Colin McTrusty | October 17, 2017

Government official or C-suite – being publicly cyber-aware is everyone’s responsibility

All computer users, especially experts, should be trained and capable of recognising even targeted attacks like spear phishing.

Spear-phishing, or targeted phishing attacks, are becoming a growing problem for government officials, as advanced techniques mean that senior and influential members of staff are being publicly caught out for falling for these email-based attacks.

SINON_REBORN is an email prankster who is particularly adept at developing incredibly targeted and humiliating spear phishing emails to confuse and undermine high profile individuals. In August this year, posing as Jared Kushner, he succeeded in tricking US Homeland Security Advisor Tom Bossert into handing over his personal email address without even being asked. Ironically, Bossert was a cyber-security advisor at the time. The prankster then went on to trick UK home secretary Amber Rudd, also responsible for cyber-security, by posing as a senior Downing Street aide. He held a conversation with Rudd on her personal email address where she revealed that she was working on a series of announcements. Aside from the fact that Rudd was using her private email address via an external email system, which would be far more vulnerable to intrusion than her government email account - so definitely not the place to have a confidential conversation – this raises another important point. All computer users, especially experts, should be trained and capable of recognising even targeted attacks like spear phishing.

What exactly is spear phishing?

Spear phishing is a specific type of attack used by cyber criminals to harvest user information (like login credentials) or to infect networks and computers with malware. It is a type of “social engineering” attack which attempts to appear credible due to the accurate and relevant information the attacker uses in the email. Typically, spear phishing attacks appear to be from someone you know - like a colleague, or even a family member. This can make them much more effective than a generic phishing email.

Spear phishing attacks are usually orchestrated via email, though cyber-criminals sometimes also make use of text messages, apps, social networks, and phone calls. Despite advancements in phishing email filters, and even malicious website warnings, many of these attacks slip through because they are so incredibly targeted.

Whilst we found in our State of the Phish 2017 report that the number of spear phishing attacks had decreased by 10 per cent, we still discovered that 61 per cent of InfoSec professionals had reported experiencing these kinds of attacks every single day. The best cyber-security technology still allows these attacks to reach end user inboxes. For that reason you need to be able to rely on your users to recognise and report these attacks.

So, how do you spot a spear phish?

Never automatically trust any email message and don’t let the presence of familiar personal information in a message lure you into a false sense of security.

Don’t put your personal info on your social network sites. This means no birthdays, anniversaries or names and ages of your children, etc. One way of getting around this is rather than referring to family members by name, use their first initial or some other reference that would be obvious to anyone that knows you well.

Do your research on emails that demand immediate action. Google the company name, get a contact number to call and ensure you’ve received a valid request. Do not blindly trust contact information provided in emails because cyber criminals sometimes include phone numbers that actually dial the criminal directly.

Be extra careful of emails that relate to current events. For example, emails with links to photos of the royal baby, up to the minute coverage of sporting events, or a recent celebrity scandal are very likely to link through to malicious web sites. If you want to know more about the story, look for it on a reputable news site.

Don’t assume that emails from friends or colleagues have safe links or attachments. Just like SINON_REBORN, cyber criminals can easily gather your colleagues’ email addresses and send emails to you that look safe. When you receive a link or attachment from a friend or colleague, the safest approach is to actually call them so they can verify what they sent you.

Leading by example

Regardless of what industry they’re in, it is the duty of leaders to foster a top-down, and side-by-side, culture of security that puts an organisation (or country!) wide emphasis on cyber security best practices. Cyber-security should not just be something that’s relegated to IT teams or a footnote mentioned twice a year in board meetings. It needs to be top of mind all the time and not just internally, but also with your contractors, partners, and even the people in your business “supply chain” like cleaners and accountants. Cyber-security should be spoken about like any other business concern – if you think of it as an everyday part of your business this will aid a lot in demystifying it for your staff.

recent report from BT and KPMG about cyber-security maturity stresses that it is the duty of senior managers and executives to lead by example – they need to champion cybersecurity efforts and “walk the talk”. The report argues that “true leaders think differently about security” and that they see cyber-security as an opportunity rather than a cost or inconvenience.

The report argues that true leaders,“… help implement new services, tracking and monitoring their security, continuously adapting their defences to deal with the changing threat. They develop metrics of security which resonate with the business, and give senior leaders appropriate confidence in the organisation’s security stance. Most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding  (your users) and their behaviour, so you can spot the unusual and the different.”

So, business leaders should be leading by example (this means knowing how to spot a spear phish attack and not falling for one) and incorporating cyber-security into the business, rather than regarding it as a nuisance only to be taken seriously after an attack has occurred. The C-Suite should be making cyber-security a top-down and side-by-side project where absolutely no one is exempt from contributing and being a part of an organisation’s defence strategy.