Phishing requires proactive prevention
Finance professionals rely mainly on firewalls
Two notable publications appeared recently. First, the Anti-Phishing Working Group (APWG) published its figures for the first half of 2021. They included record numbers of recorded phishing attempts in January and June, with the June figure topping a quarter of a million incidents worldwide. The second publication detailed the findings of a security awareness survey of finance professionals by AG Connect and Financieel Management. The report's central conclusion was that there is room for improvement.
Let's start with the APWG report. Its standout finding, that recorded phishing attempts have been at record levels this year, is noteworthy for two reasons. First, because the year's starting point was already high: following the first lockdown, the incident rate was double that seen in 2019, as highlighted in the APWG's report on 2020. Second, because, as malicious site detection systems improve, the average uptime of a phishing site is getting shorter all the time. The scammers are apparently undeterred. On the contrary, they seem to be compensating for faster takedowns by putting up more fraudulent sites.
For professionals working in finance, the APWG report should serve as a wake-up call. Not only is the financial services sector the most popular target, but the incidence of CEO fraud within the sector is also rising rapidly. In 2020, 22 per cent of phishing attempts were aimed at the sector, but in the first half of 2021 the figure was 29 per cent, according to the APWG. And that figure doesn't even include attempted cryptocurrency hijacks, which are also up sharply.
Against that backdrop, it's interesting to learn about the levels of risk awareness and preparedness amongst finance professionals. AG Connect and Financieel Management surveyed two hundred people working in the sector. Most were aware of the risks, but relied largely on passive, technical defences, such as firewalls, for protection. Proactive measures, such as reporting phishing attempts and running awareness campaigns, were significantly less popular. Yet people are often the weakest link in the prevention chain, and a firewall does nothing to stop a convincing e-mail from reaching an employee's inbox. Surveyed professionals confirmed that picture, with only half declaring themselves satisfied with security awareness within their organisations.
On the technical side, there is also room for improvement. Only a minority of surveyed businesses (41 per cent) used the open internet standards for e-mail sender verification, such as DKIM and DMARC, for example. That's a great shame, because such standards are very effective against threats such as mail spoofing: a receiving server can reject a message that claims to come from your domain but was not sent by your authorised mail servers. The survey findings shed no light on the use of domain name monitoring.
SIDN recommends prioritising the implementation of the DMARC, DKIM and DANE e-mail security standards. On our website, you'll find a useful checklist and practical guides on implementing the standards in two of the most popular mail server software packages, Exim and Postfix.
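The first thing to check before (or after) following such a guide is what your domain currently publishes. The script below is an added example, not part of the original article or of SIDN's guides: it parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable (no record at all, an SPF record that does not end in `-all`, a DMARC policy of `p=none`, a partial `pct=`, or no reporting address). The domains and records are constructed for the example; the `lookup_txt` function is a hypothetical stand-in for a real DNS query. DKIM and DANE are not checked here, since validating them needs the signing key and the server certificate.

```python
"""Inspect SPF and DMARC records for settings that leave a domain spoofable."""
from typing import Dict, List, Optional

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.org": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    "example.com": ["v=spf1 ip4:192.0.2.0/24 mx -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
    ],
    "example.net": ["some unrelated txt record"],
}

# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name: str) -> List[str]:
    """Hypothetical stand-in for a DNS TXT query; returns the constructed records."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into (qualifier, term) pairs and note the final 'all'."""
    mechanisms = []
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"  # the implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str) -> List[str]:
    """Return a list of findings; an empty list means SPF and DMARC look enforcing."""
    findings: List[str] = []

    spf_records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF: no record, any host may claim to send for this domain")
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] != "-":
            ending = "has no 'all' term" if spf["all"] is None else f"ends with '{spf['all']}all'"
            findings.append(f"SPF: record {ending}, unauthorised senders are not hard-failed")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} lookup terms exceed the limit of 10, record evaluates to permerror")

    dmarc_records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append("DMARC: no record, receivers will neither enforce nor report")
    else:
        tags = parse_dmarc(dmarc_records[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        if not name.startswith("_dmarc."):
            print(name, assess(name) or ["ok"])
```

Running it shows the constructed `example.com` passing cleanly, `example.org` flagged for its soft-fail SPF and monitor-only DMARC, and `example.net` flagged for having neither record. In practice, replace `lookup_txt` with a real resolver call and run the check against every domain you send mail from, including ones that never send mail, which should publish `v=spf1 -all` and `p=reject` so they cannot be borrowed for spoofing.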