise.”

Brandenburg added: “Expanding cyber education and ensuring employees adhere to a common methodology, set of practices and mindset are key elements. Clients see that assisting and coaching their employees on the proper use of technology will only enhance the organisation’s overall security presence.”

*Download the NTT Security Global Threat Intelligence Report by accessing the following web address: https://www.nttcomsecurity.com/en/gtir-2017


Filed under Risk UK News

Social engineering “a top cause of cyber incidents” finds Cyber Resilience Report

Research commissioned by Crises Control from the Business Continuity Institute for its annual Cyber Resilience Report 2016 confirms much of what we already suspected about the changing nature of the cyber threat and the way that cyber criminals have found new ways to defeat corporate perimeter security.

66% of respondents to the survey reported that their companies had been affected by at least one cyber security incident over the last 12 months. The costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This is focused on the weakest link in the corporate security chain, which is now human beings rather than technology.

The term ‘social engineering’ describes this attack vector, which relies heavily on human interaction and often involves tricking people into breaking normal security procedures. The BCI research shows clearly that phishing (ie obtaining sensitive data through false representation) and social engineering are now the single top cause of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months.

A further 37% were hit by spear phishing (ie phishing through identity fraud).


The research has also confirmed that, to effectively counter this threat, companies now need behavioural threat detection provided by a cyber security network monitoring solution. These plug-in devices monitor your network for signs of suspicious insider activity and failed attempts to hack into the system.

They can also provide invaluable intelligence to be acted upon proactively to nip a successful hack or insider threat in the bud.

Traditional anti-virus monitoring software is no longer enough. The BCI research shows that 72% of companies have this software in place, but only 26% of real cyber security incidents were actually discovered through this route. Much worse, 18% of incidents came to attention through an external source such as a customer, a supplier or the impact on a public website.

Network monitoring solutions are much more effective than anti-virus software in terms of alerting companies to a cyber breach, with 63% of businesses having network monitoring software in place and 42% of cyber incidents being brought to attention through the work of the IT Department to whom such systems report.

The scale of the cyber threat can feel overwhelming at times, but educating your own employees about the nature of the threat and then putting in place the right solutions can go a long way towards mitigating the social engineering threat and significantly enhancing your corporate cyber resilience.

The message is simple… Act now before it’s too late.


Filed under Risk UK News

Unwitting cyber scammers cold call industry expert at C3IA Solutions

Would-be cyber scammers made a megabyte blunder when they cold-called Matt Horan of C3IA Solutions: Horan is one of the country’s top cyber security experts. Realising the crooks were trying to take control of his computer, Horan put the call on speaker phone and asked a colleague to record it, with hilarious consequences.

After stringing out the conversation for 35 minutes – during which time he was passed to more senior ‘helpers’ as he posed as an ignorant computer user – Horan then informed the caller that he had no Internet connection.

This prompted the fraudster to use an expletive before hanging up in anger. An edited video of the call has been amusing people across social media.

Horan is keen that the video is used to help people avoid falling for cyber scams. He told Risk UK: “One of the weakest parts of any business’ cyber security is the staff. They do nothing malicious, but can easily assist fraudsters. Along with ‘phishing’ e-mails, this type of phone scam is common and can cause huge amounts of damage.”

Matt Horan, director of C3IA Solutions

Horan continued: “The caller purports to be from Microsoft or a similar outfit and informs the person who answered the call that there’s a problem with their computer. They then instruct that person to look at the computer’s ‘systems and events logs’, which is simply a log of every action taken. They tell them that this is evidence of ongoing malicious attacks. After that, they try and entice them to log into TeamViewer or something similar which means they then can gain remote access and control of the target computer.”

In addition, Horan stated: “They then have all the information on a computer or network and can infect the system, read e-mails, steal passwords or encrypt the stored data. They can basically do anything they want. Obviously, this can cause massive harm to a business and may well lead to data loss, the theft of funds and the stealing of intelligence as well as cause acute embarrassment.”

C3IA Solutions trains staff at businesses to be ‘cyber-savvy’ and always to hang up on calls like this. If staff are in doubt they should contact their IT support.

“Firms such as Microsoft don’t make calls like the one I took, but they seem authentic,” explained Horan. “Often, the scammers work in pairs so the initial caller can pass over the call to a ‘senior supervisor’, as they tried with me. This gives an added authenticity. Caution should be the watchword when taking calls like this one.”

