Phishing Attacks in the Communications Industry
Some people would say one of the most precious commodities humans have is their ability to communicate. It keeps them connected to one another through myriad different processes from decision making to discussion to conflict resolution. On a larger scale, mass communications have existed since the 15th century, when the printed word was used to spread information and form a universal narrative among the populace. Of course, this development led to improved roads, faster ships, more effective laws, and a way to communicate with those in far off lands. In essence, communication has become one of our most valuable assets, and for that reason, it also represents one of society’s biggest vulnerabilities in the digital age.
By definition, the communications industry is best understood as a rapidly changing industrial sector focused on the production and distribution of informative and entertaining content. When characterized more generally, this industry is estimated to have contributed more than $457 billion to the U.S. economy in 1999 alone through the production, storage, and transmission of many information goods and digital services. In fact, modernity has seen increased growth in the communication sector precisely because regulatory barriers have been reduced and participation in domestic communications markets has been encouraged. This evolution has led economists and historians of technology to agree that these technological communication systems now have tremendous social and economic impacts on society. And with such power also comes risk, as phishing schemes attempt to capture the “information economy” in the form of data and access.
Why Phish the Communications Industry?
The reasons to phish the communications industry are as plentiful as they are devious. As a global pursuit, this industry connects the entire world through a comprehensive system of data, voice transmissions, and digital trails, all of which generate massive amounts of sensitive data. This makes them a top target for hackers, who are simply looking to gain access. Successful phishing in this industry could potentially jeopardize telephone, internet, and other services for endless subscribers and businesses, all of whom could also be victimized through the leakage of sensitive customer information.
According to the Global State of Information Security Survey, IT security incidents in the communications sector increased 45 percent in 2015 compared to the previous year. While this threat intelligence can help the industry prepare itself with increased knowledge and updated security strategies, the threat remains present and formidable.
Through access to public websites, hackers can gain email addresses for influential employees in all sorts of major telecommunications companies with market values over $50 billion, like Verizon, AT&T, and the U.K.’s Vodafone Group. And with this tidbit of information, they can then bait these megalodons of the business world into giving away sensitive information without even realizing it’s been done. When phisher-men approach these companies under the guise of a benevolent force, they are hoping to glean data in the form of usernames, passwords, and money in the form of personal details. They are also hoping to disrupt one of the world’s most trusted and utilized systems. By posing as a trusted entity, these spoofed emails have the ability to net data from the world’s wealthiest and most powerful industries. For that reason alone, the reasons to phish the realm of communication are obvious.
As humanity continues to hurtle itself towards the future, more and more people are inevitably signing up for telephone and internet contracts, while new telecommunication technologies in developing nations are expanding the customer base of providers. In other words, it’s a behemoth business in the midst of a major growth spurt.
For example, take the leading provider of telecommunications in Asia, China Mobile Ltd.—it has approximately 849 million customers and is considered the top company in its field. To successfully phish a company like this could mean access to millions and millions of valuable information in the form of customer information, payment details, and passwords. As we know, an adept hacker is much like a ray of light which, when shined on any sort of porous surface, will invariably find a way to penetrate the darkness—it uses whatever hole, crack, or tiny chink it can to break through the wall of privacy and gain entrance to the other side.
How are Communication Industries Phished?
As one of the most popular hacking strategies, phishing is about targeting juicy enterprises in an attempt to steal credentials, information, and access. Regardless of who they are trying to bait, phisher-men tend to use the same basic method in their digital expeditions, namely through spoofed emails to the right people. It is not particularly brilliant, but it is particularly effective in some situations. When people read messages they believe are coming from legitimate sources—communications that often raise some sort of alarm or fear in the reader—there is a moment that lies between their initial panic and a more rational response where they may be inclined to click the link provided to supposedly help them solve the problem or learn more. Ironically, this split second when people are trying to protect themselves is typically the time when they hand over the keys to the castle.
In terms of the communication industry, a phishing plot might target the provider itself with simulated traffic and regulatory loopholes, or it might include defrauding subscribers through a breach of their information. This second approach can also be done through SMS phishing, often known as smishing, which operates similarly through the use of baiting text messages. These threats also include Distributed Denial of Service (DDoS) attacks, the exploitation of vulnerable networks, compromising of subscribers, and the possibility of insider participation. Communications companies also face targeted attacks on poorly configured access controls in places where interfaces are publicly available to any internet user.
A good example of this threat becoming reality happened in 2015 when a cyberattack on the U.K. company TalkTalk, allegedly put together by two teenagers, resulted in the loss of about 1.2 million customer emails addresses, including names, phone numbers, and financial information. Although the forensic investigation revealed the hackers had used a smokescreen DDoS to conceal their nefarious activities, the possibility of an equally successful phishing attack is not farfetched.
Three Steps to Prevent Communications Phishing
Understand the Landscape
The first step to effectively protecting the information of any industry, including communications, is two fold—understanding the value of the existing assets and assessing the capabilities of those who would seek to steal them. All communication companies in both public and private sectors need to remain aware of modern threats and the countermeasures available to them. These protective methods may come in the form of security programs, threat detection, incident response, and investigative resources.
Test, Test, And Test Again
The reality is, phishing attacks have only gotten worse. They seem to grow and change in sophistication along with each passing year and continue to pose a problem for those looking to safeguard their systems, customers, and data. This fact can only be countered through a rigorous and constant counter effort where mock drills are used to access their security posture and test their defense mechanisms. With the help of agencies like the Anti-Phishing Working Group (APWG), communications companies can gather phishing emails and spoofed website locations to help them analyze the threat more closely and learn from the successes (and mistakes) of the enemy.
Sound the Alarm
When phishing scams are discovered, reporting becomes essential to increased protection. Customers, professionals, and anyone else involved with the industry should feel supported and encouraged to report any suspicious attempt as soon as they are detected. For this reason, companies need to provide convenient and accessible ways for individuals within the business to share these findings with security experts, who can ultimately use this information to deter and defeat future threats. This reality should not be hidden from the public, as their participation is equally as important in preventing the spread of successful phishing plots.
Although the communications industry is a powerful and influential piece in human contact, its security can be assessed and guarded in much the same way as any big business—through education, collaboration, vigilance, and effective intelligence sharing. A well-conceived, multilayer security system will not only strengthen the fortress of data, it will also give hackers the message that there no gaps for them to pursue. Once this message is received loud and clear, they will hopefully move on to easier targets. But if they don’t, they will find the iron wall is just as impenetrable and forbidding as it looks.