In recent years, phishing has evolved from a mere nuisance into a global epidemic. In 2016 alone, the SANS Institute reported that 95 percent of all cyberattacks began with spear phishing; the Ponemon Institute reported that 86 percent of phishing attacks carried ransomware; and, more recently, the Anti-Phishing Working Group (APWG) recorded a 65 percent increase in phishing attacks over the previous year, totaling 1,220,523 events worldwide.
The supply chain, of course, isn't immune to these threats. Since analysts first declared increased cyber risk to the supply chain inevitable, regulations such as the European Union's General Data Protection Regulation (GDPR), non-regulatory agencies such as the National Institute of Standards and Technology (NIST), and industry-specific bodies such as the North American Electric Reliability Corporation (NERC) have all made supply chain security a priority in their frameworks, guidelines and standards.
The number of possible attack vectors in a supply chain is effectively unbounded, yet attackers commonly rely on only a handful of techniques to get into a network. According to a report by Trend Micro, spear phishing is among the most popular. And as you likely know, it was a spear-phishing email, sent to a third-party HVAC vendor, that gave attackers their foothold for the most publicly damaging supply chain breach to date: the 2013 attack on Target.
Supply Chain Transactions: Who & What Are Vulnerable to Phishing?
While not every supply chain cyber attack begins with phishing, financially motivated attackers use phishing both to deliver ransomware and other malware and to carry out business email compromise (BEC), disrupting and defrauding the transaction process. Within the supply chain, the two systems at greatest risk from phishing are point-of-sale (POS) systems, which handle real-time transactions, and the now more common electronic invoicing systems, which automate manual payment processes for better accuracy and efficiency.
According to Symantec, POS-specific malware kits are "widely available online." As with any spear-phishing campaign, it takes only one employee somewhere in the supply chain to click a malicious link or open a dangerous attachment for an organization's corporate network to be compromised. Once on the network, an attacker faces few obstacles to finding and accessing the POS system database (fewer still if the POS segment is not isolated from the general office network), which stores credit card and other sensitive data from companies across the supply chain.
The same is true for electronic invoicing systems. In many organizations, employees in HR, procurement, finance and other business groups have access to electronic invoicing; they process these invoices, after all. If just one of them clicks a suspicious link or opens a malicious email, attackers can gain access to the network and, in turn, the invoicing software, which lets them falsify invoices, change the address to which checks are mailed, and harvest banking details for fraudulent withdrawals and transfers. Because electronic invoicing is automated and payment cycles can run 90 days or longer, a business may not notice the anomaly until months after the attack. By then the attacker is likely long gone, and the funds with them.
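A payment-side control that catches the redirection described above, as an added example that is not part of the original article: every incoming invoice is compared against the vendor record verified at onboarding, and any change in bank account, remittance address or sender domain holds the invoice for an out-of-band phone check before payment. The data model, field names and sample invoices are assumptions constructed for this illustration, not the schema of any real e-invoicing product.

```python
"""Hold invoices whose remittance details drift from the vendor master record.

Added example (not from the original article): a minimal payment-side control
against invoice-redirection fraud.  The vendor record, invoice fields and
sample data below are constructed for illustration; the schema is an
assumption, not that of any real e-invoicing product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_account: str      # account verified out of band when the vendor was onboarded
    routing_number: str
    remit_to_address: str
    contact_domain: str    # e-mail domain the vendor's AR staff normally send from


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    bank_account: str
    routing_number: str
    remit_to_address: str
    sender_email: str


def _normalise(text):
    """Case- and whitespace-insensitive comparison key for free-text fields."""
    return " ".join(text.lower().split())


def check_invoice(inv, master):
    """Return the reasons an invoice must be held for out-of-band verification.

    An empty list means every remittance detail matches the verified record.
    """
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["vendor id not in master record"]
    reasons = []
    if (inv.bank_account, inv.routing_number) != (vendor.bank_account, vendor.routing_number):
        reasons.append("bank details differ from verified record")
    if _normalise(inv.remit_to_address) != _normalise(vendor.remit_to_address):
        reasons.append("remit-to address differs from verified record")
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.contact_domain.lower():
        reasons.append(f"sent from {sender_domain!r}, expected {vendor.contact_domain!r}")
    return reasons


def triage(invoices, master):
    """Split invoices into (ids safe to auto-approve, {id: reasons} to hold)."""
    approved, held = [], {}
    for inv in invoices:
        reasons = check_invoice(inv, master)
        if reasons:
            held[inv.invoice_id] = reasons
        else:
            approved.append(inv.invoice_id)
    return approved, held


# Constructed sample data: one known vendor, three incoming invoices.
VENDOR_MASTER = {
    "V-0042": VendorRecord("V-0042", "123456789", "021000021",
                           "500 Industrial Way, Dayton, OH 45402",
                           "acme-supply.example"),
}
SAMPLE_INVOICES = [
    # Legitimate: same details, only cosmetic differences in the address.
    Invoice("INV-1001", "V-0042", 12500.00, "123456789", "021000021",
            "500 INDUSTRIAL WAY,  Dayton, OH 45402", "ar@acme-supply.example"),
    # Redirection attempt: new account, a PO box, and a look-alike sender domain
    # (capital I in place of lower-case l).
    Invoice("INV-1002", "V-0042", 12500.00, "987654321", "021000021",
            "PO Box 9912, Wilmington, DE 19801", "ar@acme-suppIy.example"),
    # Invoice from a vendor that was never onboarded.
    Invoice("INV-1003", "V-0099", 980.00, "555000111", "011000015",
            "1 Nowhere St, Springfield", "billing@unknown-vendor.example"),
]

if __name__ == "__main__":
    approved, held = triage(SAMPLE_INVOICES, VENDOR_MASTER)
    print("auto-approve:", approved)
    for invoice_id, reasons in held.items():
        print(f"HOLD {invoice_id}: " + "; ".join(reasons))
```

The point of the design is that the check compares against a record established through a channel the attacker does not control (the onboarding call), so a compromised mailbox or a convincing look-alike domain cannot silently change where money goes; the hold is cleared only by calling the vendor at the phone number already on file, never at one quoted in the invoice email.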
Phishing Mitigation for the Supply Chain
For supply chain vendors, a defense-in-depth strategy, in which multiple security tools harden the perimeter and maintain the integrity of endpoint devices, is advisable. At the same time, organizations should understand that while employees are the front line of defense, they are also the people most likely to voluntarily hand over information.
As such, here are a few ways supply chain executives can help mitigate phishing threats to transaction systems:
- Create organization-wide cybersecurity standards that hold employees accountable for proper IT usage
- Share intelligence between supply chain members so that partner organizations can protect their digital assets from trending attacks
- Define reasonable levels of security and controls that all partners and employees must adhere to, and penalize those who do not comply
- Mandate phishing education and awareness training for all employees and incentivize workers to repeatedly improve their skills
- Use POS systems for nothing other than transactions: block web browsing, social media access and similar non-transaction traffic from those devices
- Ensure Wi-Fi is strongly protected, and place electronic invoicing software on a network segment that guests cannot reach
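One way to enforce the transaction-only rule for POS terminals in the list above, as an added example that is not from the original article: export the terminals' network flows and audit them against an allow-list of the only destinations a terminal needs (payment gateway, internal DNS, internal management server). Anything else, whether a social media site or an unexpected internal port, is a violation worth investigating. The allow-list entries, host names and the flow-log format are constructed assumptions for this example.

```python
"""Audit POS egress flows against a transaction-only allow-list.

Added example (not from the original article): given network flow records from
POS terminals, report every connection that is not to an explicitly permitted
destination.  The allow-list entries, host names and flow lines are constructed
sample data; the log format is an assumption, not any real product's output.
"""
import ipaddress
import re

# Destinations a POS terminal legitimately needs (constructed for this example).
POS_ALLOW_LIST = [
    ("203.0.113.10/32", 443, "tcp"),   # payment processor gateway
    ("10.20.0.53/32", 53, "udp"),      # internal DNS resolver
    ("10.20.0.0/24", 8443, "tcp"),     # internal POS management/update server
]

# Assumed flow-record layout: "<timestamp> <host> <src> -> <dst>:<port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>tcp|udp)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; raise on anything unexpected."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    record = m.groupdict()
    record["port"] = int(record["port"])
    return record


def is_allowed(dst, port, proto, allow_list=POS_ALLOW_LIST):
    """True if (dst, port, proto) matches an allow-list entry exactly."""
    addr = ipaddress.ip_address(dst)
    for cidr, allowed_port, allowed_proto in allow_list:
        if addr in ipaddress.ip_network(cidr) and port == allowed_port and proto == allowed_proto:
            return True
    return False


def audit_flows(lines, allow_list=POS_ALLOW_LIST):
    """Return violations as (host, dst, port, proto) tuples, in log order."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_allowed(flow["dst"], flow["port"], flow["proto"], allow_list):
            violations.append((flow["host"], flow["dst"], flow["port"], flow["proto"]))
    return violations


# Constructed sample flows: two permitted, two to an outside web host,
# one to the DNS server on a port that is not on the allow-list.
SAMPLE_FLOWS = """
2017-05-01T10:02:11Z pos-07 10.20.5.7 -> 203.0.113.10:443 tcp
2017-05-01T10:02:12Z pos-07 10.20.5.7 -> 10.20.0.53:53 udp
2017-05-01T10:05:40Z pos-07 10.20.5.7 -> 198.51.100.23:443 tcp
2017-05-01T10:05:41Z pos-07 10.20.5.7 -> 198.51.100.23:80 tcp
2017-05-01T10:06:02Z pos-12 10.20.5.12 -> 10.20.0.53:853 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for host, dst, port, proto in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {host} -> {dst}:{port}/{proto}")
```

The same allow-list is what the terminal's host firewall or the POS VLAN's egress rules should enforce; the audit exists to prove that the enforcement is actually in place and to catch the terminal that was quietly given a browser "just this once".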
Unfortunately, phishing is not going away anytime soon, and neither are electronic payments. For financially motivated attackers in particular, phishing, spear phishing, BEC and other social engineering attacks against supply chains are high on reward and low on risk. As organizations independently, and supply chains collaboratively, explore new ways to reduce cyber risk, phishing mitigation should, and will, continue to play an important role.