Phishing gets subtle, more worrisome

Mark Lyndersay -
BitDepth#1335

MARK LYNDERSAY

NEWSDAY · BitDepth1335 Narration - Phishing gets subtle, more worrisome

ON DECEMBER 1, PrivSec Global, which hosts a series of forums examining issues of digital privacy, cybersecurity and identity protection, hosted a webinar on “Deepsea Phishing.”

Phishing is the practice of creating false digital artefacts (e-mails, websites and social media posts) that lead a casual user to click on links that may open an unexpected website or install software that locks users out of entire computer networks in a ransomware attack.

While there are different kinds and classes of phishing in this evolving system of exploits, they are all versions of social engineering masquerading as something benign or desirable to effect damage.

Chris White, head of cyber & innovation, Cyber Resilience Centre for the South East, England, explained in the webinar that, "Most successful cyberattacks are the result of someone clicking on a phishing e-mail link and the software gets infected in the system.

"It's most successful when it can deliver a payload. Phishing e-mail campaigns are getting much better and more advanced."

"The structure of phishing has changed to adapt to the kinds of messages that get exchanged with people who work from home and are doing more shopping online, particularly messages about packages being delivered," explained Prof Mark Button, director of the Centre for Counter Fraud Studies, School of Criminology and Criminal Justice, University of Portsmouth, England.

"Concerns about health issues, including vaccines and tests, also provide cover for phishing attacks.

"We've got all the weaknesses we've always had, but we've got all these new areas which are providing scammers and fraudsters with a whole new range of options to attack us with enticements, and that's quite a lethal combination."

"These e-mails align with seasonal sales pitches with discount and coupon offers that are, apparently, just one click away," White said.

"Now there are 'isolation style' campaigns promising help getting compensation and offering companionship or friends online.

"If it's too good to be true, it's time to do some due diligence before clicking that link."

So how are these evolving challenges to be met?

"Only 23 per cent of UK businesses had a work-from-home cyber policy. Obviously that doesn't protect you, but it does show that you've thought about it and that you have strategies in place," Button said.

That challenge has only been amplified by fractured working conditions during the pandemic and the associated lockdowns.

"Phishing has become more active across devices, particularly since individuals are working remotely," said Yin Mei, director of strategy for PerScholas.org.

"They aren't necessarily at work using a work computer, they are home using their own personal devices.

"They are mixing browsers, which exposes more information that is on their computers if they are ever compromised in a digital attack."

Dr Vasileios Karagiannopoulos, reader in cybercrime and cybersecurity, University of Portsmouth, the webinar's moderator, advocated creating an environment in which errors are part of the learning experience.

"Sometimes people will click on a link, realise they have done something wrong and then try to cover up or ignore the mistake, which is one of the worst things that can happen," said Karagiannopoulos.

"(But) if they are afraid of getting fired or penalised in some way, that's probably exactly what will happen."

Taking action

"Verify, verify, verify," said Yin Mei.

"If it's possible, individuals should use separate devices for work and for home use. Failing that, use spam e-mail detection and ensure that work e-mails always go to work e-mail addresses and not personal e-mail accounts."

"Try to move away from the honour policy of asking people not to do something," said Chris White.

"As far as possible, the technical implementation should prevent them from doing that thing."

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.