*The video can be viewed on YouTube: https://youtu.be/ncIehp0fBT8

Based in Poole, Dorset, C3IA Solutions is one of fewer than 20 companies certified by the Government’s National Cyber Security Centre. In addition to its work with Government agencies including GCHQ, the company operates a commercial section that works with businesses, assisting them with their cyber security.

C3IA (a military term) Solutions was set up in 2006 by Horan and Keith Parsons. It has 84 personnel on contract of whom 33 are employees and 51 are associates. The business operates in the defence and security sectors serving both SMEs and multi-national firms.

C3IA is a leading provider of secure ICT, technical programme management and information security services and solutions.

The company takes its Corporate Social Responsibility seriously, supporting serving and past members of the Armed Services. Indeed, the business sponsors those engaged in personal and team development through arduous sporting and other challenges.


Filed under Risk UK News, Uncategorized

“Faster response times needed to combat cyber threat” finds BCI survey

Two thirds of respondents to a global survey carried out by the Business Continuity Institute report that they had experienced at least one cyber incident during the previous twelve months, while 15% stated they had experienced at least ten incidents during the same period.

The frequency of these cyber incidents demonstrates exactly why it’s so important for organisations to have plans in place to mitigate them or otherwise lessen their impact.

The Cyber Resilience Report, conducted by the BCI and sponsored by Crises Control, found that there was a wide range of response times for cyber incidents. Almost a third of organisations (31%) stated that they responded within one hour. However, one fifth (19%) take a worrying four hours or more in responding to a cyber event, while almost half (44%) take more than two hours to respond. This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the host organisation.


Even if businesses wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so. The research finds that phishing and social engineering are the top causes of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months and 37% attacked by way of spear phishing.

The BCI has discovered that 45% of companies were hit by a malware attack and 24% by a Distributed Denial of Service episode. All these forms of attack will, in different ways, render an organisation’s own network either contaminated or inoperable. Their website may have been taken down and they may well have to switch off their Internet connection until they can secure themselves from further attack.

Based on a detailed study of 369 business continuity and resilience professionals from across the world, the research also reveals that the costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

David James-Brown FBCI, chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation. That calls for a greater awareness of cyber crime. As the cyber threat evolves, it’s crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Rickie Sehgal, chairman of Crises Control, added: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one-hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies appear to do, is simply unacceptable.”


Filed under Risk UK News, Uncategorized

YouGov poll finds millions leave themselves open to scams as banks launch awareness campaign

The British Bankers Association is launching a fraud awareness campaign at a time when YouGov polling reveals that millions of people in Great Britain are unwittingly leaving themselves vulnerable to scams perpetrated by fraudsters posing as their bank.

The YouGov poll assessed customers’ responses to some of the common tactics used by criminals over the telephone, via e-mail or via text. Based on the answers, the British Bankers Association (BBA) calculates that people all over the country could fall foul of the most prevalent frauds around.

*Eight million individuals are vulnerable to ‘vishing’ or voice phishing
*Four million might transfer money into another supposed ‘safe’ account if instructed to do so
*Three million could be willing to carry out ‘test transactions’ online
*1.7 million would pass their bank card over to a courier on their doorstep if that courier were carrying some form of ID card

To counter this situation, the UK retail banks – with the support of law enforcement bodies including the City of London Police and the National Crime Agency – have produced a new leaflet and are launching an awareness drive called ‘Know Fraud, No Fraud’ in order to help their customers spot the difference between a legitimate call and one received from a fraudster.

The leaflet includes eight things your bank would never ask you (but a fraudster might), advice on how to avoid becoming a victim and instructions on what to do if you are caught out. It will be available across the country in bank branches and police stations and also on the ‘Know Fraud, No Fraud’ website at: http://www.knowfraud.co.uk

The BBA is launching a fraud awareness campaign as YouGov polling reveals that millions of people in Great Britain are unwittingly leaving themselves vulnerable to scams perpetrated by fraudsters posing as their bank

The leaflet sets out eight things your bank will NEVER ask you to do:

(1) Ask for your full PIN number or any online banking passwords over the phone or via e-mail
(2) Send someone to your home to collect cash, bank cards or anything else
(3) Ask you to e-mail or text personal or banking information
(4) Send an e-mail with a link to a page which asks you to enter your online banking log-in details
(5) Ask you to authorise the transfer of funds to a new account or hand over cash
(6) Call to advise you to buy diamonds, land or other commodities
(7) Ask you to carry out a test transaction online
(8) Provide banking services through any mobile apps other than the bank’s official apps

Tactics used by the scammers

Anthony Browne, CEO of the BBA, said: “Being defrauded is a devastating experience for anyone which is why we are launching this campaign. The more people know about fraud, the less likely they are to become victims. Our ‘Know Fraud, No Fraud’ initiative will help you spot some of the tactics used by scammers. Your bank would never send someone to your home to collect your cash or ask you to transfer funds to a new account.”

