The Treacherous Waters of Phishing

Drifting in Digital Tides

According to the Luxembourg House of Cybersecurity (LHC)[1], the primary danger concealed by the digital waves is phishing. Cunning pirates on the cyber seas weave intricate nets, baiting unsuspecting victims into their trap, to obtain sensitive information or compromising accounts, systems, and/or other personal or organizational Information Technology resources. This serves as the initial foothold that cyber attackers exploit to initiate a cascade of various other assaults.

The term “phishing” was first recorded in the annals of hacker lore^[2] in the nineties but may have been used earlier in the hacker magazine 2600^[3]. The first phishing email may have surfaced around the year 1995^[4].

Then came the storm – Covid-19. According to virtual private network provider Atlas VPN, active websites used for phishing bristled with a 350% surge between January and March, coinciding with the pandemic’s uprising. California-based Barracuda Networks revealed a staggering 667% spike in phishing emails all within February’s short span^[5]. Phishing lures thrived in the pandemic’s shadows, disguising themselves with Covid references, deceitful apps, and other malware variations^[6].

The tempest may have receded, but the waters remain treacherous. Phishing, now a flagship of cyber threats, mostly affects emails. But attackers have broader horizons – extending their reaches to SMS, social media, and other communication platforms such as WhatsApp. Unsuspecting individuals are the first targets, with their email addresses becoming the primary conduit for cyber breaches.

Phishing’s Siege on Financial Bastions

Charting the Digital Deception

“Today, the assessment that a major cyberattack poses a threat to financial stability is axiomatic— not a question of if, but when.” International Monetary Fund^[7]

Navigating the treacherous cyber seas, the financial sector often finds itself at the mercy of digital pirates, largely driven by its inherent value and vulnerabilities and enticed by the daily high-value transactions managed by the sector.

Moreover, their favored target happens to store sensitive customer data, easily traded if compromised or used to plot further attacks.  Interconnected digital systems, although ensuring seamless operations, also provide numerous openings for attackers, magnifying these lurking risks.

“Phishing” has indeed emerged as a significant threat to all financial institutions, including banks, investment firms, and insurance providers. A 2018 report by PhishLabs noted that the financial sector was their preferred hunting ground even before the pandemic, accounting for 41% of all their relentless attacks^[8].

Around the turn of 2019^[9] attackers came to refine their strategy. Rather than merely casting wide nets for the unsuspecting, they set their spyglasses on larger vessels – large corporate entities. Accountants and bank employees therefore became the prime catch, a mean not only to plunder individual accounts but to breach the very infrastructure and the payment systems. These ambushes cunningly use social engineering tactics^[10], tricking users into revealing login credentials and other sensitive information.

A direct assault on the fortified bulwarks of a bank’s IT defenses remains unlikely, as pirates prefer the art of deception to first gain a foothold in their target. Their favorite ruse, phishing, often serves as the first step in a multi-stage attack. The aim is to lure an individual into taking an action, such as clicking a link, downloading an attachment, or surrendering sensitive information. This misstep, once taken, leads to more intrusive and damaging cyberattacks.

Furthermore, the virtual workforce, relying on unprotected personal devices and unsecured home networks, unwittingly beckons cyber attackers.

 

Preparing the Sirens’ Song

Anchoring Fake Domains

Like crafty pirates mapping their course to hidden treasure, cyber attackers meticulously chart their attacks. They hoist domain names that mimic those of companies closely linked to their targets, making the phishing emails they send appear genuine.

A proactive defense strategy involves scanning the horizon for newly registered domain names – searching for tell-tale signs or keywords – then monitoring for their flags within incoming email traffic.

Navigating Through DNS Hijacking

In the murky depths of the internet, DNS hijacking is an insidious form of attack where the DNS queries are manipulated to divert unsuspecting users into dangerous waters filled with harmful websites.

The attackers may deploy malware on individual computers, seize control of routers, or tamper with DNS communications to achieve this. This tactic serves various nefarious purposes – from phishing scams and counterfeit websites to outright data and identity theft.

Reports from the LHC, the Luxembourg National Cybersecurity Competence Center[11] (NC3) and the Computer Incident Response Center Luxembourg[12] (CIRCL) indicate a rising tide of such hijacking incidents in 2021^[13].

Watering Hole Techniques: The Pirate’s Cove

This technique is notable for its tactical finesse. Attackers lace popular websites with hidden exploit codes, lying in wait for their prey. Timing is key – attack activities often peak during lunch hours when employees are likely browsing, or late afternoon when their guard may be down.

