Phishing—It’s More Personal Than Ever!

By: Renée Lahti, Chief Information Officer

It’s Cybersecurity Awareness Month and I’m inspired to talk about the rising power of data and specifically new challenges and threats that we are all facing as a result. At last month’s NEXT conference, we described these as the “lights” and “shadows.” The “lights” give us opportunities for growth but the “shadows” lurk, presenting new threats such as cyberattacks, and security and data breaches.

For this very reason, cybersecurity continues to be top of mind—for me, my CISO Chris Jacquet, our COO, our CEO, our CFO and our Board Members—and it should be for you too, whatever your occupation. According to a Clark School study at the University of Maryland, a hacker attack occurs every 39 seconds. No wonder it seems that cybersecurity threats are becoming like a game of whack-a-mole and the more cyberthreats we whack, the more creative “the bad guys” become and the farther they stay ahead of the good guys. This is just a game for them, with some type of reward: financial, notoriety, or just bragging rights on the dark web.

Take phishing, for example. Phishing is a method of trying to gather sensitive personal or company information. Traditionally, phishing was executed using deceptive emails and websites. Initially effective, these attacks became less so over time, thanks in part to anti-phishing methods, tools, protocols and—most impactful—awareness training.

In other words, the good guys stepped up their game. But, as I mentioned above, the perpetrators are persistent and in response they quickly evolved their skills and tactics. Specifically, they learned to be much more specific and targeted while shifting their focus beyond email and the web to new media such as mobile applications, SMS and other social platforms.

But that’s just the beginning.

According to new FBI reports, cybercriminals have begun to contact potential fraud victims directly via telephone under false pretenses. Their goal? To obtain personal and confidential information such as names, email addresses, phone numbers and more. That’s right, they are calling YOU directly in an effort to increase the effectiveness of business email compromise (BEC) or personal compromise activity. They also robocall people, saying there is a critical situation with unpaid taxes. Again, the goal is to gain personal and confidential data.

Most likely you’ve already received a phishing call while you were in your office. In many cases the caller impersonates one of your customers and is looking to obtain sensitive and confidential information, such as employee names and their nonpublic contact information. With these details, the attackers can bypass established protocols that were implemented to flag suspicious electronic communication and were intended to stop them in their tracks. Armed with these very specific details, attackers then compose more sophisticated, personalized malicious emails to these employees, many of whom fall victim to BEC activities.

At Hitachi Vantara we launched a fake phishing campaign that included six tests for employees. These tests involved sending “fake malicious” phishing emails to see how our employees reacted. Would they be tricked and possibly open harmful files? I’m happy to report that most did not. But, like all companies, some were tricked. As part of our test, these individuals were directed to an educational site where they learned this was a fake phishing test. The site then provided tips to avoid future traps. The results of such immediate education were instant. Our statistics on employees getting phished improved each time we sent out a fake phishing campaign.

In addition to this phishing effort, 18 months ago we installed more safeguards into our email system including software and hardware designed to protect users from the malicious effects of clicking on a suspicious link. We also took full advantage of various tools provided during Cybersecurity Awareness Month in 2017 and we continue to run cybersecurity awareness training, all with the goal of helping our employees become more cyberthreat-savvy.

Preventing, detecting and mitigating security threats for Hitachi Vantara and our customers is mission critical and, like the game of whack-a-mole, you must always be on your guard for the next one that pops up.
