“Email your biggest problem” says security expert Grant Revan in warning over growth of phishing

Embedding best practice early on is key to stemming the tide of phishing attacks, says Red Sift executive.

“All the problems everyone has come down to phish. Everything is phish, it’s all about the phish,” said Grant Revan, Head of Strategic Engagement at Red Sift, speaking at the DTX Expo in London. “At some point, everyone will get caught by a phishing attack.”

Revan said it was clear that “email is your biggest problem”. Statistics from the FBI indicate that 90% of all data breaches start with a phishing email. And data-related leaks increased 82% between 2020 and 2021.

Conti, the biggest ransomware group, collected around $180m in 2021 from attacks, according to the Chainalysis ‘2022 Crypto Crime Report’. Ransomware payments grew 34% from 2020 to 2021, with the average payment per attack rising from $88K to $118K. Phishing was the number one form of attack.

Pretending to be NHS

One new phishing theme that Revan highlighted is the rise of emails pretending to come from the NHS, for example asking people to sign up for their Covid-19 vaccination or, more recently, emails about test and trace or Covid passes.

One spoof email he received in 2021 appeared to come from the sender ‘noreply@nhs.gov.uk on behalf of NHS digital’, but on closer inspection there was more text following, and then a spoofed address at the end: the legitimate-looking address was only part of the display name, and the real sending address came after it. Revan stated that “even with training, this was not easy to spot”.

By June 2020, Action Fraud, the UK’s national reporting centre for fraud and cybercrime, had received a total of 12,323 reports of coronavirus-related phishing emails. And 2,378 victims had lost a total of £7,099,441 (approx. $8m) in relation to coronavirus-related scams.

Action Fraud also received many reports of phishing emails pretending to come from HMRC, tricking people into giving away information or money.

Some other types of phishing include:

  • Vishing: phishing carried out over a voice call.
  • Whaling: phishing that targets C-suite leaders. A whaling email might, for example, claim that the company is facing legal consequences and that the recipient needs to click a link to get more information.
  • Smishing: phishing carried out by text message (SMS).

How to look for phish

Revan showed some tools that can help businesses find ‘look-alike websites’ that try to imitate them. But there are also a few things, he explained, that can be done without tools to avoid being phished by email. First of all, don’t click on anything before you know the email is genuine. There are a lot of things to look for in an email, for example:

  • The sender’s name and email address: do they match the company’s website and domain?
  • Links: does the address a link actually points to match the website it claims to lead to?
  • Typos: are there any misspellings in the text?
  • And never open an attachment unless you are sure the email is legitimate.
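The first two checks above, and the NHS lure described earlier, can be automated to a useful degree. The following is an added example written for this article, not Red Sift’s tooling or anything shown at the talk. It parses a constructed sample message (the sender domain example-lure.invalid is a placeholder that never resolves) and flags two tells: a display name that carries an address or domain the real sender does not own, and a link whose visible text shows one domain while its href goes to another. It also lists attachment filenames so a reader can apply the fourth check by hand.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the NHS lure described above. The domain
# example-lure.invalid is a placeholder (.invalid never resolves), not a real sender.
SAMPLE_EMAIL = """\
From: "noreply@nhs.gov.uk on behalf of NHS Digital" <alerts@example-lure.invalid>
To: someone@example.com
Subject: Book your Covid-19 vaccination
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your appointment at
<a href="https://example-lure.invalid/nhs/confirm">https://www.nhs.uk/book</a>
or read the <a href="https://www.nhs.uk/conditions/coronavirus-covid-19/">guidance</a>.</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
# A bare domain such as nhs.gov.uk; the lookbehind stops it matching inside an address
# or in the middle of a longer hostname.
DOMAIN_RE = re.compile(r"(?<![\w@.-])(?:[\w-]+\.)+[a-z]{2,}(?![\w-])", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough to treat www.nhs.uk and nhs.uk as one owner.
    A real deployment would use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_from_header(value: str) -> list[str]:
    """Flag a display name that names an address or domain the real sender does not own."""
    display, addr = parseaddr(value)
    real = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    findings, seen = [], set()
    for claim in EMAIL_RE.findall(display) + DOMAIN_RE.findall(display):
        host = registrable(claim.rsplit("@", 1)[-1])
        if host != real and host not in seen:
            seen.add(host)
            findings.append(f"display name claims {claim!r} but the address is {addr!r}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[str]:
    """Flag links whose visible text shows one domain while the href points at another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname
        shown = DOMAIN_RE.search(text)
        if target and shown and registrable(shown.group(0)) != registrable(target):
            findings.append(f"link text shows {shown.group(0)!r} but points at {target!r}")
    return findings


def scan(raw: str) -> dict:
    """Run the header, link and attachment checks over one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None and body.get_content_type() == "text/html" else ""
    return {
        "from": check_from_header(str(msg["From"])),
        "links": check_links(html),
        # Attachment names are listed, not opened: judging them is the reader's job.
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
    }


if __name__ == "__main__":
    for kind, items in scan(SAMPLE_EMAIL).items():
        print(kind, items)
```

Running it on the sample reports one display-name finding (the header claims noreply@nhs.gov.uk, the address is alerts@example-lure.invalid) and one link finding (text shows www.nhs.uk, href goes to example-lure.invalid); the second link, whose text is the word ‘guidance’, is not flagged because it makes no domain claim. These are heuristics: a display name that merely says ‘NHS Digital’ over a look-alike domain passes the first check, which is why the speaker’s point about look-alike domain monitoring still stands.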

Even if giving the email an extra check to make sure it is genuine takes time, it’s still “better to prevent than to cure”, Revan stated.

And, as most leaders and speakers at the Expo said, the key factor for good data use and management is to start educating people from an early age.

This is not a complete reproduction of what was said at this conference – it is an edited version based on the reporter’s understanding of what was relayed. This content has not been approved/endorsed by the speakers.