Spear Phishing: Targeted Cannon Fire

Unlike aimless cannon volleys across the cyber sea, spear phishing is targeted and precise. Attackers often go to great lengths to study their victims, crafting even more convincing scam emails. Variants like CEO Fraud are the broadsides of this world, where the attacker masquerades as a top executive to issue deceptive orders for urgent financial transactions. There are also voice-based (Vishing) and text-based (Smishing) variations, where the attackers pose as authoritative figures over phone calls or text messages to elicit sensitive information.

Clone Phishing: Ghost Ships

In this tactic, attackers repurpose a legitimate email that a user has previously received. They swap out its content or attachments to include malicious elements – attachments or links – and resend it from a falsified email address, hoping to pass unnoticed clothed in familiarity.

Other actors in the financial sector are vulnerable. According to a Black Kite report, insurance carriers could easily run aground, susceptible to phishing attacks. A staggering 82% of top insurance carriers are at risk of phishing attacks. Supply chain attacks often originate from software vendors, responsible for one-quarter of all attacks through third-party channels in 2021^[14].

Battening Down the Hatches

Steering towards Cybersecurity Maturity

Enter the post-COVID era, where cybercrime syndicates have become the scourge of the underworld. No longer lone pirates, these groups have turned cyber assaults into a thriving black-market trade, outfitted with an arsenal of financial weapons of plunder. This is not a skirmish with rogue hackers but a full-fledged strategic contest of organized crime. The call for financial institutions is clear: adopt robust, adaptive, and forward-thinking cybersecurity strategies.

According to the guidance of the National Institute of Standards and Technology (NIST), there are four cybersecurity maturity levels to guide companies.

 

• Leadership accountability: Company board members must chart the course for safe navigation. They ought to review their company’s strategy on a regular basis and delve into the nitty-gritty: budgets, roles, and tactical advances in fortifying their cybersecurity.
• Crew cohesion: A company runs best when responsibilities are shared. A hybrid command, blending a centralized approach with execution capabilities at business unit or region levels, is more strategic.
• Multi-layered defenses: In this ever-shifting seascape, companies need to be versatile and deploy at least two distinct lines of defense (front-line unit security and organization-wide cyber risk management).
• Insurance as a lifeboat: Companies should keep a well-stocked cybersecurity insurance ready to deploy for the worst-case scenarios, under the constant threat of digital piracy.

Organizational Solutions to Phishing Prevention

Employees are the heart of the ship but keelhauling them with a “blame and shame” approach will likely ruin morale. Instead, better ways to defend the company against cyber-attacks abound. Here’s a non-exhaustive list of countermeasures:

• Employee education, awareness campaign, and training: Regular drills on spotting phishing emails and treacherous URLs keep everyone alert. Communication on emerging cyber threats should also be a constant.
• Financial transaction protocol: Any transfer initiated by email should go through a two-man rule – a verbal or authenticated confirmation.
• Financial transactions tracking: Complement the regular AML/KYC compasses with increased vigilance for unusual patterns or amounts, which might indicate a successful phishing attempt.
• Designated devices: For high-value transactions or sensitive tasks, use devices or secured platforms far removed from general web browsing or email to minimize exposure.
• Email filtering and inspections: Employ advanced nets that sieve through emails for malicious links, attachments, and common phishing indicators.
• Multi-Factor Authentication (MFA): If an intruder does manage to swing aboard, MFA adds an additional layer of security by requiring another form of verification.
• Regular software updates: Keep your email software and other critical systems up to date against the latest pirate weaponry.
• Threats alerts: Install anti-phishing toolbars that serve as vigilant lookouts, flagging any suspicious phishing sites for employees.
• DMARC, DKIM, and SPF: Implement Domain-based Message Authentication^[16], Reporting and Conformance (DMARC), DomainKeys Identified Mail^[17] (DKIM), and Sender Policy Framework^[18] (SPF) to prevent sender address forgery and validate email authenticity.
• Incident response plan: As part of the Disaster Recovery and Business Continuity Plan, a fast-response unit should already be drilled and prepared when a phishing attack is successful, to contain/mitigate the threat and cut losses.
• Regular backups: Consistently back up data to restore systems from a potential ransomware situation, without paying tribute.
• Quarantine deck: Only allow approved/whitelisted applications to run, preventing malicious software from executing.
• Segmentation of networks: Ensure sensitive information is segmented from the broader network, to confound any attackers who make it aboard.
• Security software deployment: Fortify the decks with a combination of firewalls, anti-virus, anti-malware, and intrusion detection/prevention systems to guard against various cyber threats.

The Crucial Helm and The Lighthouse Ahead

As we have sailed through the dangerous seas of phishing and cyber threats, one truth emerges: In the financial sector, the onus of securing the ship cannot rest solely on the shoulders of the staff. Given the financial services’ role in the global economy, the responsibility is a shared endeavor involving not just institutions but also regulators, suppliers, and clients.

