Phishing: why companies should not underestimate it

The rapid spread of information and communication technologies has brought immense social, economic and political progress. At the same time, its effects have spilled over into crime: attackers circumvent even the most advanced technologies and security measures by adopting social engineering tactics such as phishing.

Phishing is a form of social engineering that relies on manipulating human behaviour rather than finding a loophole in a computer system. The idea behind a phishing attack is that a malicious actor sends an individual what looks like a legitimate e-mail, which asks them to click on a link leading to a fake page.[1] The fake page then asks the individual to enter their credentials (e.g., a password), which ultimately allows the malicious actor to gain access to their account and steal their sensitive information. Phishing emails are effective because they take advantage of people's inclination to open them without looking at them too closely.

These attacks might seem to have no consequences for the company offering the legitimate web service; case law, however, has set precedents to the contrary, holding the provider liable for inadequate security measures.[2]

As Verizon's Data Breach Investigations Report (DBIR) 2021 explains, phishing was the leading type of malicious action among breaches in the last year, and 43% of data breaches involved this type of attack. This highlights the need to make people more aware of social engineering tactics like phishing.[3]


The DHL case: three different phishing campaigns

Three phishing campaigns impersonating the DHL service have recently been identified, each in a different language: Italian, German and English. The first campaign sends a message stating that the recipient's data cannot be found and asks them to send new credentials so that the parcel can be delivered. The second demands that the recipient pay a customs fee before the parcel can be delivered, and the third asks the recipient to print an attachment.[4]

To address the problem, and mindful that even legitimate web services are held responsible for inadequate security measures, DHL has published a web page dedicated to fraud awareness.[5]


Solving the problem from within

There are several ways to combat the rise in phishing attacks. One way to reduce the number of victims is to offer security training in which employees learn how to filter spam and recognise a phishing email. To verify that such training is effective, a company can adopt the so-called "fake phishing" technique, in which the company's IT team sends simulated phishing emails to all employees in order to identify those who recognise such tactics and those who need further security training on the subject.

Another tool companies could use is "Password Alert", a Chrome extension from Google that detects when you enter your password into a site that is not a Google page, thus flagging a potential phishing compromise. Furthermore, a company can use a form of two-factor authentication in which the employee combines a password with a physical security token (e.g., a stand-alone device or a USB key). Even if the password is compromised by a phishing attack, the attacker would then also need to steal or clone the physical token, which is far less likely to happen.[6]

Implementing a strategic and effective programme with executive support is possible: basic training helps both to prevent company resources from being deceived by modern deception techniques and to direct the more complex work of implementing appropriate technical and organisational measures that neutralise threats of unauthorised access, use, modification, loss or destruction of personal data, as required by Article 32 of the GDPR.[7]

It is ultimately up to the company to ensure that adequate policies and security training courses are in place to explain to employees, in an easily understandable way, how to combat phishing attacks and social engineering tactics in general. Without such understanding, the company's data is at a higher risk of being breached or exploited.


[1] C. Gallotti, Sicurezza delle informazioni, pp. 114 ff.

[2] See Tribunale di Firenze, III sez. civile, judgment of 20 May 2014.

[3] For further information on this topic, see 2021 Data Breach Investigations Report | Verizon.

[4] For a fuller account, see Phishing: tre campagne colpiscono DHL, nel mirino anche l'Italia (cwi.it).

[5] The dedicated web page is available at Prevenzione delle frodi | DHL | Italia.

[6] Information on phishing is essential for running a fake phishing campaign; see Come rilevare e rimuovere pagine Web di phishing (false) (sensorstechforum.com).

[7] Regulation (EU) 2016/679, Art. 32.

ICT Cyber Consulting