Written by Simon Langton, VP of Professional Services, Avecto
The General Data Protection Regulation (GDPR) came into effect on May 25th, bringing about a new era of compliance reporting for any company that manages data on EU citizens. Organizations are now required to log a data breach within 72 hours of it occurring, facing serious fines if they fail to comply. And with new high-profile phishing attacks being reported every day, it has never been more critical for enterprises to protect themselves from hackers.
And while the GDPR is bringing about stronger compliance laws, it is also encouraging new tactics from hackers who are taking advantage of the regulation. Earlier this month, hackers attempted to steal personal data by posing as well-known companies and sending fake emails warning about imminent changes to privacy settings. For example, a GDPR-themed scam disguised as an email from Airbnb asked victims to accept a new privacy policy, supposedly required by the regulation, before any further bookings could be made.
Targeted phishing schemes and malicious URLs continue to plague enterprises and consumers, and we can expect more attackers to take advantage of the GDPR by posing as opt-in customer communications from organizations. To help you remain secure and compliant, we have outlined some examples of how to spot phishing attacks and prevent them.
Spotting event-related phishing attacks
According to a recent report from Wombat Security, 76 percent of information security professionals revealed that their organization experienced phishing attacks in 2017. Modern phishing campaigns are becoming increasingly difficult to spot, especially with the rise of a class of phishing attacks that are event-driven and temporal in nature. Most commonly, they take the form of exploiting emergencies or natural disasters, with attackers creating schemes that look like requests for charitable donations. Just this past summer, hackers used Hurricane Harvey-themed messages to trick people into opening phishing emails and links on social media sites, which resulted in malware infections or conned victims out of money.
To combat this, users should be careful about what they click on. Make sure the charities you are trying to donate to are legitimate and have authentic URLs. Before you click, reflect on whether you have donated to the organization before or whether this is the first time. If it is their first contact with you, can you think of a reason why they would suddenly be reaching out? If not, that should raise your suspicion; don't click on the link. Examining the URLs within the email is another key way to spot phishing attacks. If the organization has sent emails to you before, check whether the addresses match communication you have previously received.
Do a thorough read of the communication before you click as well. Is it a high-quality message, or do you find that it reads poorly? Hints that it is coming from a less than reputable source include old logos and the use of several different font types that are inconsistent with the charity's current branding. An example of inconsistent branding was the recent Adidas phishing campaign that offered a "free" $50-per-month subscription under the promise of free shoes. However, those who looked closely at the phishing email would have spotted a homograph link that spoofed the appearance of a legitimate Adidas website, except that a vertical line with no dot stood in place of where the "i" would be.
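The URL checks above (comparing a sender's domain with ones you already know, and spotting a dotless "i" or similar look-alike character) can be automated. The following Python script is an added example written for this article, not Avecto's or Adidas's code: it decodes punycode hostnames, collapses a small, hand-picked table of confusable characters into ASCII, and reports whether a link's hostname is an allowlisted domain, a homoglyph look-alike of one, a brand name buried in the subdomain of another domain, or a mix of scripts. The allowlist, the confusables table and the sample links are constructed placeholders; an organization would substitute its own sender list and the full Unicode confusables data.

```python
"""Flag look-alike (homoglyph) and brand-abusing hostnames in email links.

Illustrative example for this article, not vendor code. The allowlist and the
confusables table are constructed placeholders; production code would use the
organization's own sender list and the full Unicode confusables data.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: domains the recipient genuinely expects mail from.
KNOWN_GOOD_DOMAINS = {"adidas.com", "airbnb.com", "example-charity.org"}

# Hand-picked characters that render like ASCII letters. Unicode's full
# confusables list is far larger; this subset is illustrative only.
CONFUSABLES = {
    "\u0131": "i",  # Latin dotless i: the "vertical line with no dot" trick
    "\u01c0": "i",  # Latin letter dental click, another bare vertical stroke
    "|": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # look-alikes
}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, with punycode (xn--) labels decoded
    to Unicode so that look-alike characters are visible to the checks."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; nothing to decode
    return host.lower()


def skeleton(host: str) -> str:
    """Collapse visually similar characters into plain ASCII so that a spoofed
    name and the brand it imitates produce the same string."""
    normalized = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def letter_scripts(host: str) -> set:
    """Approximate the scripts used by the letters of a hostname from the first
    word of each character's Unicode name (LATIN, CYRILLIC, ...). unicodedata
    exposes no script property, so this is a heuristic."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split()[0])
    return scripts


def verdict(url: str, known_good=KNOWN_GOOD_DOMAINS) -> str:
    """Classify a link's hostname:
      known-good          exact allowlisted domain or a subdomain of one
      lookalike           skeleton matches an allowlisted domain (homoglyphs)
      brand-in-subdomain  allowlisted name used as leading labels of another domain
      mixed-script        letters drawn from more than one script
      unknown             nothing matched; ordinary caution applies
    """
    host = hostname_of(url)
    for good in known_good:
        if host == good or host.endswith("." + good):
            return "known-good"
    good_skeletons = {skeleton(g) for g in known_good}
    # Simplification: treat the last two labels as the registrable domain.
    # Real code should consult the Public Suffix List.
    apex = ".".join(host.split(".")[-2:])
    if skeleton(host) in good_skeletons or skeleton(apex) in good_skeletons:
        return "lookalike"
    for good in known_good:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "brand-in-subdomain"
    if len(letter_scripts(host)) > 1:
        return "mixed-script"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the dotless-i trick from the article.
    for link in ("https://adidas.com/offer",
                 "https://ad\u0131das.com/free-shoes",
                 "https://adidas.com.evil.example/login",
                 "https://www.example.net/donate"):
        print(f"{link:45} -> {verdict(link)}")
```

The skeleton comparison is what catches the Adidas-style trick: "adıdas.com" and "adidas.com" differ as strings, but both collapse to the same skeleton, so the spoof is reported as a look-alike of an allowlisted brand rather than as an unknown domain. Browsers and mail clients display punycode hosts in their Unicode form, which is why the check decodes them first.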
Additionally, a genuine message should typically be free of grammatical errors and formatted with well-crafted HTML. Producing high-quality communications is hard, and legitimate companies have teams of professionals on staff who work to ensure communications come across professionally. If you find that a communication does not meet these standards, don't click on it.
It also goes without saying that keeping your software up to date will play a large part in preventing hackers from finding security holes.
Preparation is Everything
Users are often the weakest link, regardless of how good the security in your organization is. That is why it is key to prepare your users with regular training in how to spot cyber-attacks. Training programs should be run regularly to show the possible attack scenarios and the risks to the company. The training should also be assessed frequently to measure its effectiveness. IT leaders should also implement email phishing assessments to evaluate how well employees have internalized the training. This involves developing an email that has the same look and feel as a legitimate organization email and sending it to all employees in the organization. Key metrics should be tracked from this campaign, including who opened the email, clicked on the link, entered credentials, or submitted any information through the links. After clicking through, the employee should receive a message indicating they have been 'phished' and that this is meant as an educational tool.
Another way to stop cyber-attacks is to remove user admin rights through a policy of least privilege. For example, the ransomware attack known as WannaCry or WannaCrypt0r shut down IT systems in NHS hospitals and GP surgeries in the UK, as well as in many large global organizations including Telefonica, FedEx and Renault. The attack originated via an extensive email phishing campaign, with emails posing as messages from a bank concerning a money transfer. When these emails are opened, a payload is dropped to disk, causing the victim's data to be encrypted.
A year after WannaCry first debuted, many organizations still have not learned the lessons and assume they aren't a target; everyone is a target. It is crucially important to reduce the attack surface on your endpoints rather than relying on detection. Preventing users from making unwanted desktop changes without restricting them from performing their job function continues to be a serious challenge for almost all organizations. Striking a balance between providing users with a degree of control over their desktop configuration and protecting the standard desktop build is difficult, as this control often results in granting admin rights to a user.
From Internet-connected thermostats to cloud services, attackers are seeking more ways to disrupt business operations and charge a ransom. The adoption of Windows 10 is an important move for organizations because it brings improved security features and faster patching. Running the most secure operating system, implementing least privilege and whitelisting applications together form a solid security baseline for any organization to build on.
Conclusion
The best defense against all types of phishing attacks is implementing technology that can adapt to various attacks and knowing what to watch for. For businesses worried about their employees putting systems at risk, training and education are essential. Ensuring that appropriate controls and procedures are in place to swiftly detect and respond to attacks is also helpful.
However, it all comes down to human intuition and insight. Scammers may be cunning, but so are you.
About the Author
Simon Langton, VP of Professional Services, Avecto
With over 17 years of experience in the technology industry, Simon is responsible for Avecto's professional services and customer teams. Simon sets the strategy for the way in which Avecto helps its customers implement and maintain its unique Defendpoint security software. Prior to his role at Avecto, Simon was Head of Innovation and Technology at Intrinsic Enablers of Business Agility and Business Operations Manager at AppSense.