More companies are falling victim to ransomware attacks, with a large South African healthcare group becoming a target last week. While attacks on larger corporations are the ones that hit the news, small and medium-sized businesses are also falling prey. They just aren’t publicised.
A lot of small businesses still believe that they are too small or insignificant to be targeted. In reality, smaller companies become victims because they are easy targets. They tend to have less robust IT security in place to spot and block threats, and there is also low security awareness among staff.
Douw Gerber, Business Development Manager at South Africa-based managed IT security services company Securicom, says that increasingly, ransomware is a product of phishing scams. Phishing is the fraudulent process of acquiring information such as usernames, passwords, banking details, credit card numbers and other sensitive information by posing as an entity or company that the person trusts.
“Low security awareness among employees is a factor in ransomware attacks. Phishing mails, messages and SMS are only a problem when recipients respond by clicking on a URL link which leads them to a spoof website where they are tricked into revealing personal details, bank account details and other confidential information. That’s why phishing is a human problem. People need to know how to spot a ‘phish’,” says Gerber.
He explains that ransomware is a type of malware that encrypts data and either prevents or limits users from accessing their systems. Victims are then forced to either lose their data or pay a ransom through online payment methods to get it back.
Computers can be infected with ransomware in a variety of ways. The malware can be downloaded unwittingly by users when they visit malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware is delivered as attachments in spam emails.
In that case, the ransomware download begins automatically via a macro function, or is triggered when the victim enables macros in the document. Once the ransomware is installed, companies are shut out of their systems, data is held to ransom and business grinds to a halt.
“What we mostly see is the malware entering a system via email. Untouched, these do not pose a threat. It is what happens after a phishing mail lands in an inbox that matters. People shouldn’t open statements, invoices and remittance advice documents from people or email addresses they don’t know. Unfortunately, curiosity and naivety often take over.
“Yes, it is essential to have all of the technical interventions such as antivirus, two-factor authentication, and managed patching. However, the human factor will always create vulnerabilities unless it is also addressed. This makes end user education an important part of protecting companies, their data, their people and their money.”
Here are some tips for spotting a phish:
- Are you being encouraged to act now? Phishing emails are designed to create a sense of urgency to urge you to respond with information. Don’t open or respond to messages that insist on immediate action such as “Buy now”, “Reply now”, “Click here now” etc.
- Has the sender greeted you properly? Emails from legitimate senders will typically use your name in the greeting. Look out for generic greetings such as “hello there”, “Good morning sir/madam”, or “Hi”.
- Are you being asked to give up personal information in an email, SMS or online? Don’t do it. No legitimate company will ever ask you for banking details or other sensitive information in this way.
- Does the sender’s email address look strange? Legitimate companies will have a domain email address. Scrutinise the email address for discrepancies and slight alterations such as an extra letter or number. For example firstname.lastname@example.org instead of email@example.com
- Are there spelling or grammatical errors? You can be certain that messages from legitimate sources will not contain errors.
- Are you being asked to open an attachment? Legitimate companies will usually direct you to visit their website to download documents rather than send them to you in an attachment.
- Is there a link that you are “meant” to click on? Hover your cursor over the link to see where it leads. If the email appears to be from a legitimate company but the hyperlink is an address for an unrelated webpage, don’t click on it. If you really want to check the site out, copy the link into your browser and view it that way.
- Does the webpage you’ve been led to have “https” in the URL at the top of the page? The “s” at the end of “http” indicates that the website offers some level of security. If there is no “s”, don’t transact on that site.
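The sender-address, link and https checks from the list above can also be automated at the mail gateway or in a training exercise. The following is an added example, not code from the article or from Securicom; the known-domain list, the edit-distance threshold of 2, the function names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def edit_distance(a, b):
    # Levenshtein distance, used to catch "an extra letter or number" in a domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    # Collects the href of every <a> tag, i.e. what hovering over the link shows.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def check_message(sender, html_body, known_domains):
    """Return warnings for one message. known_domains is the recipient's own
    list of organisations they really deal with (an assumption of this example)."""
    warnings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    claimed = domain
    if domain not in known_domains:
        for known in known_domains:
            if edit_distance(domain, known) <= 2:
                warnings.append(f"sender domain '{domain}' imitates '{known}'")
                claimed = known
    collector = LinkCollector()
    collector.feed(html_body)
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            warnings.append(f"link is not https: {href}")
        if host != claimed and not host.endswith("." + claimed):
            warnings.append(f"link host '{host}' is unrelated to '{claimed}'")
    return warnings

# Constructed sample message (not a real sender or site).
SAMPLE_SENDER = "accounts@examp1e-bank.test"
SAMPLE_BODY = ('<p>Hi, your statement is ready. <a href="http://statements.invalid/login">'
               'Click here now</a> or visit <a href="https://www.example-bank.test/">our site</a>.</p>')
KNOWN = ["example-bank.test"]
```

Calling `check_message(SAMPLE_SENDER, SAMPLE_BODY, KNOWN)` returns three warnings: the look-alike sender domain, the non-https link, and the link whose host has nothing to do with the organisation the message claims to come from.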
While much of this might seem like common sense, people still get caught. Research suggests that 91% of successful cyber attacks are the result of a phishing scam.
Gerber says the best way for companies to test the vulnerability of their workforce is a phishing simulation test. Simulated phishing emails emulating real phishing messages are sent to end users, and their reaction to them is tracked and reported. Statistics like open rate (how many end users open the email) and compromise rate (how many users actually give up their details) are essential to find out just how vulnerable an organisation’s workforce is to phishing scams.
With uSecure – a new managed service offering from Securicom – cyber attacks can be simulated regularly to help identify the most at-risk users and learn how susceptible they are to ultra-targeted spear-phishing campaigns.
uSecure is a user-focused, cloud-based security training platform to help drive secure employee behaviour. The intelligent training platform identifies users’ individual cyber security knowledge gaps and then crafts personalised programmes that address their unique learning needs. Retention is measured and future training modules are deployed to fill knowledge gaps. Offered on a subscription basis, it is suitable and affordable for companies of all shapes and sizes.
Securicom is offering a complimentary Employee Risk Assessment (ERA) to companies to get them started. The ERA report identifies employees’ current risk level to internal and external threats through calculating reality-based metrics, including their current susceptibility to targeted phishing attacks as well as identifying data that is stolen or exposed on the dark web.