We all know what bank robbers and burglars do. Understanding their common tools and techniques helps us to design appropriate defence mechanisms. Cyber crime is no different. Recognising the different tricks of the trade empowers us to implement the cyber equivalent of locking the door or fitting an alarm.
How many of the following 8 common tactics employed by cyber criminals have you heard of?
Phishing
An attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication, typically an e-mail. Often, these e-mails contain links to bogus websites, or attachments which unleash viruses onto your systems if opened.
Phishing has some close and equally unsavoury relatives:
- Smishing – using SMS (text messages) as the means to fool you into parting with valuable information or clicking on malicious content.
- Twishing – using Twitter as the medium to defraud you.
Vishing
A form of Phishing, but using voice rather than written electronic communication. Criminals use social engineering over the telephone to gain access to valuable personal data, for example pretending to be from your bank in order to trick you into transferring money.
Spearing / Whaling
These are derivatives of Phishing and Phishing’s relatives. Using the angling analogy, Phishing tends to be the equivalent of trawling rather than line fishing. The criminals cast a large net and see what turns up in the catch. They target quantity over quality.
Spearing is a more focussed campaign, targeting specific individuals or organisations. Whaling is so-named because it targets senior executives – a deliberate attempt to snare the big fish. These tactics aim for reward through the quality rather than the quantity of victims.
Spoofing
The creation of e-mail messages with a forged sender address. In many cases the machine actually sending the e-mail belongs to an innocent third party infected by malware, which sends the messages without the owner’s knowledge.
Spoofing can be used to enhance the effectiveness of Spear Phishing. E-mails may appear to be from someone you know and trust. As a target, you become more likely to click on a bogus link or open an apparently innocuous (but in reality, malicious) attachment.
Pharming
A cyber attack intended to direct users to a fake website. It often starts with you opening a link from a Phishing e-mail; you may then be lulled into entering data such as credit card details into a website which looks legitimate but is in fact an imitation of the real thing.
Sniffing
The process of intercepting and logging traffic over a digital network. An example would be hackers sitting in a coffee shop, monitoring and capturing the data passing over the public wireless network from people using their smartphones. Whenever possible, avoid the use of public wifi networks to limit your exposure.
DDoS
Distributed Denial of Service – an attempt to make a machine, network or website unavailable to intended users. Typically this is done by flooding a system with so much traffic that it becomes overloaded.
Ransomware
Ransomware is malware which cyber criminals use to deny you access to your systems. They demand a payment in return for removing the malicious software. A well known example is Cryptolocker which encrypts your files, making them unreadable. Ransomware can find routes into your systems through techniques such as rogue attachments within Phishing e-mails.
Practical steps to protect yourself
There are two principal approaches to help defend your business:
- Human defences
- Technical defences
Human defences should start from the top. Ensure your directors and board members are trained on the business risks of cyber security and that you have a strategy to improve and maintain your resilience. In parallel, ensure all your staff also have regular training, including building it into your induction process.
Understanding and investing in your technical defences should form a key part of your cyber security strategy. There are schemes to help businesses do this, including the government backed ‘Cyber Essentials’. This helps organisations achieve a solid level of protection, which not only defends your company but can also be used to demonstrate your robustness to potential customers.