In this series of articles, MxD identifies the Top 7 cybersecurity threats and suggests ways that manufacturers can mitigate them.
On the Top 7 list are: equipment sabotage, insider threats, supply chain attacks, phishing attacks, data theft, malware, and ransomware. Earlier articles explored equipment sabotage, insider threats, and supply chain attacks.
Fourth in the spotlight: Phishing Attacks
One of the earliest cybercrimes, phishing remains one of the biggest cybersecurity menaces manufacturers face.
How big? According to Mimecast’s report on “The State of Email Security 2022,” last year was “the worst year on record for cybersecurity,” and “phishing was the biggest culprit, with 36% of data breaches due, at least in part, to employee credentials stolen through a phishing attack.”
Some 96% of those attacks — which trick people into revealing sensitive personal information, like a password or credit card number — come via email, Mimecast reported.
Email phishing, which arrived on the cyber scene in the mid-1990s, is the most common phishing attack, according to Microsoft. In these cyberattacks, messages and their perilous hyperlinks often land in inboxes looking like they came from large and trusted companies.
Today, companies must reckon with larger and more sophisticated phishing attacks, including:
- Malware phishing, which is also delivered via email and relies on attachments like phony invoices to unleash malicious software.
- Spear phishing, which is a more sophisticated attack. Criminals scour the web for personal or career information about a target and use those details in their message. Such information can lull the person into letting their guard down and clicking on a bad link. Or the information can be used to scare them, like claims about an injured colleague or family member. Amid that panic they may click on a link they would otherwise ignore. Spear phishing also can be aimed at groups within an organization, using a “spoofed” email address that resembles the company’s email format.
- Whaling, which goes after big targets, like company executives.
- Smishing and vishing, which follow similar tactics but use text (SMS) messages in the first case and phone calls in the second.
Tactics to defend against phishing attacks include training, requiring employees to use multifactor authentication, and installing email filters to stop phishing messages from reaching inboxes.
Regular training programs are crucial. One easy way to run this training is to use the “report phishing” button available on most email clients. Companies can send emails that mimic phishing attacks to employees and then see who correctly identifies the suspect email and reports it — and who opens it and clicks. Those who click on a bad link get a popup box alerting them to their error and teaching them what to look for to avoid cyberattacks.
Companies should also teach workers to speak up when things don’t look right.
Did they just get an email from “Human Resources” when their company calls that department “Talent Acquisition and Development”? Training will remind them to pick up the phone in a case like that to find out whether the email is legit.
Multifactor authentication is another defensive strategy. With multifactor authentication, employees must verify their identity with more than a password. With this in place, even if a bad actor gets an employee’s login credentials, they cannot use those credentials alone to access company networks.
Filters are an additional shield. With employees often quickly going through emails, or just not paying careful enough attention, filters can be set up to recognize and block suspect domain names, preventing the phishing emails from ever reaching workers.
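As an added illustration of the domain filtering described above (this is not MxD's code or any mail product's), the Python below flags sender domains that imitate a company's real domain, the kind of “spoofed” address mentioned under spear phishing. The domain `example-mfg.com`, the function names, and the distance threshold of 2 are assumptions made for the example.

```python
from email.utils import parseaddr

# Assumption: the company's real mail domain (constructed placeholder).
TRUSTED = {"example-mfg.com"}
# Digits commonly swapped in for letters: 0->o, 1->l, 3->e, 5->s.
FOLD = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Return the lower-cased domain of a From header, or '' if there is none."""
    _local, at, domain = parseaddr(from_header)[1].rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify(from_header, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'suspect' (lookalike or unparseable) or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "suspect"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    folded = domain.translate(FOLD)
    for t in trusted:
        tf = t.translate(FOLD)
        # Trusted name buried inside another domain, e.g. as a left-hand label.
        if tf in folded:
            return "suspect"
        # Near miss after folding digits: typos, dropped or swapped letters.
        if edit_distance(folded, tf) <= max_distance:
            return "suspect"
    return "unknown"

# Constructed sample headers, not real traffic.
SAMPLES = ["HR <hr@example-mfg.com>", "HR <hr@examp1e-mfg.com>",
           "IT <it@example-mfg.com.portal-login.net>", "Sales <s@supplier.org>"]

def scan(headers=SAMPLES):
    """Map each header to its verdict."""
    return {h: classify(h) for h in headers}
```

A “suspect” verdict is best routed to quarantine or review rather than silently dropped, and a short trusted domain needs a smaller `max_distance` to avoid flagging unrelated senders.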
Above all, employers must recognize that cybercriminals are getting really good at making their emails look authentic. They use design services and even repurpose legitimate email shells. So while employees are getting smarter about what to avoid and filters are getting better at blocking, bad actors are getting better as well.
Additional resources to help prevent phishing attacks are available in the MxD Cyber Marketplace.
A complement to the MxD Cyber Marketplace, MxD’s Playbook for CMMC 2.0 Level 1 is designed to help manufacturers and their suppliers prepare to meet the Defense Department’s upcoming cybersecurity requirements. It’s available for free download.