Today Marriott announced that its Starwood brand reservation database had been breached over the last several years, and that possibly up to 500 million customer records were stolen or compromised. The stolen data includes not only names and addresses, but also email addresses, credit card information and other personal information. We hear about these attacks more and more, but the scale of this breach is virtually unprecedented. It means that millions of email addresses and personal records will most likely become available on the black market for cybercriminals to leverage.
Imagine this scenario: a cybercriminal knows your name, address, credit card account and email address. Even if they only have the name of your card, they can use it in a targeted email that provides a link to "verify" a balance or charge, or to change a password because of the breach. That link routes you to a spoofed site that deposits malware on your network or compromises the user in some other way. This is serious stuff.
Take key steps to stop attacks now, before they hit.
Phishing preys on a combination of human psychology and technological weaknesses. Cybercriminals realize it is easier to fool a distracted worker in an email environment than to hack a server or attack a domain head-on. Today's workforce is used to working at warp speed, and does not pay much attention to email addresses or the "from" field.
Organizations don’t need large budgets to effectively defend against phishing attacks. However, they need to change their mindset and recognize that it’s no longer if you will be attacked, but when.
A good starting point is making sure your employees 1) understand the threat landscape and that they may be prey for this Marriott-themed vector of attack, 2) know what sensitive data should and should not be shared, and 3) recognize what could cause your business harm. If the Marriott breach is any indication, any mention of Marriott in an email, in any way, shape or form, should trigger an alarm with every user.
Start by Understanding the Nature of Phishing Emails
- Always be on your guard. While obvious issues like grammatical errors and spelling mistakes still exist, modern phishing emails leveraging the Marriott breach will look very legitimate. Treat anything from the internet as suspicious, especially any information regarding these hacked brands.
- Be cautious of individuals or organizations that ask for personal information or transfers of funds. Don't click on any links; verify directly with the company itself through a trusted channel (a phone number or web address you already have, not one supplied in the message) to avoid any potential issues.
- Take a close look at the sender's actual email address (not the display name, which can be easily spoofed) when checking the legitimacy of an email. Would you normally get an email from Marriott asking you to check balances or confirm a reservation? Be suspicious!
- Don't be frightened or intimidated by messages that have an alarmist or urgent tone. "We need your reply immediately" is not a statement you should ignore, but it often signals a false premise designed to rush you. Contact the company or individual directly if you are uncertain about the status of an account or the request.
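The three checks above (display name versus real sender domain, urgent tone, and a request for data or funds paired with a link) can be automated as a first-pass triage rule. The script below is an added illustration, not EdgeWave's code or product; the message headers, the domain allowlist and the phrase lists are constructed for the example and would need tuning for a real mailbox.

```python
import re
from email.utils import parseaddr

# Constructed sample messages (hypothetical senders, domains and links).
SAMPLE_MESSAGES = [
    {"from": "Marriott Rewards <alerts@account-verify-marriott.example>",
     "subject": "Action required: verify your account immediately",
     "body": "Due to the recent breach, confirm your balance here: http://marriott-secure.example/login"},
    {"from": "Jane Doe <jane.doe@partner.example>",
     "subject": "Q3 invoice",
     "body": "Attached is the invoice we discussed. Thanks!"},
]

# Assumed allowlist: domains a brand is actually expected to send from (hypothetical, tune per organisation).
TRUSTED_BRAND_DOMAINS = {"marriott": {"marriott.com"}}

URGENCY_PHRASES = ("immediately", "action required", "urgent", "within 24 hours", "account will be suspended")
DATA_OR_FUNDS_REQUESTS = ("wire transfer", "verify your account", "confirm your balance", "reset your password")


def analyze_message(msg):
    """Return a list of human-readable reasons the message looks like phishing (empty if none)."""
    reasons = []
    display_name, address = parseaddr(msg["from"])
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = f"{msg['subject']} {msg['body']}".lower()

    # 1. Display name claims a known brand, but the real sending domain is not one we trust.
    for brand, domains in TRUSTED_BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in domains:
            reasons.append(f"display name mentions '{brand}' but sender domain is '{domain}'")

    # 2. Alarmist or urgent tone in subject or body.
    urgent_hits = [p for p in URGENCY_PHRASES if p in text]
    if urgent_hits:
        reasons.append("urgent language: " + ", ".join(urgent_hits))

    # 3. Asks for personal data, credentials or funds and supplies a link to do it.
    request_hits = [p for p in DATA_OR_FUNDS_REQUESTS if p in text]
    has_link = re.search(r"https?://", msg["body"]) is not None
    if request_hits and has_link:
        reasons.append("asks for data/funds and includes a link: " + ", ".join(request_hits))
    return reasons


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", analyze_message(m) or "no findings")
```

A message that trips the brand/domain mismatch alone is worth a second look; one that trips all three is a candidate for removal from every inbox it reached.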
Build a Cyber Aware Corporate Culture
- Make cybersecurity a priority for all employees, not just the IT team, and provide a written cybersecurity policy that all employees must read and acknowledge.
- If your business works with third parties and your systems are integrated (e.g. retail POS), make it a policy to ensure their applications are secure; ask them about their security policies before deploying.
- Set formal, explicit security policies to stop BEC or CEO fraud. For example, require both verbal and written approval for all wire transfers or movements of company funds.
Don’t expect traditional email security to stop these attacks. Look to new technologies and tools.
Deploy a multi-layered email security posture that includes an email gateway, anti-phishing post-delivery detection, and incident response technologies. Adding post-delivery detection and incident response to your existing email gateway not only greatly reduces your risk, it also dramatically reduces dwell time for threats that reach inboxes. The faster these threats can be deleted across the organization, the less costly the attack. Our company, EdgeWave, currently offers all of these solutions as a modern email security platform.
Because phishing criminals continue to innovate, and with a data breach of this size, we all need to be on guard at work and at home. You need to heighten your security vigilance to stay ahead of these attacks. Although there is no silver bullet, a combination of employee education to increase awareness, formal cybersecurity policies, and specific anti-phishing technologies like EdgeWave's Postdelivery Detection and Incident Response can drastically reduce the risk of a successful phishing attack in your organization.