By Nuno Cândido, IT Operations, Cloud & Security Associate Director
We live in times of digital acceleration. The last few years have brought tremendous technological evolution, with a drastic increase in mobile devices and the democratization of Internet access. We live in times when everything and everyone is connected, devices and people alike, and in which the sharing of data, some of it critical, keeps growing.
Every day, more users connect online. A recent study indicated that in January 2020, 4.5 billion people accessed the Internet, about 60% of the world's population, a figure that illustrates this digitization.
Digital evolution has made people's daily lives and the day-to-day activities of organizations easier. Still, it has also increased the complexity of systems, applications, networks and devices, eroding the organization's security perimeter. Making this context even more critical, the COVID-19 pandemic, with the consequent adoption of teleworking, added even greater difficulties to companies' information security and opened a window of opportunity for cyber-attacks.
Between February and March 2020 alone, for example, the number of security incidents reported in Portugal increased by 84%, and the increase over the whole of 2020 exceeded 150% compared to the previous year.
Phenomena such as the cloning of websites or phishing scams are recurrent forms of intrusion attempts and of improperly capturing access credentials, personal and payment data, and other critical data.
Handing over personal data without prior scrutiny is the first step towards becoming a victim of phishing.
What is Phishing?
Phishing is a social engineering technique associated with hacking that seeks to deceive users in order to obtain confidential information, such as usernames, passwords, addresses, and even credit card details. The term derives from the English word "fishing" (in Portuguese, 'pesca'), since its objective is precisely to "fish" for the user's data.
The most common types of phishing:
1. Fake emails or fake messages
To commit these frauds, hackers use genuine-looking messages and images to persuade the user to take specific actions. If the user does not realize that it is a phishing email, they may click on a fraudulent link or change their account password. By following this fraudulent link, we allow the hacker to gain access to our data.
2. Attacks on Cloud Data
Employees and organizations increasingly store confidential documents in the cloud, using applications such as Google Docs or OneDrive, which makes these platforms increasingly attractive for cybercrime: stealing files, professional information and sensitive data of organizations, as well as personal information of various kinds. The modus operandi is similar to the one in the previous example, often sending fake emails that try to impersonate the entities that manage these platforms and ask the user to perform a "banal" operation, such as resetting their password.
3. Phishing by ransomware
This type of phishing is slightly different from the examples above. The user also receives a malicious link; however, instead of being directed to a fake website, the link installs malware on the computer. The attack's intent involves not only the theft of information but also the virtual hijacking of the computer itself or a "silent" entry into an organization's network, which allows the attacker to remain incognito on that network for months, steal gigantic amounts of data, or take control of other platforms, systems and even machines and physical spaces.
Some steps that help organizations and their employees to reduce the risk of phishing:
• Education and awareness
Organizations can and should carry out phishing simulations with their employees. These initiatives and tests make it possible not only to assess how prepared and attentive employees are to possible attacks but also to help everyone prepare in the best way to deal with real threats. It is also essential to create internal communications and training/awareness actions that explain the several types of phishing to the teams, make them aware of the issue, and prepare them to act appropriately in the event of an attack.
• Betting on security solutions with Artificial Intelligence
From a more technical perspective, companies' security and IT teams must focus on the security architecture through an integrated approach that includes "smart" technological capabilities as well as standards, guidelines, processes, and practices that guarantee mechanisms for safeguarding information security, privacy and access policies.
It is necessary to change the paradigm: looking for anomalous behavior instead of looking for malicious behavior, through artificial intelligence algorithms. These are some of the fundamental pillars of cybersecurity automation and an answer to the limits of human capacity.
Artificial intelligence is a strong ally in the service of cybersecurity and an essential investment these days to increase security in organizations, not only in terms of detecting threats but also in their real-time resolution and neutralization.
Phishing is a very present and increasingly sophisticated threat in the new digital world. It is, therefore, important that all organizations, regardless of their size or sector of activity, are increasingly attentive and prepared. Extra attention is also required when responding to emails and in complying with the most basic (and fundamental) security rules at the individual level.
Is your organization prepared to face this threat?
Published (in Portuguese) in Dinheiro Vivo