Cybersecurity can’t be an afterthought for actors such as banking, insurance, and investment firms managing assets that form the bedrock of individual wealth and global financial stability. The strategy must be proactive and embedded in the very framework of daily operations. A lapse in cybersecurity isn’t merely a loss for the targeted institution; it ripples through economies, affecting trust and economic stability.

Compliance should be looked at not as a checklist but as a living strategy that evolves to outsmart malicious actors; for this reason, regulators must provide dynamic guidelines that adapt to evolving cyber threats, allowing for real-time response and protection. Suppliers and clients too, have a part to play in this collective journey. The first line of defense often starts at the user level – meaning that education and vigilance are as essential as any high-end cybersecurity software. Individuals must take it upon themselves to be well-informed, capable of spotting a scam’s tell-tale signs and navigating away from danger.

Financial institutions must lead the charge, but they can’t sail this ship alone. Staying one step ahead of the ever-adapting cyber threats requires an all-encompassing, forward-looking strategy. Through united efforts from all parties – organizations, regulatory bodies, and individual users – we can hope not just to weather the storms but also chart safer, more secure courses toward a horizon of global financial stability and security.

 

 

 

Featured image source : Midjourney

 

[1] Official website: https://lhc.lu

^[2] “AOL Underground – Interviews with hackers and staff of America Online (AOL), covering the 90’s/Early 2000’s” By Steve Stonebraker (last accessed: 31 August 2023) https://podcasters.spotify.com/pod/show/aolunderground/episodes/Da-Chronic–Creator-of-AOHell-and-Automated-Phishing-e1ic74b/a-a7tfsc3

^[3] “The Phishing Guide (Part 1) – Understanding and Preventing Phishing Attacks”, by Gunter Ollmann (last accessed: 31 August 2023) http://www.technicalinfo.net/papers/Phishing.html

^[4] “The History of Phishing Attacks”, CoDefense (last accessed: 31 August 2023) https://cofense.com/knowledge-center/history-of-phishing

^[5] “Email, text message attacks surge during COVID-19 crisis” by Thomas Daigle for CBC (last accessed: 31 August 2023) https://www.cbc.ca/news/science/phishing-messages-surge-coronavirus-1.5513315

^[6] “DoppelPaymer: The latest ransomware innovation is all about distribution”, by David Strom (last accessed: 31 August 2023) https://blog.avast.com/doppelpaymer-ransomware-resurgence-avast

^[7] “The Global Cyber Threat”, by Tim Maurer and Arthur Nelson (last accessed: 31 August 2023) https://www.imf.org/external/pubs/ft/fandd/2021/03/global-cyber-threat-to-financial-systems-maurer.htm

^[8] “Phishing Attacks Target The Financial Industry”, RB Advisory (last accessed: 31 August 2023) https://www.rbadvisoryllc.com/phishing-attacks-target-the-financial-industry

^[9] “Banks Under Attack : Tactics and Techniques Used to Target Financial Organizations”, by Trendmicro (last accessed: 31 August 2023) https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/banks-under-attack-tactics-and-techniques-used-to-target-financial-organizations

^[10] Social engineering tactics refer to manipulative techniques that trick individuals into divulging confidential information or performing specific actions, usually by exploiting human psychology rather than technical vulnerabilities. For more information: “Existential Angst in the Cyber Realms”, by Oriane Kaesmann https://www.linkedin.com/pulse/existential-angst-cyber-realms-oriane-kaesmann

[11] Official website: https://nc3.lu/#:~:text=National%20Cybersecurity%20Competence%20Center%20Luxembourg%20-%20nc3.lu%20The,strategic%20autonomy%20of%20the%20European%20Union.%20OUR%20MISSION

[12] Official website: https://www.circl.lu

^[13] Cybersecurity Threat Landscape Luxembourg, by Cybersecurity.lu (last accessed: 31 August 2023): https://api.cybersecurity.lu/public/get_public_document/RAPPORT%20CTL_pages.pdf

^[14] “New Data Finds Phishing Attacks Could Impact 82% of the Largest Insurance Carriers”, by Business Wire (last accessed: 31 August 2023): https://www.businesswire.com/news/home/20220405005306/en/New-Data-Finds-Phishing-Attacks-Could-Impact-82-of-the-Largest-Insurance-Carriers

^[15] “The state of cybersecurity at financial institutions”, Deloitte Insights (last accessed: 31 August 2023): https://www2.deloitte.com/us/en/insights/industry/financial-services/state-of-cybersecurity-at-financial-institutions.html

^[16] For more information: https://dmarc.org

^[17] For more information: https://www.techtarget.com/searchsecurity/definition/DomainKeys-Identified-Mail-DKIM

^[18] For more information: http://www.open-spf.org/Introduction