Cyber-security and phishing
An increasing number of high-profile organisations have fallen victim to sophisticated cyber attacks as Matt Rhodes from Quiss Technology explains.
Contents |
[edit] Introduction
An increasing number of high-profile organisations have fallen victim to sophisticated cyber-attacks, such as WannaCry back in May 2017 and the more recent ‘Petya’ malware which formed the second major global ransomware attack in just two months.
It is believed that both attacks exploited vulnerabilities within operating systems, having seeded themselves through hijacked software and via phishing emails.
Despite the clear risks, it is reported that around one in ten individuals will still fall victim to a phishing attack, causing disruption to further organisations as a result.
[edit] Constructing a facade
Cyber criminals are well practised in the execution of sophisticated phishing attacks. Creating fake email addresses, criminals are able to impersonate familiar contacts in a credible-looking way, so that they are able to dupe their victim and bypass any security measures that are in place.
Oblivious to an attack, the recipient believes they recognise the email address and opens the email, which contains innocent-looking links. They are prompted to click links which direct them to a convincing, yet fake, website where sensitive information can be extracted.
The email may include toxic attachments containing malware or ransomware. If opened, the device becomes infected and grants criminals access to an organisation’s data.
Criminals continue to find new ways to exploit the weakest point in any system — the people that use it.
[edit] Phishing bait
Even when an email seems to have been sent by a known contact, determine:
[edit] The sender
Are you sure you recognise the sender? Is their email address legitimate or just similar to one you’ve seen before?
[edit] Subject
Does the subject line correspond to the body of the email? Does it look unusual? Is it poorly written? Any subject lines that seem out of the ordinary could be an indication of fraudulent or spam email so look out for spelling mistakes or an excessive use of punctuation.
[edit] Content
Be cautious if an email asks you to enter personal information, requests a reply or encourages you to visit a website.
[edit] Links
Links in emails can easily be disguised to look genuine but may take you to a malicious website, so think twice before you click.
[edit] Attachments
If there are any documents attached to the email, were you expecting it? Is the attachment mentioned in the email? Do you recognise the format? Only open attachments when necessary and do so with caution as they can easily transmit viruses.
Trends in attack methods change frequently so it would be foolish to assume you know what to expect. Anyone can be outwitted by a criminal so don’t get complacent; the outcome could be disastrous.
[edit] The odds are against you
Phishing is favoured by criminals as it has a high success rate whilst being low in risk, and:
- 10% of people targeted fall for a phishing attack.
- 23% will open the message.
- 11% click on attachments.
- 250% increase in the total number of phishing sites from October 2015 to March 2016.
- 91% of hacking attacks begin with a phishing or spear-phishing email.
- 55% increase of spear-phishing campaigns targeting employees.
[edit] Phishing for flaws
Replicating real attack methods, specialist service providers can identify weaknesses in company security systems and train its employees on how to protect themselves from falling victim to phishing emails.
Responses and actions taken are recorded to reveal who opened the emails, clicked links or downloaded attachments, etc.
An email is sent to anyone who interacts incorrectly with the ‘phishing’ email, making them aware of their error and reminding them to be more vigilant in the future. Weaknesses are revealed in a report, enabling businesses to concentrate training where it’s needed most.
Initial failure rates of around 33% will fall to approximately 5%. Unfortunately, a 0% rate is unlikely to ever be achieved as we are dealing with humans.
[edit] Conclusion
Introducing more technology is unlikely to help reduce the risks posed by a phishing attack. The only reliable solution for any organisation is to regularly test defences and to work on changing its security culture.
Targeting employees with ‘fake’ phishing attacks is an effective way to reveal weak links and help resolve them, but businesses should act fast — it’s only a matter of time before the real criminals show up.
This article was originally published here in AT Journal edition 124. It was written by Matt Rhodes, Quiss Technology.
Matt’s primary role is to expand the hosted solutions division of Quiss Technology and to liaise with software vendors to help them develop their Software as a Service (SaaS) offering. He is a regular commentator on industry topics, covering subjects as diverse as cyber security, hybrid cloud solutions, new technology and the Code of Connection (CoCo).
--CIAT
[edit] Related articles on Designing Buildings
- Articles by CIAT on Designing Buildings Wiki.
- Cyber hygiene.
- Cyber resilience.
- Cyber security and engineering.
- Cyber threats to building automation and control systems.
- Digital communications and infrastructure dependencies.
- Engineering resilience to human threats.
- Infrastructure and cyber attacks.
- Information and communications technology in construction.
- Mitigating online risk.
- Protecting against online crime.
- Security and the built environment.
- UK organisations encouraged to review cyber security in response to situation in and around Ukraine.
Featured articles and news
Boiler Upgrade Scheme and certifications consultation
Summary of government consultation which closes 11 June 2025.
Deputy editor of AT, Tim Fraser, discusses the newly formed society with its current chair, Chris Halligan MCIAT.
Barratt Lo-E passivhaus standard homes planned enmasse
With an initial 728 Lo-E homes across two sites and many more planned for the future.
Government urged to uphold Warm Homes commitment
ECA and industry bodies write to Government concerning its 13.2 billion Warm Homes manifesto commitment.
Places of Worship in Britain and Ireland, 1929-1990. Book review.
The emancipation of women in art.
CIOB Construction Manager of the Year 2025
Just one of the winners at the CIOB Awards 2025.
Call for independent National Grenfell oversight mechanism
MHCLG share findings of Building Safety Inquiry in letter to Secretary of State and Minister for Building Safety.
The Architectural Technology Awards
AT Awards now open for this the sixth decade of CIAT.
50th Golden anniversary ECA Edmundson awards
Deadline for submissions Friday 30 May 2025.
The benefits of precast, off-site foundation systems
Top ten benefits of this notable innovation.
Encouraging individuals to take action saving water at home, work, and in their communities.
Takes a community to support mental health and wellbeing
The why of becoming a Mental Health Instructor explained.
Mental health awareness week 13-18 May
The theme is communities, they can provide a sense of belonging, safety, support in hard times, and a sense purpose.
Mental health support on the rise but workers still struggling
CIOB Understanding Mental Health in the Built Environment 2025 shows.
Design and construction material libraries
Material, sample, product or detail libraries a key component of any architectural design practice.
Construction Products Reform Green Paper and Consultation
Still time to respond as consultation closes on 21 May 2025.
Resilient façade systems for smog reduction in Shanghai
A technical approach using computer simulation and analysis of solar radiation, wind patterns, and ventilation.