Europol has hosted a meeting with 70 industry experts to discuss ways to tackle the growing problem of phishing and business email compromise attacks.
According to the 2018 Verizon Data Breach Investigations Report, a single spear phishing attack costs a business an average of $1.6 million to resolve. The FBI reports that business email compromise attacks have resulted in losses of more than $12.5 billion since October 2013. To tackle the problem, a collective and collaborative effort is required from law enforcement agencies and the public and private sectors.
At the joint meeting of the EC3 Advisory Groups on Financial Services, Internet Security, and Communication Providers, Europol spoke with 70 industry representatives to find out how phishing attacks were affecting different industries, and the steps that should be taken to combat phishing, spear phishing and BEC attacks. In addition to keynote speeches on the threats, group discussions were held on possible technical, operational, and awareness-related solutions to the problem. At the meeting, several recommendations were made to help with the collective effort to combat the threat.
To combat phishing, it is necessary to start with basic cybersecurity measures to make attacks more difficult. Those measures include secure authentication, blocking of common exploits, and the blacklisting of known phishing domains.
Information sharing needs to improve across different industries as well as with law enforcement and appropriate public sector organizations.
Machine learning should be embraced to help with the automatic detection of phishing campaigns, and regular reviews should be performed to make sure that anti-phishing solutions remain effective against the constantly changing tactics used by cybercriminals in phishing attacks.
Since phishing attacks target individuals in an organization, it is essential for end users to receive security awareness training to teach cybersecurity best practices and ensure all users know how to identify potential phishing attacks. Training cannot be a one-time session. It needs to be an ongoing process.
Europol will be producing further guidance and will be making recommendations from a law-enforcement perspective about measures that can be adopted to improve defenses against phishing and limit the harm the attacks cause. The guidance will be issued later in 2019.
“Phishing is the engine and enabler of many cybercrimes and can be used to cause significant harm to European citizens and their organisations. Only by working closely and across key industries with some of the leading experts in their field, can we ensure that we are able to counter this threat and keep the EU safe,” said Steven Wilson, Head of the European Cybercrime Center.