Backdrop: Proofpoint’s The Human Factor 2022 report reveals that more than 20 million messages attempted to deliver malware linked to eventual ransomware attacks. That is not to say that 20 million messages all ended as ransomware attacks. Or did they?
At a media briefing, Alex Lei, senior vice president for Asia-Pacific and Japan at Proofpoint, shared some details from the global report that are specific to Asia, with a view toward offering options for CIOs, CISOs and CTOs to grapple with the alarming threat that the connected world presents.
Is there anything unique about cyber attackers in Asia?
Proofpoint has found that the occurrence and frequency of cyberattacks are not consistent across the Asia Pacific landscape.
The 2022 State of the Phish report found that cyber-attacks in Australia and Japan were vastly different, although both are within the Asia Pacific region:
- 80% of organisations in Australia experienced high incidents of ransomware compared to the global average of 68%, whereas Japan saw lower-than-average effects for most threats.
- 92% of Australian organisations dealt with cyber-attacks (highest of any region surveyed), while only 66% of Japanese organisations experienced successful phishing attacks (lowest of any region surveyed).
While not all cyber-attacks are created equal and may not target the same countries, they can be just as damaging:
- All it takes is one successful phishing attack for organisations to face consequences such as financial losses and credential compromise.
There could also be risk factors that cyber attackers can exploit:
- Long-term hybrid work and the influx of incoming and outgoing employees from the ‘Great Resignation’ have exacerbated the risks posed by insider threats.
- There is a lot more uncertainty around the proper protocol, what data is or is not off limits, and which channels one should use.
- In Singapore, Proofpoint research has shown that remote working has enabled an increased risk of cyber-attacks.
- 44% of CISOs in Singapore surveyed reportedly saw more targeted attacks in 2022 since enabling widespread remote working, an uptick of 13% from 2021 according to Proofpoint’s Voice of the CISO report.
- A DMARC analysis also found that more than half (59%) of SGX 200 companies do not have the necessary email authentication protocols in place, leaving their customers, partners, and employees open to higher risks of email fraud.
How significant of a threat is smishing in Asia and what is driving this?
SMS phishing, or smishing, has risen, jumping more than 80% globally in 2021:
- It is a significant threat as smishing lures usually prey on human bias towards urgency and loss aversion, and these psychological triggers are especially powerful in the context of mobile phones.
- People tend to be more responsive to mobile messages than to email or computer messaging, and still have a high level of trust in the security of mobile communications.
While it is different from traditional phishing, smishing employs the same types of lures, and one of the main differences is in people’s susceptibility to attacks:
- Click rates on URLs in mobile messaging are found to be eight times higher than email globally.
- Prevalence of links over attachments is another factor that threat actors leverage, where they often make use of embedded links.
- We believe that the success rate for smishing attacks is expected to be substantially higher than traditional email phishing although the volume of email attacks may be higher.
In Asia, increasing digitisation is the likely driver of smishing, with many organisations going online and sending their customers updates via SMS:
- Some common drivers and lures of smishing include parcel/package deliveries, banking and finance, government, consumer brands and telecommunications.
- Additionally, SMSes are also being used to send over one-time passwords (OTPs) when logging into online services.
How are enterprises countering attackers? Name one or two successful tactics.
To combat today’s threats, organisations need a people-centric approach to prevention, and leveraging the tools available is the first step to making a people-centric security program work:
- CISOs need to look across their vendor and product portfolio to evaluate where their information and data can be better used to spend resources.
- By leveraging that information to make smarter decisions about resource allocation and risk, CISOs can better tackle these problems at scale.
In many cases, human factors can matter more than the technical specifics of an attack.
- Most cyber-attacks cannot succeed unless someone falls for them.
- Cyber criminals are often looking for relationships that can be leveraged, trust that can be abused and access that can be exploited.
To address this, companies need to start with security awareness and implement risk-based controls:
- Training users to spot and report malicious emails, links, and documents can stop attacks and help identify people who are especially vulnerable.
- Having a solution that can neutralise threats by applying additional security layers can protect even the most vulnerable users, as organisations should assume that users will eventually click on some threats.
- Isolating risky websites and URLs can be a critical safeguard against URL-based threats.
Another way is to also ensure appropriate security policies and regulations are up to date.
- Recently, a large financial institution in Singapore saw one of the largest smishing attacks in December last year, with over 470 customers losing S$13.7 million, and 80% of the amount lost during the year-end festive period.
- Cyber attackers impersonated the bank through spoofing, a technique used to clone a legitimate sender’s name and shortcode. By spoofing the bank’s name, threat actors were able to enable their SMSes containing malicious links to appear in the same thread as legitimate SMSes from the bank.
- In response to this, the Singapore government has introduced an SMS Sender ID Registry (SSIR) that merchants and organisations will need to register with using their Unique Identity Numbers (UENs). This will help to ensure that only verified organisations are able to use the correct Sender IDs.