This article was originally published in CSO.

Cybercrime costs the Australian economy $1 billion per year. In 2019 alone, the ACCC has already received 2,229 phishing scam reports, with women losing more money than men to phishing scams and Victorians losing more money than their compatriots north of the border.

The Notifiable Data Breaches scheme that came into effect a year ago has truly uncovered the impact phishing scams are having on Australian businesses and private citizens. According to the most recent quarterly statistics report, the majority of cyber incidents are caused by phishing. From October to December 2018, 262 data breaches were reported, of which 64 percent were criminal or malicious attacks, and more than two-thirds of those (68 percent) were phishing scams, malware or ransomware, brute-force attacks, compromised or stolen credentials, and social engineering or impersonation.

Phishing began with a scatter-gun approach of generic, poorly formatted emails with obvious spelling errors sent to millions of people with the expectation of a low percentage of hits. This approach has now evolved into high-quality, convincing emails combined with targeted campaigns designed to exploit a select few higher-value targets. This type of targeting is usually founded on intelligence mined from social networks, news and through social engineering.

Nationwide email scams still occur and manage to lure people in due to the increased sophistication of the method. A notable recent attack in Australia occurred in January 2019, and involved a convincing email from an energy provider encouraging customers to view their bill online.

This email used the same colour scheme, branding and format of real communications from the energy provider. With over a million customers nationwide, even if only 10 per cent of those contacted fell for the scam, it would cause a significant amount of damage to repair – not to mention damage to a brand’s reputation.

How to get out of hot water
The first line of defence needs to be technology that filters email to reduce the volume of attacks getting through. However, no technological solution is 100 percent effective. Security awareness training is another key element in a business’s defence strategy. With 55 percent of workers not being able to remember security training, the security community has quite rightly called its effectiveness into question.

More effective approaches focus on contextual awareness and simulated attacks by the security team acting as an adversary, in a ‘red team’ fashion to test awareness and identify staff who need further training and incident response preparedness.

With our clients, we’ve seen the greatest success using a combination of methods to turn staff into a human firewall, from gamified security awareness training to simulated attacks. It all depends on the context of the organisation so no one-size-fits-all approach exists.

The weakest links
Malicious actors know that people are the weakest link. We are overloaded, prone to making mistakes and easier to trick; that’s why phishing continues to be the most popular and effective way to get into a network and systems.

Technology can be leveraged to mitigate some of the impact of us being tricked and making mistakes. Email threat protection such as provided Microsoft’s Office 365 Advanced Threat Protection (ATP), screens emails for malicious content preventing them from being delivered in the first instance. Should a zero-day attack occur another layer of protection exists. Safelinks and safe attachments both protect against unknown malware/viruses and link scanning in real-time.

The higher licenses of ATP also provide a framework and capability for the security team to operate simulated attacks to test employees’ performance.

A combination of regular training to spot malicious emails, thorough attack simulation or awareness training and technical controls can help reduce the phishing problem and will go a long way to making our workplaces safe and secure.

Discover the 5 imperatives every CISO must follow to up their security game