Why are we still getting caught by the ‘Phisher’men?

Posted on : 26-09-2019 | By : kerry.housley | In : Cyber Security, data security, Finance, Innovation



Phishing attacks have been on the increase and have overtaken malware as the most popular cyber attack method. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look like ones commonly used in the organisation.

Criminal scammers are using increasingly sophisticated methods, employing more complex phishing site infrastructures that can be made to look more legitimate to the target. These include well-known cloud hosting and document sharing services and established brand names, which users believe are secure simply because of name recognition. For example, Microsoft, Amazon and Facebook are top of the hackers’ list. Gone are the days when phishing simply involved the scammer sending a rogue email and tricking the user into clicking on a link!

And while we mostly associate phishing with email, attackers are taking advantage of a wide variety of attack methods to trick their victims. Increasingly, employees are being subjected to targeted phishing attacks directly in their browser, with highly legitimate-looking sites, ads, search results, pop-ups, social media posts, chat apps and instant messages, as well as rogue browser extensions and free web apps.

HTML phishing is a particularly effective means of attack where it can be delivered straight into browsers and apps, bypassing secure email gateways, next-generation antivirus endpoint security systems and advanced endpoint protections. These surreptitious methods are capable of evading URL inspections and domain reputation checking.

To make matters worse, the lifespan of a phishing URL has decreased significantly in recent years. To evade detection, phishing gangs can often gather valuable personal information in around 45 minutes. The bad guys know how current technologies are trying to catch them, so they have devised imaginative new strategies to evade detection. For instance, they can change domains and URLs fast enough that blacklist-based engines cannot keep up. In other cases, malicious URLs might be hosted on compromised sites that have good domain reputations. Once people click through to those sites, the attackers collect all the data they need within a few minutes and move on.

Only the largest firms have automated their detection systems to spot potential cyberattacks. Smaller firms are generally relying on manual processes – or no processes at all. This basic lack of protection is a big reason why phishing for data has become the first choice for the bad actors, who are becoming much more sophisticated. In most cases, employees can’t even spot the fakes, and traditional defences that rely on domain reputation and blacklists are not enough.

By the time the security teams have caught up, those attacks are long gone and hosted somewhere else. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages. Given the fast-paced urgency of this threat, financial institutions should adopt a more modern approach to defending their data. This involves protections that can determine the threat level in real time and block the phishing hook before it draws out valuable information.

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
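The first two checks in the list above can be partly automated. The following is an added example, not code from the original post: it flags link hosts that are near-misspellings of a trusted domain, that bury a trusted name inside another domain, or whose visible text names a different site than the link target. The `TRUSTED` list, the sample links and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation keeps its own list of domains it trusts.
TRUSTED = {"microsoft.com", "amazon.com", "facebook.com"}

# Constructed sample: (link target, visible link text) pairs from an email body.
SAMPLE = [
    ("https://www.microsoft.com/security", "Microsoft Security"),
    ("https://micros0ft.com/login", "Reset your password"),
    ("https://files.example.net/doc", "www.amazon.com/orders"),
]

def edit_distance(a, b):
    """Levenshtein distance, keeping only two rows of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def site(host):
    # Naive "last two labels" domain; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_of(text):
    # Hostname of a full URL, or of bare text such as "www.amazon.com/orders".
    text = text.strip()
    return urlsplit(text if "://" in text else "//" + text).hostname or ""

def check_link(href, shown):
    """Return the reasons a link deserves a second look (empty list: none found)."""
    host, reasons = host_of(href), []
    dom = site(host)
    if dom not in TRUSTED:
        if "xn--" in host:
            reasons.append("punycode hostname")
        for good in sorted(TRUSTED):
            if edit_distance(dom, good) <= 2:
                reasons.append(f"misspelling of {good}")
            elif good in host:
                reasons.append(f"{good} used inside another domain")
    # Only compare the visible text when it looks like a hostname or URL itself.
    shown_host = host_of(shown) if "." in shown and " " not in shown.strip() else ""
    if shown_host and site(shown_host) != dom:
        reasons.append(f"text shows {site(shown_host)} but link goes to {dom}")
    return reasons

def scan(links):
    return {href: check_link(href, shown) for href, shown in links}
```

A clean result from `scan` does not mean a link is safe: as the post notes, many phishing pages sit on compromised but legitimate domains that spell and resolve correctly.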

We have started to work with Ironscales, a company which provides protection utilising machine learning to understand the normal behaviours of users’ email interactions. It highlights (and can automatically remove) emails from the user’s inbox before they have time to open them. They cross-reference this information with multiple other sources and the actions of their other clients’ SOC analysts. This massively reduces the overhead in dealing with phishing or potential phishing emails and ensures that users are aware of the risks. Some great day-to-day examples include the ability to identify that an email has come from a slightly different email address or IP source. The product is being further developed to identify changes in grammar and language to highlight where a legitimate email address from a known person may have been compromised. We really like the ease of use of the technology and the time saved on investigation and resolution.

If you would like to try Ironscales out, please let us know.


Phishing criminals will continue to devise creative new ways of attacking your networks and your employees. Protecting against such attacks means safeguarding those assets with equal amounts of creativity.

Scammers Go Phishing For Fake News

Posted on : 31-05-2017 | By : richard.gale | In : Cyber Security, Uncategorized



Fake news is everywhere these days. It may seem like a new phenomenon, but the concept of propaganda is not a new one. Stock markets thrive on the latest headlines, and traders throughout history have attempted to manipulate markets by releasing information to influence prices. Today, fake news combined with social media has changed the game, with powerful consequences. This potent combination of false and misleading information flooding the internet can have devastating effects on your company and should be something that Information Security departments take seriously. During the US Presidential campaign a false story was propagated which said that Pepsi refused to serve Trump supporters at a rally. The story did a huge amount of damage to Pepsi’s brand and reputation, which can be a costly business!

Tackling the fake news problem and controlling the flow of fake information in and out of an organisation is a huge task. There are tools already available that can monitor traffic, so it could be possible to extend this to include external activity on social media sites such as Twitter, Facebook and LinkedIn. There are companies and technology products available in the market which can trawl these sites looking for malicious or misleading links. But technology is only one way of looking at the problem. More important are the other influences that drive our behaviour. It is critical to look at people and the processes that drive our behaviour.

Trust is a key feature which allows fake or misleading news into an organisation. Take a scenario where a friend or colleague sends you a link: you instinctively trust the information and click on the link. The same applies to brands that we trust. Take the Microsoft pop-up, which is a favourite with scammers. They send a fake pop-up to your screen. Most people trust this established brand name, see the Microsoft badge and click, thinking this must be true. These unsuspecting users click on the box or call a fake hotline number, thereby generating a malware event and opening the door for scammers straight into your organisation.

Email is another example of a very trusted way of communicating, making it a hot spot for scammers looking to retrieve your information or get you to click on a malicious link. A popular route for scammers is to send emails that pretend to be from the IT Department, asking employees to do a certain task such as resetting their password. You click the reset button and the scammers are in.

Phishing scams are one of the most commonly used ways in which your organisation can be infiltrated. User training which includes sending out a phishing email will find that 10-20% of emails are clicked on each time the test is run. Even after training this stays fairly consistent, so alternative ways of dealing with the problem need to be investigated. Some technology firms, such as Menlo Security, isolate the user from the internet and can capture most of these types of issues.

These technology options offer some valuable tools to protect organisations but ultimately there is no magic piece of software that can filter out the fake news and ward off the scammers. The only way to deal with the problem is education. Companies need to invest in proper cyber security training for all their employees. The traditional annual training update is not enough. Training needs to be done on a more regular basis with a more modern approach that can produce long term behavioural changes.

It is crucial to remember that staff are the front-line defence against the fraudsters, and we need to ensure that they are armed with the right knowledge to combat the threat. In a week where we have seen the Governor of the Bank of England fall prey to a fraudster who emailed the Governor impersonating a Bank of England colleague, this is no easy task!