At The European Information Security Summit (TEISS) 2018, Lesley Marjoribanks, head of ethical phishing at Royal Bank of Scotland, reflected on the key phishing trends observed over the last year and what they mean for phishing risk in the year ahead.
The first notable phishing pattern of last year was high-impact ransomware, Marjoribanks said, with attacks like WannaCry and NotPetya making mainstream news. “What we will see going into 2018 is attackers really going after the end-user to have the most impact, so you’re talking about hospitals, air traffic control” etc. The big news for ransomware is that it’s not going anywhere, she added; it’s going to get slicker and “we will see ransomware delivered by ‘smishing’ in the very near future.”
Another pattern is that of changing subject matter, she continued, explaining that successful phishing relies on current, timely subject matters to catch the target's attention. “For the last couple of years they [phishing subjects] were fairly innocuous (invoice attached, DHL delivery) but in the last quarter of last year we saw a real influx of more ‘grisly’ subject matters.”
Marjoribanks then referred to the trend of distraction and its emerging use in phishing techniques. “I guarantee that at some point this year there will be a large-scale ransomware attack on our bank that will act as a distraction” to the SOC, she said, with another attack coming in through the back door.
Next was what Marjoribanks called ‘long-term phishing’, which describes the time and effort fraudsters go to in gathering as much information on a target as possible to maximize their attack. “Phishing is going to explode in this way,” she warned, “and we’ve already seen phishing cases that have had a lapse time of four months.”
LinkedIn is also something that is causing companies problems when it comes to phishing, Marjoribanks added, as “if there’s a rich stream of information out there – such as LinkedIn – you can bet that’s the first place fraudsters will go to mine information.”
Lastly is the growth of mobile malware in phishing attacks, something that Marjoribanks warned was likely to explode with more and more businesses offering mobile services to their customers. “It’s almost like a disaster waiting to happen, and fraudsters are clever, clever people; they always surprise us.”
To conclude, Marjoribanks said that for best phishing defense, a layered security approach is imperative and must include:
- Awareness and education
- Gateways
- Secure internal processes: 2FA, patching and social media guidelines
- Anti-malware software