Browne added: “If you suspect you’ve become the victim of fraud please contact Action Fraud and your bank as soon as you can. Specially-trained staff will be able to advise on what to do next.”

Anthony Browne: CEO of the BBA

City of London Police Commander Steve Head, the Police National Co-ordinator for Economic Crime, explained: “Fraud and cyber crime is costing the UK tens of billions of pounds each year, in turn causing significant damage to big businesses, destroying smaller businesses and ruining many individual lives. Criminals are also exploiting the technological and Internet revolution to target people of all ages and from all walks of life with ever more sophisticated and convincing scams. These scams are increasingly delivered directly into the home via telephone, mobiles, laptops and tablets.”

Head went on to state: “The key to creating a safer society and stopping the fraudsters in their tracks is law enforcement working in close collaboration with Government and the public and private sector to raise awareness of current and future threats and disrupt and dismantle the networks and enablers directly facilitating much of this criminality. The BBA’s campaign to flag up the most prevalent scams against bank customers and to provide advice on how to avoid becoming the next victim is another important step in the right direction and is fully supported by the City of London Police in its role as the National Policing Lead for Fraud.”

City of London Police Commander Steve Head

Nigel Kirby, deputy director of the Economic Crime Command, commented: “Prevention is vitally important in the UK’s fight to cut fraud, and the National Crime Agency fully supports this campaign which gives people the information they need to protect themselves. If you’re familiar with the ways in which criminals try to scam you, then you are far less likely to become a victim of the fraudsters.”

Vishing and ‘safe accounts’

In vishing cases, a fraudster will say they are from the bank or police, and that a fraudulent credit card payment has been spotted or a card due to expire needs to be replaced. To convince the intended victim they are genuine, the caller will suggest the customer hangs up and calls the bank back on the number printed on the back of their debit or credit card. However, the fraudster never actually disconnects the line so that when you call the real number you are still speaking to them.

Often, the fraudster will then ask for the customer’s PIN and send a courier to the victim’s home to collect the bank card, promising to provide a new one. By now the fraudster has obtained the victim’s name, address, bank details, card and PIN – enough to make large bogus payments.

If you receive a suspicious call, if possible use another phone or wait at least two minutes for the line to disconnect before picking up and dialling again.

When it comes to ‘safe accounts’, criminals posing as bank officials will instruct a customer that their account is under threat (usually from a corrupt bank employee or cyber criminals). They will be instructed by the ‘bank’ to transfer money into a new ‘safe account’ which is actually the fraudster’s account.

Your bank will NEVER ask you to authorise the transfer of funds to a new account or hand over cash.

Test transactions and courier fraud

In some circumstances, criminals pretending to be from a bank might e-mail a customer asking them to perform a ‘test’ transaction online, sometimes claiming there is some technical issue on their account. Rest assured that your bank will NEVER ask you to carry out a test transaction online.

Courier fraud is often a follow-up to vishing: having posed on the phone as a bank employee to extract key security information – such as a customer’s full PIN code – the criminal may then say that they are sending an official courier to your home in order to collect the corresponding card. These couriers will carry ‘official’ identification.

In the year ending March 2014, 211,344 fraud offences were recorded in England and Wales

Another courier fraud ruse is for the criminal to pose as the bank in order to ask the victim to participate in a fake police investigation, usually involving a corrupt bank employee who has been stealing from customer accounts. Typically, the customer will be asked to withdraw substantial sums of money over the counter at their bank without arousing the suspicion of the staff. They are then told to wait at home for it to be collected by a courier for safe keeping.

Your bank will NEVER send someone to your home to collect cash, bank cards or anything else.

Top line facts about fraud

In the year ending March 2014, 211,344 fraud offences were recorded in England and Wales. This is equivalent to four offences recorded per 1,000 members of the population. This represents a volume increase of 17% compared with the previous year.

In 2012, the UK Government fraud indicator suggested that fraud against UK individuals costs £6.1 billion per annum. This total is based upon estimates on the scale of mass marketing fraud, identity fraud, online ticket fraud, private rental property fraud and electricity scams.


Filed under Risk UK News