Sumit Bansal, Director for ASEAN & Korea, Sophos
Phishing remains one of the most common attack vectors for hackers who exploit end-user behavior as the weakest link in a company’s cyber-defenses. Traditional online security training programs are academic, blind to the current attack landscape and disconnected from the rest of IT security management, making it burdensome for IT managers to effectively integrate anti-phishing into routine risk assessments.
To address this concern, Sophos launched in February Sophos Phish Threat, an advanced phishing attack simulator and training solution that is fully integrated with the company’s cloud-based security management platform, Sophos Central. With centralized management and automated campaign analysis, Phish Threat reduces the time and resources required to affect real change in employee behavior when faced with sophisticated and rapidly evolving cybercrime techniques, according to the company.
Sophos Phish Threat automates the entire training process and provides visual analytics to identify vulnerable users. The Sophos Phish Threat attack simulator and training platform is managed alongside other Sophos security solutions within Sophos Central to provide rapid risk detection and incident response.
“Over the years we’ve seen phishing scams imitating every retailer and organization imaginable, from iTunes to Bitcoin. The phishing campaigns keep growing as it is difficult to spot fake sites and emails,” said Sumit Bansal, Director for ASEAN & Korea, Sophos, in an email interview with UpgradeMag.com.
Bansal said that phishing has evolved in lockstep with the ‘Malware-as-a-Service’ phenomenon. “Today, we see phishing emails as a primary delivery method for ransomware payloads, which effectively latch on to organizations’ files to encrypt them, holding them ransom.”
In the interview, Bansal also talked about the how users and IT security departments can keep phishing scams from spreading, and how the Philippines is doing in the fight against phishing.
1. Despite all the education being given by security vendors and companies, why are phishing scams still a problem today?
Globally, phishing still remains one of the most common attack vectors for hackers who exploit end-user behavior as the weakest link in a company’s cyber-defenses. Phishing scams are also on the rise as the use of targeted phishing and “whaling” is growing. These attacks use detailed information about company executives to trick employees into paying fraudsters or compromising accounts. Phishing attackers are also increasingly targeting critical financial infrastructure, such as the attack involving SWIFT-connected institutions, which cost the Bangladesh Central Bank $81 million.
2. How has phishing evolved over the last 5 to 10 years? What are the biggest differences between today’s scams and the scams several years ago?
Traditionally, users receive a “spoofed” email that appears to come from a legitimate website they frequently have online dealings with, like their bank, credit card company, or ISP, or in some cases even their employer. The phishing email informs the user their account is somehow at risk, and that they may need a security update, or to reset their password. The phishing email may also direct the user to a spoofed website or pop-up window which looks exactly like the real site, but has been set up for the sole purpose of stealing personal information. Unaware that the site isn’t real, unsuspecting users are fooled into handing over credit card numbers, passwords, or other details.
Over the years we’ve seen phishing scams imitating every retailer and organization imaginable, from iTunes to Bitcoin. The phishing campaigns keep growing as it is difficult to spot fake sites and emails.
Phishing has evolved in lockstep with the ‘Malware-as-a-Service’ phenomenon. Today, we see phishing emails as a primary delivery method for ransomware payloads, which effectively latch on to organizations’ files to encrypt them, holding them ransom.
3. Can you give a list of common things (at least 5) to watch out for in phishing schemes?
- The message contains bogus links or mismatched URLs
- Poor spelling and grammar
- The message has uncommon requests
- Terrible formatting
- The sender is unknown and suspicious
4. What is the biggest red flag for users and IT security departments?
The biggest red flag is when you receive an email unexpectedly that is requesting information, money, or other actions in an unusually short period of time. It is recommended to analyze the email. By rushing or intimidating the user, email hackers are hoping that users won’t take time to scrutinize the email for flaws. Hence, it is important not to fall into this trap. Be alert, aware and thorough as you look for Phishing emails.
5. How is the Philippines doing in the fight against phishing? Are we lagging behind other countries?
The National Bureau of Investigation (NBI) has warned the public of the existence of “phishing” syndicates that are victimiZing clients of banks and financial companies. In this vein, they are also working on tighter filtering systems for banks’ internet transactions.
6. How much, on average, does a business lose to phishing scams?
It ranges according to the extent of the attack, but enterprises can lose up to millions in phishing attacks.
7. How can users and IT security departments keep phishing scams from spreading?
User education is definitely a key area to focus on, to empower employees to combat phishing. For the first time, with an aim to help organizations and staff understand phishing attacks, the Sophos Phish Threat Attack Simulator enables IT managers to create authentic phishing simulation and training sessions, and initiate course corrections for their employees. This approach exposes end users to automated attack simulations, quality security awareness training, and actionable reporting metrics; thus facilitating a positive security awareness culture.
8. What are the key enabling technologies behind the Sophos Phish Threat offering?
Sophos Phish Threat Attack Simulator provides rapid risk detection and incident response. It replicates the mindset of a real attacker, using the complicated methods and techniques in use today. This means assessments are modeled after potential attacks that organizations may face from real hackers.
With Sophos Phish Threat, IT managers now have sophisticated, integrated threat intelligence that combines the strength of Sophos security technologies with a product that tests, trains and analyses human vulnerabilities. This creates a very powerful solution for businesses struggling to keep ahead of organized cybercrime and unwary end-users.
