CIOs Want To Know: How Do Phishing Attacks Happen?

To stop a phishing attack, you need to know how they work
To stop a phishing attack, you need to know how they work
Image Credit: Pankaj Kaushal

Let’s agree on one thing: the people who work at your firm are smart people. Right? There’s no way that they would fall for one of those phishing attacks that we read about in the paper all the time. Or is there? As the person with the CIO job, one of your biggest issues is that the bad guys who are attacking your corporate network are getting more sophisticated, more prevalent, and more dangerous every day because they understand the importance of information technology. These bad guys come in all sorts of different forms. Organized criminals attempt to steal your financial records, terrorists try to encrypt your systems as a part of a ransomware attack, and even whole countries are trying to gain access to your systems so that they can lay there dormant until it suits them. What’s a CIO to do?

How Does A Phishing Attack Start?

As the person with the CIO position, you need to understand that in order to attack your company’s network, the bad guys use a mix of technology, patience, and social engineering techniques. The number of cyberbreaches that we are dealing with is increasing. The World Economic Forum has reported that in the past five years, the number of cyberbreaches has increased from 68 per business to 130 per business. All too often the bad guys plan an attack that takes advantage of one of the weakest points in your company’s cybersecurity system. The company’s employees.

An attack starts by the bad guys conducting some surveillance. The hacker is going to be looking to find a way to get into your company’s network through one of your employees. The soft spots that they are going to like will be new employees, especially new executive employees, because there is a better chance that they will be open to emails that come to them disguised as legitimate company business. The bad guys also like to go after IT staff members who have access to a wide range of corporate data. The bad guys can get the contact information that they need to pull off their attack from a variety of sources. These include news reports that talk about the arrival of new executives to kids sports teams rosters that may have a parent’s work email address.

After the first step in the attack, identifying who they want to go after, has been selected, the bad guys move on to launching the attack against your corporate network. What they are going to want to do now is to send the bait that will get your employee to do something that they really should not do. More often than not, the bait will be a phishing email that will contain either a link or a document that the recipient really should not click on. If the bad guys get just a little bit more sophisticated, they might send their unsuspecting victim a DVD and request that it be run on a company computer.

What Happens Once The Bad Guys Are Inside?

Ok, so let’s say that the worst thing has happened: the bad guy’s phishing attack has been successful. They provided one of your employees with bait, and they took the bait. This means that they clicked on the link or they opened the document or they ran the DVD. The result of this action is that a hidden software program was launched unbeknownst to the user. There are a number of different things that this software may have done. The first is that it could infect the user’s computer and allow the bad guys to collect information from that computer. Of course, once they are on one computer, this can provide the bad guys with access to all of the computers that are attached to the company’s network. Infected computers could become locked and thereby prevent their users from accessing parts of the company’s network. Finally, the company’s computers could become part of a larger botnet and be used to launch attacks on other company’s networks.

Once the bad guys have gotten into your network and settled in, the sky is the limit for them. They are now free to do as they please. One of the most damaging things that they can do is to capture and transmit usernames and passwords back to the bad guys computers. These transmissions can often be disguised as corporate data in order to fly under the radar. Passwords can be used to unlock user’s financial accounts and if any credit card information is found then it can be sold to identity thieves. Corporate secrets can be stolen once the bad guys are inside. They can also monitor internal communication and potentially release information that will embarrass employees. There is always the possibility that the bad guys will encrypt a hard drive and then demand money in order to provide the keys to decrypt it. Your corporate computers can be placed in the service of the bad guys who can then use them to launch attacks against other firms whose networks they are trying to gain access to.

What All Of This Means For You

CIOs spend a great deal of time and money attempting to secure their corporate networks. However, as much as they may spend, it is almost impossible to secure the weakest link in the system – the company’s employees. This is why the bad guys target employees when they decide to break into a company’s network. CIO’s need to understand what phishing attacks are and what kind of damage they can do to a company’s IT assets.

An attack starts by the bad guys conducting some surveillance. The bad guys like to target new employees and new executives because they won’t be able to tell fake corporate emails from the real ones. The next thing that the bad guys do is to send the bait to the selected targets. This bait may contain links to be clicked or documents to be opened. Once the employee has fallen for the bait a hidden software program was launched unbeknownst to the user. Now a program has been installed on their computer. This will allow the bad guys to collect usernames and passwords, monitor communications, embarrass employees, and set up remotely controlled botnets.

In order for a CIO to do a good job of protecting their company, the first thing that they have to do is to understand what the threats are. Phishing attacks are easy to do and so they are launched against the company all the time. Employees have to be trained to keep an eye open for suspicious emails and unexpected documents. It’s only by having a vigilant workforce that CIOs can fend off phishing attacks.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: When you detect that a phishing attack is underway, what steps should a CIO take?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

When the bad guys go after a bank, because of the importance of information technology it is the responsibility of the Bank’s CIO to keep the bank’s networks and electronic assets safe. However, this is not something that they can do by themselves. Banks need to know what is happening at other banks so that they can learn from them and better prepare to defend themselves. In order to accomplish this, bank CIOs need to share data with other banks and this starts to raise some interesting privacy concerns.