Flexible working arrangements, combined with increased digital engagement with customers, employees, and suppliers, have increased cybersecurity complexity for organisations in Singapore.
According to Proofpoint’s 2022 Voice of the CISO report, 44% of CISOs in Singapore reported a rise in targeted attacks in the last year, following the widespread adoption of hybrid working. The report also showed that Singapore-based chief information security officers (CISOs) have a higher risk perception (64%) than the global average (48%), revealing they are less confident about their cybersecurity posture than their global counterparts.
CISO perceptions in Singapore have been influenced by highly publicised phishing attacks. Despite huge cybersecurity investments and full compliance with regulations – including those from the Monetary Authority of Singapore – some of the island state’s largest and best-known companies have recently succumbed to phishing attacks. This was the case in December last year, when customers of a leading bank lost $13.7 million in an SMS phishing scam.
By far the most common attack vector around today, phishing is not new and has been used as a gateway for disruptive attacks and data exfiltration for decades. According to Proofpoint’s report, indiscriminate ‘bulk’ phishing attacks increased by 12% in 2021, with targeted attacks even higher. Spear phishing/whaling and business email compromise (BEC) increased by 20% and 18% respectively in 2021.
What is phishing?
Phishing is a type of social engineering attack, generally delivered by email, but increasingly via SMS and any other channel used to communicate with employees and customers. In fact, the 2022 State of the Phish report also highlighted the rapid increase of telephone-oriented attack delivery (TOAD).
The typical objective is for recipients to believe a message is legitimate and respond by clicking a link, opening an attachment and/or sharing credentials. The recipient is then redirected to a fake replica site where they are asked to log in to change a setting. When this happens, the attacker steals the victim’s credentials and uses them to log into the real website. These attacks are often used as entry points for malicious payloads, as ways of stealing identities and valuable data, or as a means to easily transfer money out of bank accounts.
Why are people still falling for phishing attacks?
In short, people are still falling for phishing attacks because attack techniques have become more sophisticated and difficult to detect. Emails and SMSs are crafted in such a way that they impersonate trusted entities like banks, utility providers, or a trusted person such as a work colleague, a lawyer, a real estate agent, or a spouse. For instance, finance teams frequently receive emails appearing to be from senior management requesting that fake invoices be paid. Scammers also send emails impersonating lawyers or real estate agents, directing home buyers to transfer money into the bank accounts of criminals.
As more work is done in cloud environments, new opportunities have emerged for attackers. Proofpoint has identified a significant increase in the abuse of Microsoft and Google infrastructure, which is used to host and send threats across their products. The 2022 State of the Phish report reveals that 30% of working adults think that emails with familiar logos are safe and 35% believe all files stored in a public cloud service are safe. People are also using more devices to access more company resources, creating even more opportunities for attackers.
What can be done to mitigate the phishing threat?
In response to the avalanche of phishing attacks, most organisations use multiple approaches to protect themselves against the risk of an employee or stakeholder falling for a phishing attack. This typically includes multiple layers of cybersecurity controls, such as a secure email or a cloud-based email security service.
Despite these measures, phishing attacks are still highly successful because organisations fail to recognise that people are the greatest cybersecurity risk. Awareness of risk, risk mitigation behaviours, and the ability to identify attacks rapidly remain woefully inadequate. To address the growth in the frequency and impact of phishing attacks, organisations must:
- Increase cybersecurity awareness with company-wide behaviour change programs that include frequent phishing simulations. This will make users more resilient and provide metrics on how vulnerable an organisation is to phishing. Consequence management programs can be implemented to identify the least resilient users and focus further training or additional controls on them.
- Use actionable threat intelligence to identify vulnerabilities and to make simulated attacks more relevant. This intelligence can also identify likely tactics, techniques, and procedures (TTPs) enabling organisations to adjust their controls accordingly.
- Implement zero-trust controls. No amount of protection will stop all phishing attacks from being successful. Organisations need to assume that some breaches will occur and implement zero-trust controls which limit the amount of damage that can be caused by a breach. Every attempt to access resources must be treated as though it could be an attacker, and privileges must be kept to an absolute minimum.
- Enhance detection and response controls. The sooner a breach is detected, the better. Too many attackers lurk within systems and networks for substantial periods of time. More rapid detection and response can limit the damage caused by successful phishing attacks.
These measures are not a panacea. Phishing attacks will likely become more sophisticated and difficult to detect, and some attacks will inevitably be successful. However, organisations must use a range of controls – most importantly, people-centric controls – to ensure that such phishing attacks are rapidly detected and that, if they are successful, the damage caused is limited.
Being able to detect and respond to these attacks more rapidly will most certainly help to counter negative publicity, keeping organisations out of unwanted headlines.
Alex Lei is the senior vice president for Asia Pacific & Japan at Proofpoint