Fighting Against Phishing
13 April 2018 |
Royal Bank of Scotland's Security Awareness Lead, Lesley Marjoribanks, tackled the fishy topic of phishing at TEISS2018. We’ve summarised Lesley’s top phishing tactics we should watch out for and her useful advice in protecting ourselves against them.
Phishing; a longer game
Lesley says that from a banking point of view, fraudsters are playing a longer game. "Previously it was a case of smash and grab, but now fraudsters will get a foot in the door and take two or three months to build up a relationship with their victim. They get little bits of information before going in for the kill," she explains.
Ransomware, Lesley predicts, will continue to be one of the biggest threats amongst phishing and will be directed at services where people can be significantly affected, such as hospitals.
Phishing as a distraction
"We have seen distraction techniques take place within DDoS attacks, where fraudsters make it look like they're taking the system down but actually they're going in and manipulating payment systems," Lesley states. She thinks we will see the same pattern in phishing – where phishing is used as a distraction for something more sinister that's going on.
A lot of information from LinkedIn is being used in phishing scams now. "We've seen a lot of emails at the end of 2017 where fraudsters have gone onto LinkedIn – getting RBS staff information, contacting customers and saying they work in security at RBS and to check their LinkedIn profiles if they don't believe them," she says.
"We don't see fraudsters having an inroad to banking mobile apps yet," Lesley states. She thinks mobile malware should be on our radar for 2018 because it's only a matter of time before phishing starts making its way into mobile channels too.
Good cyber hygiene: Lesley's tips
- Know what you put on social media profile
You're offering up a jigsaw for fraudsters. They get a little information from your LinkedIn profile, Facebook and Twitter feed and before you know it - they’ve got a good idea of where you live, what you do and have enough information for a compelling phishing email. Know what you’ve got out there.
- Don't be too specific with your job title on social media
This means removing anything which could be of interest to a fraudster whilst keeping your profile relevant and up-to-date.
- Hover over the sender's email
Make sure you hover over the sender's email. The email might say it's from John Smith, however if you hover over the sender's email and it reads as gobbledygook you know you it's a red herring and not to be trusted.
- Patch all your devices
Patches will be plugging security holes on all devices. If you haven't done that you're like a house on a street without a burglar alarm.
- Duo authorisation
"From an internal audit point of view, make sure that sure that your internal processes are safe. For example, if you are authorising payments – make sure that you have two people/duo authorisation involved," Lesley advises. Two minds and instincts are better than one when dealing with key processes.
- Free anti-malware from UK banks
Lesley says that all high street banks in the UK offer free anti-malware software for their customers. "Make sure you get this free software that will guarantee that you are connected with a genuine bank website," she advises.
- Trust your gut
Fraudsters are clever at knowing what piques human interest and what will attract humans to click on that link. Every facet of human nature is played upon and the fraudsters know how the human psyche acts.
However, there is hope. Lesley reveals that when speaking to people who've been victim to fraudulent abuse, 9 times out of 10 it did not feel right. Her advice is to trust your gut instinct – if it doesn’t feel right, invariably it isn't.
Lesley Marjoribanks is the Customer & Colleague Security Awareness Lead for the Royal Bank of Scotland. Lesley’s role involves helping customers and clients understand the fraud and security threats they face, and the steps they can take to help them stay safe.
The R3: Resilience, Recovery & Response Summit 2018 will take place on the 20th September 2018 at etc.Venues St Pauls. This conference is the #1 summit focusing on post-breach response including forensic and legal requirements, media communications, and tips for a fast recovery.
For more information, please visit the R3 website where you can currently take advantage of pre-launch discount.
Download the TEISS 2018 Slides
Latest posts by Anna Delaney (see all)
- “Cyber is a team sport, it’s not about the star player” – CSO of Bacs and Faster Payments, Craig Rice, on cyber resiliency - 20th September 2018
- “This is high gloss colour stuff and the security has to match that” – Nick Nagle, CISO of Condé Nast International - 17th September 2018
- Mental health and cyber security: do we have a problem? - 14th September 2018
- “You have to stick to your guns,” Mark Walmsley on life as a CISO at Freshfields LLP - 11th September 2018
- Tired of ‘cattle-fest’ conferences? Here’s an alternative you should know about. - 10th September 2018