Under cyber attack – and you don’t even know it

10 August 2017 | By Matt Rhodes

Matt Rhodes, commercial services manager at IT support specialist Quiss, explains what action you need to take to protect you and your company from the alarming rise in phishing attacks.

An increasing number of organisations across the world have fallen victim to cyber-attacks recently, with construction materials company Saint Gobain being hit by the most recent Petya malware – the second major global ransomware attack in just two months.

Similar to the WannaCry attack in May, which exploited vulnerabilities within operating systems, Petya is understood to have been seeded through a hijacked software update built into a Ukrainian accounting programme, and via phishing emails.

Whilst this reinforces the dangers of phishing attacks via email, one in 10 individuals will still fall victim and cause untold damage to more organisations worldwide.

Cyber criminals often begin by targeting smaller businesses as their systems and processes can be less secure and easier to access. This then enables the criminals to attack larger organisations that deal with the SME, exploiting credibility in the relationship to launch a successful phishing attack.

Hiding in plain sight

Criminals create fake, though seemingly credible email addresses to impersonate those of recognisable contacts. As the phishing email appears to come from a trustworthy source and is usually personalised, it is likely to bypass security and arrive in the target inbox.

The recipient, believing they recognise the email address, will be oblivious to an attack and will open the email. Expertly crafted emails prompt readers to click on innocent-looking links, which direct them to a believable but malicious website where they are asked to reset passwords or enter PIN numbers.

Alternatively, emails include toxic attachments containing malware or ransomware which will infect the device and spread across the entire system, thereby granting hackers access to confidential information such as customer contact details, credit history checks or even banking details.

More worryingly, more commercially sensitive materials, such as quotes, planning applications and design details, can also be accessed.

Criminals know how valuable this data is and will use it to divert funds from accounts, or they will encrypt and hold it to ransom until the business pays a substantial fee for its release.

Criminals are constantly improving their methods and each attack is becoming more sophisticated, making it easier to breach the weakest point in any system – the people that use it.

The lure of phishing emails

Regardless of whether an email appears to come from a familiar contact, the recipient should always assess:

Phishing in numbers

Phishing is a low-risk attack method with a high success rate, making it a favoured approach for criminals. Worryingly:

  • 10% of people targeted fall for a phishing attack
  • 23% will open the message
  • 11% click on attachments
  • 250% increase in the total number of phishing sites from October 2015 to March 2016
  • 91% of hacking attacks begin with a phishing or spear-phishing email
  • 55% increase of spear-phishing campaigns targeting employees

Trends in attack methods are difficult to pinpoint as they change frequently. Assuming you know what to expect or believing you’re too clever to be outwitted by a criminal will only lead to complacency. This could spell disaster for the future of your business.

Phish for weak spots

As construction companies tend to require a high turnaround of resources as projects start and finish, subcontractors and temporary specialised labourers are often spread across numerous project sites.

This and the use of various phones, laptops, mobile desktop trailers and different access points makes these companies an attractive target to cyber-criminals, who know there is likely to be at least one individual who is too distracted to spot an attack.

To help combat the risks of phishing, specialist service providers can conduct simulated attacks on your staff.

“Fake” phishing emails are created to appear as though they have been sent by recognised contacts, like colleagues, customers or suppliers. The emails will replicate real attack methods, using fake website links and toxic attachments, and will target specific groups at different times.

Responses and any actions taken will be recorded to reveal who opened the emails, clicked links or downloaded attachments, etc.

Anyone who interacts inappropriately will be advised by email that they have been caught by a phishing test and encouraged to be more vigilant.

Comprehensive reports will identify any weaknesses within a business and enable it to focus training where it is needed most.

Online defences

You could be the subject of an attack at any time so be vigilant when engaging in any online activity and:

Technology in construction is unavoidable – it is not only an asset but a necessity for every company within the industry. However, to avoid technology working against you, you must tackle the weaknesses of everyone using it.
