A couple of weeks back, we introduced a series on cyber threats by detailing the warning signs and best practices hedge funds can implement to protect themselves against socially engineered cyber-attacks. This week we continue the series by breaking down five key facts about phishing attacks, one form of socially engineered cyber threat. Read on to learn more about the signs, symptoms and best practices for keeping your firm protected.
Phishing attacks are the most common cyber-attack method today, with new variants appearing every day. Hedge funds and other investment management firms have become prime targets because of the vast amount of assets and the wealth of investor information they hold at any one time, and the constantly evolving variants make these attacks even more difficult to detect. Over time, phishing scams have evolved to appear highly authentic. In the past, attacks were easy to spot and thwart because of the poor grammar and implausible scenarios described in the phishing emails.
Because the number and variety of phishing attempts have grown exponentially over the years, attackers pose a very grave threat to hedge funds. Spear phishing, a targeted attack against a specific company, is often the riskiest. Spear phishing attacks typically target individuals within a particular company rather than the organization as a whole, and contain curated, specific information that can make them appear extremely realistic. Furthermore, spear phishing emails will often appear to be sent from someone the potential victim knows, such as a coworker.
When it comes to phishing attacks, it’s also important to remember that the attack methods now go beyond email. Victims are also being targeted through telephone calls in a type of attack called voice phishing, or v-phishing. V-phishing attacks take a variety of forms, often combining email and telephone to further confuse victims. In a common v-phishing scenario, the victim receives an email from what appears to be their IT department, stating that harmful activity has been observed on their PC and that a member of the IT department will contact them by telephone to resolve the issue. The person calling is actually a cyber-criminal, who uses the call to coax critical, private information out of the victim and to gain remote access to the computer. Once the criminal has remote access, they plant dangerous and destructive malware on the victim’s computer.
A single phishing attack on just one employee can have extremely negative consequences for an entire organization. Falling prey to phishing opens a company up to a wide array of follow-on attacks, such as APTs and CryptoLocker, because the company network is now compromised. Additionally, spear phishing attacks cost firms an average of several thousand dollars in damages.
There are several steps firms can take to minimize the risk of phishing attacks and keep their vital assets protected. The first step is to implement formal internal policies and procedures on security best practices, and to run employee training sessions that educate staff on the warning signs of cyber threats, including phishing attacks. While human error can never be completely eradicated, regularly scheduled training on security best practices can greatly reduce the chance of an error leading to a successful attack. If your firm is small and does not have the resources to manage internal security processes itself, virtual CISO services are becoming a more cost-effective option. Virtual CISO services go beyond providing scans, reports and assessments: they provide a highly trained security professional to explain and manage security practices from both a technical and an operational perspective. You can learn more about the benefits of CISO services here.
Be sure to stay tuned for a future post in our security series on advanced persistent threats (APTs).