The cyber threat landscape is bigger than ever in 2015, with social engineering methods such as fake emails becoming more sophisticated, according to Kris McConkey, head of PwC’s cyber threat operations practice.
Speaking at PwC’s business forum on cyber security, Mr McConkey said cybercriminals have long used phishing and fake email scams to trick people into handing over money and data, but these are becoming harder to identify.
Fraudsters are sending legitimate-looking phishing emails to a company's employees that appear to come from the heads of the company, and which often contain links or requests to transfer money.
Irish company PageFair fell victim to this kind of social engineering technique last month. As a result, hackers were able to spread malware over part of the PageFair analytics network, affecting 501 online publishers that use the service, including The Economist.
PageFair chief executive Seán Blanchfield said the attack started with a very convincing email not flagged by Gmail as suspicious. “It was faked to look like it came from me to members of staff. It was short, but the subject and content were plausible. It contained a link that appeared to point to a YouTube page, but which actually linked to a faked Google authentication screen customised to the target user with a pre-filled email and avatar.”
Mr McConkey said information security infrastructure such as firewalls and antivirus software isn’t enough when it comes to mitigating the risk of social engineering attacks.
“Social engineering attacks such as CEO emails are an emerging trend. Anti-virus and malware tools won’t detect them,” he said.
Speaking after the business forum, Mr McConkey said malware is the most common cyber security threat, despite the trend of social engineering attacks. “The most prevalent threat is opportunistic malware, which looks for passwords, credentials and bank details. It is done on such a massive scale, that even if they (the hackers) only have a 0.5 per cent success rate, they end up earning tens of millions or hundreds of millions of pounds.”
He said organisations are getting better at identifying attacks and breaches, but the majority of identification is still done by third parties. A survey of the 600 business leaders in attendance at the PwC forum found 39.7 per cent had experienced a cyber attack in the last year. Just over 25 per cent said they didn’t know if their business had been the victim of a cyber attack.