Why UK charities can no longer afford to ignore growing phishing epidemic
Phishing attacks are continuing to grow in frequency, sophistication and cost. In fact, the UK Government’s Cyber Security Breaches Survey recently revealed that the average cost of an attack is now £1,000 higher than it was in 2018, and that email phishing scams are the most common type of attack.
When it comes to the charity sector, over a fifth of organisations have reported a cyber breach in the past twelve months – with email phishing attacks accounting for a massive 81% of this figure. And, it’s not just the direct cost of a phishing attack on the charity itself that poses a risk: if personally identifiable information is leaked as a result of a breach then the charity in question may find itself liable to a substantial fine as a result of GDPR regulation.
Yet, email clearly remains a vital means of communication for any charity today. In fact, when it comes to their preferred channel of communication, research by the Data & Marketing Association has revealed that around three-quarters of people place email at number one.
It’s clear that charities need to be able to utilise email to communicate effectively. This may seem a daunting prospect when we consider historic reluctancies of charities to embrace cyber security spending or new technologies like artificial intelligence. In fact, the Government’s survey revealed that over half of all UK charities are still not spending anything on cyber security.
This is a worrying figure and must be addressed: the growing cost of inaction is proving simply too great to ignore.
Weighing up the options
Recent findings as part of Charity Finance Week revealed that two thirds of charities believe their core functions (including IT and cyber-security spending) are under-resourced – further supporting the notion that charities remain susceptible to the phishing threat. When asked why this is the case, one of the most common responses was a lack of money.
With these budgetary constraints at the front of mind, any investments must (understandably) be carefully considered. So, while phishing attacks are proving more costly and remain frequent, any security spending must prove to be justifiable. In relation to phishing, any investment must be able to help significantly offset the risks faced.
For most charities, there is therefore a constant decision to be made around taking their chances or taking action, with the former proving a greater and greater risk every year.
Machine learning could hold the key
Thankfully, as phishing attacks are growing and evolving, so too are the defences put in place against them. Today, machine learning (ML) is proving to be a key tool for email providers by not only helping to stop any attacks in the mail flow but also speeding up the identification process (saving invaluable time).
By learning to identify patterns coming out of large sets of data collected, modern ML tools can calculate the likelihood that a given email is phishing. Certain patterns in particular have proven to be clear signallers – for example frequent grammatical errors and unusual ‘from’ address formats like @g0ogle or Yah00 (also known as cousin domains, which mirror legitimate providers). Using ML technology, such trends and patterns can be automatically detected and blocked in the mail flow.
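The cousin-domain pattern mentioned above is easy to make concrete. The following is an added example, not code from the article or from Twilio SendGrid, of a small check that normalises look-alike characters in a sender's domain and compares it with a constructed list of domains a charity expects mail from. The names `LEGITIMATE_DOMAINS`, `HOMOGLYPHS` and `classify_sender` are assumptions for this illustration; a production filter would feed a verdict like this into a wider ML scoring model rather than block on it alone.

```python
"""Cousin-domain check for sender addresses (added example, not the
article's or Twilio SendGrid's own code)."""
import re

# Constructed list of domains a charity expects legitimate mail from.
LEGITIMATE_DOMAINS = {"google.com", "yahoo.com", "gmail.com", "outlook.com"}

# Digits and symbols commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "8": "b", "9": "g", "|": "l",
})


def normalise(domain: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str):
    """Return the domain after the last '@', or None if malformed."""
    match = re.search(r"@([A-Za-z0-9.\-|]+)$", address.strip())
    return match.group(1).lower() if match else None


def classify_sender(address: str):
    """Return (verdict, matched_domain) for a From: address.

    Verdicts: legitimate, cousin-homoglyph, cousin-typo, unknown, malformed.
    """
    domain = sender_domain(address)
    if domain is None:
        return ("malformed", None)
    if domain in LEGITIMATE_DOMAINS:
        return ("legitimate", domain)

    # Exact match once homoglyphs are undone, e.g. g0ogle.com -> google.com
    norm = normalise(domain)
    for legit in sorted(LEGITIMATE_DOMAINS):
        if norm == legit:
            return ("cousin-homoglyph", legit)

    # One-character typo of the brand label, e.g. gogle.com
    label = norm.split(".")[0]
    for legit in sorted(LEGITIMATE_DOMAINS):
        if levenshtein(label, legit.split(".")[0]) == 1:
            return ("cousin-typo", legit)

    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders, including the article's g0ogle / Yah00 forms.
    for addr in ["alerts@g0ogle.com", "team@Yah00.com", "news@gogle.com",
                 "noreply@google.com", "donor@charity.org.uk", "not an address"]:
        print(f"{addr:25} -> {classify_sender(addr)}")
```

The homoglyph table and edit-distance threshold are deliberately simple; the point is that a cousin domain which fools a human reader ("g0ogle") collapses onto the genuine brand once the substitutions are reversed, which is exactly the kind of feature an ML classifier can weight alongside grammar and other signals.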
As more mail is processed (and more data collected), the tools become more accurate. This has helped such solutions to restore trust in email communications for charities and organisations across the UK.
The human element
Yet one consideration which cannot be overlooked here is the human factor. The effectiveness of ML tools is determined by the people training them and the corpus of data at their disposal. In the long run, human oversight to refine the ML models while intervening to decrease false positives ensures that the ML technology gets smarter and becomes better at separating future phishing emails from legitimate ones. What’s more, with that oversight the systems can learn, adapt and respond more quickly to new attack vectors, which matters because the criminals are working as hard as the IT professionals to perfect their approaches.
Transparency is the final step
To see these tools working as effectively as possible, it is also essential that providers (especially those with self-service models) are transparent about the rate at which they are successfully preventing these attacks and share best practices.
By looking at compliance rates, charities can track their success and, crucially, the potential risks that they (and therefore their customers) face. Using this information collectively, judgements can be made about the potential impact on the digital messaging ecosystem overall. Twilio SendGrid, for example, has recently achieved an email legitimacy rate of 99.99 percent across all outbound mail flow (as of August 2019).
With such figures achieved, any charities and other organisations who choose to turn to these providers to support them in their efforts to stamp out this growing threat can be confident in the reliability and effectiveness of these tools.
What next?
Despite relatively high legitimacy rates achieved in the past (for example, 99.97 per cent), reaching the 99.99 figure is a really significant milestone – especially when you consider the growing devastation caused by these attacks. With no signs of this threat slowing down, we cannot rest on our laurels here. We must invest in the mechanisms that are proving so effective in combatting an issue that, at times in the past, has appeared to be growing out of all control.
Charities and the dedicated staff that run them need to partner with platforms that understand the threat landscape while providing guidance, best practices and proven technical solutions to combating socially engineered attacks like phishing. Charities rely on the good faith of their donors—that faith is rapidly eroded by cyber criminals using a charity’s brand in a phishing attack.
Email continues to be one of the leading communication channels, so cyber criminals will continue to target it and try to find new ways to outsmart ML tools. By investing in these tools, and being open about the results we see, organisations can improve their identification, response and resolution of incidents in the hopes of making the UK phish-free.
Len Shneyder is VP industry relations, Twilio SendGrid