To fight phishing, focus on changing behaviour

Preventing phishing attacks requires more than just security awareness efforts. Vocalink CSO Andrew Rose explains how to change employee behaviour when confronted with phishing email.


All the network defenses in the world won’t help you if your company is successfully phished. Companies can improve their technical controls, but tricking people is often the quickest and easiest way into an organization. According to the 2019 Verizon Data Breach Investigations Report, 32% of breaches involved phishing and 29% of breaches involved the use of stolen credentials.

Speaking at Cybersecurity Connect UK, Andrew Rose, CSO at Vocalink, a Mastercard company that operates payments infrastructure in the UK, explained the threat of phishing and how to drive better employee behaviours around defending against phishing.

Phishing is a people-centric problem

While phishing emails inevitably reach the inboxes of almost everyone, not all targets are created equal. Some cybercriminal groups specialize in targeted attacks on executives and other specialized roles. The UK-based London Blue phishing group, for example, compiled a profile database of 50,000 potential victims, mostly with the role of CFO, for business email compromise (BEC) attacks.

Rose said his team recently pulled apart a phishing campaign that had targeted the company, and on the attackers’ server found 200,000 email addresses of people they were targeting, including a separate list of VIPs who were being targeted with different types of attacks. These BEC attacks, where criminals hijack legitimate accounts by relying on social engineering, often involve little to no actual hacking and bypass the controls security teams put in place.
