Phishing: The 'sophisticated' Snare

15 March 2017

Recent reporting on the Russian hacking group APT 28 (Advanced Persistent Threat 28) – also known in cyber security circles by a range of other names including “Sofacy,” “Strontium,” and “Fancy Bear” – highlights the fact that while the group’s technical expertise is “top level” the thing that distinguishes their work from other attackers is their use of intelligence. 

Drawing on human and open source intelligence, as well as their knowledge of human behaviour, the group has been able to execute highly-successful cyber-attacks, by focusing on social-engineering attack vectors like phishing. Through these campaigns they have acted against a large number of highly-sensitive military, political and diplomatic organisations.  

Attacks like these highlight the urgent need for organisations to recognise that when it comes to cyber warfare, technical expertise is only half the battle. The sophistication of a phishing attack lies not in its technical execution. It is more subtle than that. Rather, it is in convincing someone inside a target organisation to take the bait. Up-to-date technical security controls can be highly successful defending against standard, automated cyber-attacks. However skilled attackers have started to circumvent these defences by directly targeting the person in front of the monitor.

It is also worth stressing that because phishing attacks are not technically difficult to execute they are becoming much more common, with hacking groups increasingly aware that a little investment gathering intelligence on a target can make the most of an opportunistic attack. As a result, organisations who feel comfortable with cyber risk because they don’t think they are in anyone’s crosshairs are naïve at best, and, at worst, could be considered negligent.

With data breaches becoming more and more frequent and opportunistic hacking on the rise, resilient organisations will be those which recognise that human behaviour – which can be exploited by hackers to your detriment – is also your best defence:

Three tips to defend against a phishing campaign: 

Know your weaknesses

Where are you or your organisation vulnerable? Would your employees act without thinking if they thought they might be locked out of your systems? Would an attachment promising bonus figures be too tempting not to click? This may be where an antagonist targets a strategic attack. If an unexpected email seems to know too much about your business, your family or even your hobbies and interests additional caution is advised.

Ensure you are educated

Is your entire workforce educated on phishing attacks and the risks that they pose? Can they identify the signs of a cyber-attack? Are they encouraged to report suspicious behaviour?

Have a rapid response plan in place

If you are the victim of a phishing attack or another data breach, your response time can make all the difference. Don’t just have an idea on how you will respond – know exactly who will provide support and have concrete measures like an NDA in place so that you can move quickly and seamlessly to respond to the threat.

If you’re not prepared you are exposed. With fast-moving, opportunistic threats more present than ever, risks cannot be avoided, but pragmatism and preparation can make all the difference.

Receive our monthly newsletter

About the Author

Lily Kennett

Partner

Lily works closely with corporate leaders and prominent individuals to help them identify and address critical gaps in their knowledge.

+1 646 934 6219
Our 24 hour number
+1 646 934 6219
Legal information

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.


ATTORNEY ADVERTISING