Phishing: companies to be held liable?
29 10 2018
Email scamming, or phishing, is very widespread. To defend against these practices, companies must put in place security measures, which are easy to implement and quite often effective.
In a judgement of 28 March 2018, the French Court of Cassation acknowledged the gross negligence on the part of an individual victim of phishing. This individual was duped by fraudulent emails from the address “email@example.com” and disclosed his banking information. The Court decided to hold against the individual the obvious indicators that this was indeed a fraudulent email: spelling errors, different email address from that of the bank, etc.
If an uninformed recipient may now be accused of “gross negligence”, companies can expect to also be held liable in a similar situation. It is therefore in their best interest to guard against such an attack.
What is e-phishing, and just how widespread are these cyber attacks?
Phishing is a type of email scam that consists of impersonating a well-known company in the aim of convincing recipients to change or update their information (banking or email login, for example) on web pages imitating those of the company in question. According to a Vade Secure study, companies like Microsoft, PayPal, Netflix and others are at the top of the list for the most targeted companies. This pervasive threat takes advantage of the lack of awareness or naivety of certain people—sometimes company employees—to obtain confidential information. Worldwide, 1 email sent in 100 has a malicious intent, according to the Email Threat Report study by FireEye, which examined more than a half a billion emails sent between January and June in 2018.
Several types of phishing scams have made an appearance in cyber space. For example, so-called “spear phishing” targets a specific individual or group of people (i.e. employees of the same company). To this end, hackers start by assembling a baseline of relatively important information and data in order to contact these individuals in a more targeted manner.
How to protect yourself against phishing
Given the sheer volume of malicious emails, the lack of awareness among recipients is particularly concerning. In October 2017, the French Ministry of Economy and Finance in response created a fake phishing attack which managed to deceive 30,000 of the 146,000 agents. “Training employees, especially those in more sensitive positions, is the first step to defending against phishing. This is carried out through training sessions outlining guidelines to be followed and including examples of phishing emails,” notes Fayçal Daira, Endpoint Security Product Manager at Stormshield. The techniques for raising awareness are endless, ranging from fake attacks to quizzes and educational tools, such as the Twitter bot @isthisphish which helps to identify suspicious pages.
— is this phishing? (@isthisphish) 14 septembre 2018
Protection against phishing is also provided by tried and tested technical solutions. “The primary vector of phishing being electronic mail, the first security solution is anti-spam software which, thanks to geolocation or IP reputation checks, can be extremely effective”, explains Marco Genovese, Network Security Product Manager at Stormshield. Network security solutions can conduct more thorough inspections than integrated anti-phishing functions can, detecting attacks beforehand. For an additional barrier of defence, a security solution may be installed directly at workstations.
The primary vector of phishing being electronic mail, the first security solution is anti-spam software which, thanks to geolocation or IP reputation checks, can be extremely effectiveMarco Genovese, Network Security Product Manager at Stormshield
“At Stormshield, we have a detection service in the Cloud which is used as a sandbox and is capable of receiving information on phishing in real time. On average, one or two campaigns are detected each week, recent examples being Pony and Emotet. As these malicious programs generally tend to target the same vulnerabilities, our systems learn to detect more effectively from one campaign to the next,” emphasizes Marco Genovese.
The new threats of long-term phishing
Undoubtedly the trend is moving towards ever more sophisticated attacks, with the advent of long-term phishing. This attack mechanism aims to download an attachment that will ultimately install dormant malware on the user’s computer. “Today, we see cyber-criminals beginning with the first phase of installing a keylogger onto the target work station, which is capable of obtaining usernames and passwords. Only when the target is planning a transfer to a supplier, for example, will the phishing email be sent with different banking information,” describes Fayçal Daira. Because just one malicious file is sufficient to jeopardize the entire company, our Breach Fighter portal enables you to analyse any file that you feel may be suspicious and thus safely open attachments with full reassurance.
Final note of precaution: although email is the preferred vector for phishing, social networks have become unwilling allies in these cyber-attack campaigns. Indeed, cyber criminals freely collect vast amounts of data (first and last name, interests, old passwords, etc.) in order to personalize their malicious emails and make them more credible. In conclusion, everyone is a target for cyber criminals. This is why companies must keep themselves informed and communicate regularly with their employees to keep them up to date on the risks of phishing.