Intelligent CIO APAC Issue 31 | Page 35

EDITOR'S QUESTION

The pandemic has accelerated the proliferation of Internet-enabled devices and Internet-facing organizations, dramatically increasing the attack surface for cybercriminals to exploit. Cyberattacks have become rampant and more costly, both financially and reputationally, for organizations.

Phishing is one of the methods most used by cybercriminals. Phishing acquires a legitimate user's credentials by obtaining sensitive user information such as PII (Personally Identifiable Information), usernames and password hashes. The most effective method for phishing is spear phishing, using emails that target user email addresses (private or corporate) and encourage users to click on links that deliver malware or other types of malicious files.
Social engineering allows attackers to gather valid private or corporate email addresses and target individuals with personalized and believable emails. This enables attackers to log in to an organization's internal network using valid credentials instead of breaking through an organization's perimeter security with the risk of raising alarms and being detected.
Phishing must be top-of-mind for cybersecurity leaders, as it's the first step in an attack for cybercriminals to perform further reconnaissance and steal high-privilege credentials by deploying and executing ransomware on critical systems and backups.
Phishing toolkits also support the deployment and maintenance of phishing websites and drive even non-technical scammers to join the phishing adversary landscape and run phishing scams. The reuse of phishing toolkits is evidence that phishing continues to scale, moving to a Phishing-as-a-Service (PhaaS) model and utilizing Internet-free services.
PhaaS removes many technical barriers novice hackers face. These include designing and coding phishing emails, spoofing websites and, in some cases, finding buyers for the ill-gotten data. In return, the sellers get a percentage of the take. With the holiday and shopping season approaching, phishing attacks are always anticipated to spike. We are seeing phishing kits being reused – with them not only succeeding the first time but continuing to take victims.
There are a number of things consumers and enterprises can do to improve their defenses against phishing attacks:
• Consumers should remain vigilant throughout holiday periods and beyond as phishing toolkits become more sophisticated. They must be mindful about only clicking links from trusted senders and check that the address an email is sent from is legitimate before clicking any links.
Enterprises should:
• Ensure phishing training is ongoing and protections are constantly reviewed so that attacks can be mitigated effectively and defenses are adapted, while being vigilant about consumer-based attacks. Organizations should implement a strong phishing awareness program and be more disciplined in their social media content posting, PII disclosure and how they access links in emails.
• Review existing phishing incidents, as phishing is no longer just an email problem. Attacks are increasingly being launched via social media and messaging apps, so looking at approaches to mitigate these attack vectors is key. Organizations should conduct phishing attack simulation and mitigation drills to identify areas of improvement.
• Consider tools that can identify and block requests to brand-new phishing pages in real-time and at the point of request, even if the page has never been seen before. These tools provide an additional layer of real-time protection.
DEAN HOUARI, DIRECTOR OF SECURITY TECHNOLOGY AND STRATEGY, APJ, AT AKAMAI TECHNOLOGIES