As companies take more of their business processes online, and as individuals increasingly adopt e-commerce, phishing has emerged as one of the leading cyber threats in Kenya.
During the July-September period of last year, Communication Authority of Kenya data showed there was a rise in financial phishing targeted at e-commerce and e-payment platforms where cyber criminals sent fake alerts from financial institutions and e-payment systems for purposes of obtaining unsuspecting victims’ credentials and data.
How do companies tackle this potentially very costly threat?
Local experts say humans are the weakest link that cybercriminals regularly exploit to launch attacks.
The onus, they say, is therefore on individuals and companies to regularly train their staff to identify the seemingly harmless lurking threats.
Winnie Sergon, head of the IT department at Boresha Sacco, says human errors that lead to phishing attacks are common because people can only guard against the threats they already know about.
“If ‘James,’ a user tells you he got married in 2008, definitely the password is James2008. If he got his firstborn in 2012, his commonly used password will oscillate around the same," says Ms Sergon.
She adds that one way to combat this is by adding ‘speed bumps’, such as multifactor authentication and external-email warnings, to slow employees down.
While at first glance it might seem illogical, she says taking a few more seconds than normal to do a task could protect the company from losing data, customers, and money.
To avoid falling victim to phishing attacks that exploit human error, employees need to understand the risks of opening email attachments or clicking on links from unfamiliar sources, since these can lead to malware or virus infection.
“A big component of protecting against phishing is employee training. Most security training delivered in the enterprise today is either a yearly event or held at employee orientation. If the training is given online the employees rapidly click through the content, ignoring most of the information. If actually given in person, the training is usually a deck of PowerPoint slides in small font narrated by an uninterested speaker for an hour. The enterprise really needs an effective Training, Education, and Awareness (TEA) programme for security,” says Ms Sergon.
It’s not surprising that phishing attacks target IT departments and professionals.
“In any organisation, the only admin password that can connect the other users to the system is the admin password which mostly is the ICT guy,” she says.
Ruth Mutua, a network engineer at Cop-Bank says businesses should be on the lookout for new types of phishing attacks so as to keep their data secure.
She identifies common types of phishing attacks against businesses, including:
Company impersonation: This is one of the most common forms of phishing, where attackers impersonate a brand by sending email from a domain that closely resembles the target company's own.
It is also a difficult attack for companies to look out for, since it is hard to detect until a staff member falls for it or raises the alarm.
Spear phishing: This scheme keys on details about the target. Ordinary phishing messages usually appear to come from a large and well-known company or website with a broad user base.
In the case of spear phishing, however, the source of the email is likely to be an individual within the recipient’s own company, generally, someone in a position of authority or someone the target knows personally.
Phishing e-mails: The scammer uses an email address that resembles a legitimate email address, person, or company.
The email will include a request to click a link, change a password, send a payment, respond with sensitive information, or open a file attachment.
Phone or voice phishing: Using Voice over Internet Protocol (VoIP) technology, scammers, again, impersonate companies.
This technique also employs other types of phishing including using personal details about targets and impersonating individuals of the company in order to get a higher take on the overall scam.
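As an added illustration (not from the article or its quoted experts), a small Python check that applies two of the patterns above, lookalike domains and borrowed executive names, to an email From: header; the domains, names and addresses it uses are constructed samples.

```python
"""Added example (not from the article): flag lookalike sender domains and borrowed
executive display names in a From: header. Domains and names are constructed."""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-sacco.co.ke"}  # domains the firm really sends from (constructed)
EXECUTIVES = {"jane wanjiru": "jane.wanjiru@example-sacco.co.ke"}  # real addresses (constructed)
# Character swaps that make a fake domain look like the real one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain):
    """Undo common look-alike substitutions before comparing domains."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None  # genuine corporate sender
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, trusted) <= 2:  # homoglyph swap or typosquat
            return trusted
    return None


def check_from(header):
    """Return findings for one From: header value (empty list = nothing odd)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2]
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike domain {domain} imitates {target}")
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' paired with foreign address {addr}")
    return findings
```

A mail gateway or a simple inbox rule can run this on every inbound message and route any hit to a quarantine folder for review rather than to the employee.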
So, how do companies fall victim to phishing attacks and how can they prevent them?
The one mistake companies make that leaves them vulnerable to phishing attacks, Ms Mutua says, is not having the right tools in place and failing to train employees on their role in information security.
“If the ICT team in your organisation is treated as clerical staff, your company is under siege. ICT personnel are the only people other than the Managing Director or the Chief Executive Officer who have the 360-degree dimension view of the organisation. They can change the system parameters and understand how and why all the other departments contribute to the performance and how it can be accelerated even further,” says Ms Mutua.
Aside from conducting regular employee training, companies should also keep a pulse on current phishing strategies and confirm that their security policies and solutions can eliminate threats as they evolve.
“Educate your employees and conduct training sessions with mock phishing scenarios, deploy a SPAM filter that detects viruses and blank senders, and keep all systems current with the latest security patches and updates.
“Convert HTML email into text-only email messages or disable HTML email messages, develop a security policy that includes but isn't limited to password expiration and complexity, deploy a web filter to block malicious websites, and encrypt all sensitive company information,” she says.