13/10/21

EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot

The EU Cybersecurity Month (“ECSM”) is the EU’s annual awareness campaign that takes place every October across Europe. Through this initiative, European institutions aim to raise awareness about cybersecurity threats, promote mitigation action and share good practice.

CMS Belgium fully supports this campaign. We are a proud partner of the Centre for Cyber Security and the Cyber Security Coalition for Belgium’s national campaign on phishing. As phishing is the most common entry point for ransomware, this type of cyberattack is a significant threat for enterprises, in terms of both financial impact and productivity loss.

The ECSM represents a good opportunity for practising your cyber-hygiene. This article provides you with tips and tricks on how to identify and avoid phishing.

Background

Remote or hybrid working environments make it harder for IT teams to prevent security incidents (including data breaches) caused by malicious email attacks. Indeed, companies are constantly subject to sophisticated phishing attacks, with targeted campaigns that use clever social engineering tricks to gain access to your most confidential data.

Unfortunately, it is easier to hack a remote employee than someone sitting inside your corporate environment. As a result, companies need to adapt their security risks and find new ways to protect their dispersed workforce from phishing attacks. This article provides you with tips and tricks on how to identify and avoid phishing.

What is phishing?

Phishing is a fraudulent attempt to steal user data such as login credentials, credit card information or even corporate money using social engineering techniques. Email remains the primary business communication tool in most organisations.  The perpetrators are fully aware of this and are able to use email as a gateway into a business.

This type of attack is usually launched via an email that appears to be sent from a reputable source, with the intention of persuading an employee to open a malicious attachment or click on a fraudulent URL (for a compromised website containing ransomware).

This type of cyberattack will often appear modern and contemporary, its forms changing and adapting, making phishing emails appear more and more real. It is important to be cautious and aware that cybercriminals knowingly use methods based on fundamental and basic human emotions and traits such as fear, trust, curiosity, habit, secrecy, urgency and flattery to obtain company (sensitive) data.

Entry point for ransomware attack

Phishing attacks are one of the most popular entry points for starting ransomware attacks. It is malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. 

All organisations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. Such an attack can have negative consequences, including temporary or permanent loss of sensitive or proprietary information; disruption to regular operations; and financial losses incurred to restore systems and files.

Impact and risk – why does it matter?

Phishing is the number one threat for companies and can be extremely expensive.

Indeed, many successful phishing attacks lead to substantial losses in productivity for the target organisation, which, in turn, may impact the organisation’s reputation.

Moreover, phishing is a tool used to exploit networks, potentially resorting to blackmail, identity theft, extortion, acquiring information selling sensitive data and secret information, etc.

Finally, your company will also have to maintain its compliance with data protection law, including notifying the competent supervisory authority.

Make your staff aware

Cybersecurity awareness training is a key priority in a hybrid working environment. Enrolling your staff on cybersecurity training or e-learning courses will lead to more highly skilled employees who are unlikely to expose sensitive information. Campaign posters are also great supplements to training courses. Simulating a phishing attack, and monitoring how your staff respond, is also a good test.

Cybersecurity tips and tricks

Apart from installing anti-virus and other computer defence software (such as strong spam filters), here are some tips and tricks to identify and avoid phishing:

  • Think Before U Click! (the official motto of the ECSM campaign). Do not click on links or download attachments if you are not confident about the source of the email (the same applies for short links on social media).
  • If in doubt, it is always best to not click or download. Call and ask the sender.
  • Ask yourself these questions: Do I know the sender and am I expecting an email from them? Does it seem strange or inappropriate? Does it feel like the sender is trying to spark my curiosity?
  • Never send passwords, bank account numbers or other private information in an email.
  • Apply multi-factor authentication across the network, which can help stop intruders from breaching accounts (see our previous Law Now article).
  • Pay attention to the domain name. Where does the link lead? (A domain name is what precedes the “.com”, for example: “CMS.phishing.com” will lead you to “phishing.com” and not “CMS.com”.)
  • Identify and prioritise timely patching of vulnerabilities, as well as software.
  • Implement a cybersecurity policy detailing best practice for your employees to follow while hybrid working and ensure they take the necessary steps to keep your business information secure.

Thomas Dubuisson, Senior Associate, Brussels

Tom De Cordier, Partner, Brussels

dotted_texture