The directors of the Cyber Resilience Centre for Wales and the Eastern Cyber Resilience Centre, Paul Peters and Paul Lopez, got together with Mostyn Thomas, CEO of Astrix Cyber Security, to discuss how a recent phishing attack on a big-name brand reached the WCRC and the ethical issues facing those involved.

Immediate suspicions PP: This started with an email received in the WCRC enquiries mailbox. It immediately made me a little suspicious as it was from a food product company which is a household name. The email wasn’t addressed to anyone, and simply said “please find the file”, followed by ‘kind regards’, and a name with contact details. The email had an outlook file attached which it stated had been shared by the sender. When you consider the key elements of a phishing email, plenty were here, such as no addressee, an email from an unknown person, no explanation of why the email had been sent, a file which I wasn’t expecting, and a file with a title which included ‘limited project’, which was probably meant to pique my curiosity and encourage me to click on it! Because I recognised the company that the email claimed to have been sent from, I decided to see if that person existed. Some enquiries on LinkedIn revealed that they were in fact a real person, with connections in the same company. Further internet enquiries suggested that the email address was genuine, so from this point I feared that this was a genuine account that had been compromised. The WCRC is part of a network of centres there to support businesses improve their cyber resilience, so I passed the details to Paul Lopez, my counterpart in the Eastern CRC to make contact and establish whether the account was compromised and offer the support of the CRC and policing. Things the file could have contained MT: An Outlook file shared by email could potentially contain several types of malicious content, including:

• Malware - this can include viruses, Trojans, spyware, and other harmful software that can compromise the security of your computer
• Macro viruses - these are a type of malware that use macro scripts, often embedded in Microsoft Office files, to infect a computer
• Ransomware - this type of malware encrypts the victim's files and demands payment in exchange for the decryption key
• Links to malicious websites or resources (often disguised as genuine websites)

There are a number of precautions that businesses can take to guard against this sort of content:

• The person or company that maintains their IT systems can configure the email settings on the internet to greatly reduce the chance of these type of emails getting through
• There are many cost-effective email filtering systems that are now highly effective at detecting and removing these emails before ever getting to the user’s inbox
• Most importantly, effective and relevant training for uses of the systems to be able to spot phishing emails as you did Paul is always a great idea

Raising the alarm to help others

PL: I discussed the email with Paul, who had forwarded it on with a ‘Don’t open the attachment’ warning and then made contact with the company and the person whose email account we believed to have been compromised. It is worth noting that the email arrived in the ECRC inbox but was only quarantined by the anti-virus (AV) 24 hours later. Like most companies with industry standard anti-virus software, we were vulnerable to this phishing email and relied on the experience and knowledge of the staff to avoid becoming a victim themselves. I contacted the company and spoke with several members of staff, including the company’s head of IT. They apologised for sending the e-mail and confirmed that they had been victim of a cyber-attack. A member of staff’s email system had been compromised with the resulting email being sent out to the WCRC. They initially said they were happy to speak to police, and a referral was made to the regional and local cybercrime unit officers.

Unfortunately, the company then changed its stance and declined police involvement and have not as yet made a report to Action Fraud which is where cybercrime incidents need to be reported to in the UK. The company also claimed it was unable to identify where the malicious emails had been sent to and as such was unable to warn other recipients potentially at risk of compromise. Actions to take in this situation MT: When an email system is compromised in this way, there are normally clues left in the system as to what happened and how. If the company has an IT firm or internal team that manage this system they should be able to go through the log files (records of every type of action that has happened to the system) and ascertain who was compromised and how many emails were sent out from the system and to who. There is a procedure to follow here:

• Immediately change all passwords
• Look for rules in the email system that automatically send or forward messages to addresses that are not recognised
• Ensure that all accounts have multi-factor authentication enforced. This is a system that uses a device or phone to give two or more forms of identification to get into a system. It should be used as standard on any email systems for all users as it has been reported that more than 90% of email account compromises would be unsuccessful if implemented
• Once the email system is secured, then perform a complete scan of the system using the anti-malware that is in use, particularly focusing on the device of the user that clicked on the phishing email
• If a list of email addresses that had malware emails sent to are available, contact these people and inform them of the issue and ask them to delete these immediately
• Clearly there can be many more issues once a malicious actor has been successful on your system and too many checks to detail here. The point here is to immediately contact your IT provider or team and give as much detail as possible
• Once they have confirmed this is a cyber incident, you may wish to call your insurance if you have cyber risk insurance as they specialise in just this type of event and have the tools and expertise at hand to deal with this
• At this point inform the police also as Paul stated, they may be able to warn potential victims or indeed form an investigation to stop this attacker repeating this

Why alerting the authorities is crucial PP: So I was probably one recipient of thousands, so is there a problem with businesses hiding the fact that they have been compromised? We will probably never know how many businesses have now also been compromised by that email? I can understand businesses not wanting to damage their brand, but ethically does there need to be a change of mindset? By involving police an investigation can be commenced, and this could identify potential offenders, or disruption opportunities, it allows police to inform others of the methodology used, and they can also offer other support to the business during a cyber-attack. It seems that many businesses see police involvement as a negative, and one of our challenges as a CRC network is to change this mindset. MT: The fact is that there is a strong possibility that the original phishing email may have come from someone that was attacked previously and if they had reported this and been transparent, this company may never have been compromised. Supply chains mean that we all rely on other businesses to look after our data and have to trust them to be able to communicate effectively. A compromise or cyber-attack is not desirable, however, managed well, a company can recover and in many cases gain respect for being transparent and dealing with the issue promptly and effectively. To be able to do this though, effective planning and contingency has to be in place, risk assessments, disaster recovery plans, insurance and skilled technical resources. All of these elements are taken for granted when assessing health and safety and fire risk, the company’s data and IT systems need to be given the same attention. PL: The actions and behaviour of the company are not unusual and in fact represent what happens in the vast majority of cases involving cyber-attacks. Most organisations adopt a damage limitation mode where protection of reputation is seen as the most important issue; leaving the supply chain and the wider business community vulnerable. Most companies will also avoid reporting to the police, which frustrates law enforcement efforts to improve their understanding of the scale and nature of current cyber threats. PP: If the business community in the UK is serious about tackling cybercrime, then I think we need to move to a position where we are honest and transparent about compromises. If we flag a breach publicly, then that limits the impact to the wider business community, and allows others to safeguard their own businesses. Should you experience cybercrime, please report it to Action Fraud. If you would like support with protecting yourself, team and business, the Cyber Resilience Centres offer bespoke security awareness training which is tailored to those with little to no cyber security knowledge. Covering the basics of what a vulnerability is and how to mitigate the risk, the training will build confidence in spotting the signs of attack and how to challenge anything that appears untoward. Please contact us to see how we can help. Not in the East of England or Wales? You can find a regional centre near you, where the team will be able to assist with your business security needs.