F5 Networks warns phishing season is open
Seasonal rise in phishing attacks predicted
Phishing attacks against consumers are expected to rise drastically, as more people go online for Christmas and other festive shopping, according to F5 Networks.
The company says that 2019 could be a record year for phishing, and warns that consumers have become too comfortable sharing information online that could be used by hackers.
According to the F5 Security Operations Centre (SOC), fraud incidents for customers jump by 50% over the annual average in October, November, and December. The Anti-Phishing Working Group (APWG) indicates that global phishing incidents have risen a staggering 5,753% over the past 12 years, and phishing accounts for three-quarters of all websites taken offline by the F5 SOC in the past three years.
Salesforce predicts the 2018 holiday season ecommerce revenue will increase 13% on last year, and for the first time ever, more purchases will be made with mobile phones (68%) than any other device, increasing the potential attack surfaces.
Ralf Sydekum, Technical Manager, F5 Networks, commented: "Black Friday is on the horizon and excitement is building for the holidays ahead. Unfortunately, it is also a time when individuals frequently and carelessly relinquish credentials online or inadvertently install malware... we're on the cusp of a cyber-crimewave where fraudsters take advantage of people at their most distracted. This year, more than any other on record, phishing in all its incarnations is expected to hit unprepared retailers and individuals hard.
"Over time, we've become too comfortable sharing valuable information online and giving hackers a clear window into our lives. Don't let your personal data be the gift that keeps on giving this holiday season. Stay smart, stay safe, and don't swallow the bait!"
F5 Networks is recommending that users follow some simple tips to reduce the risk of falling for a phishing attack:
Take care before you share. It is easy to let your guard down when you're self-promoting or updating followers with engagement-stoking details. Even seemingly innocuous information can be weaponised by persistent hackers. Individuals need to be wary, alert and responsible. Organisations, on the other hand, must run robust, continually evolving awareness-raising programmes to ensure all employees embrace a culture of appropriate social sharing. They should also double check the essential nature of business-related web content on third-party properties, such as online directories and partner websites.
Think before you click. Treat any link with suspicion, particularly if you're unsure of its origin. Hover over hyperlinks to view the destination URLs because sneaky spear phishers will often hide their URLs in email body text or via online forms that appear credible.
Sound phishy? It probably is. Spear phishing has been honed to a fine art, including the incorporation of an impressive array of personal and circumstantial details to crank up the realism factor. Question everything and try to establish sender veracity before doing anything. Canny cybercriminals often use high-ranking figures within an organisation to accelerate carefree actions, such as sending sensitive details via email.
Interrogate email headers. Attackers frequently send email inquiries to gather IP addresses, determine mail server software, and ascertain email traffic flow. Do not let this happen. Check all email headers before opening content from unknown sources.
Adapt or die. There is no protective silver bullet. Any claims to the contrary are lies. Make sure any endpoint protection tools are behaviour-based to help ensure lessons are learned from successful attacks. Ultimately, the onus is on you to stay educated and sensible. Demand awareness-raising and preventative training if your employer doesn't offer it already.
Secure the network. In the business world, it is imperative that security teams regularly ensure network systems are optimally configured to withstand threats. It is also critical to note that some applications are not built with a "security by design" mindset, occasionally containing detail about the development team and organisational processes. Securing these is a priority. In addition, all domain and IP registries should be set up with generic role names and identifiers instead of individual names.
Test your limits. Businesses should consider periodically hiring a penetration tester to unearth the who, what, where, when and whys of attacker behaviours. Today's reconnaissance and social engineering tests can, and should, furnish you with invaluable defensive insights.