Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Pepco Group, a leading European retailer, recently disclosed a significant financial loss due to a phishing attack on its Hungarian operations.
The incident, which led to a €15 million setback, sparks a conversation about the sophistication of cyber-attacks and the measures companies must take to protect themselves.
What happened to Pepco?
Pepco, operating across 21 countries with a vast network of 4,800 stores, fell victim to a “sophisticated fraudulent phishing attack,” resulting in a cash loss of approximately €15.5 million before any potential recovery efforts.
“The attack has resulted in a loss of approximately €15.5 million in cash, before any potential recovery.
It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police.
At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data.”
Pepco Group’s security notice (Source)
Spear phishing, Phishing as-a-service and generative AI
According to Statista, in 2022, over half of the surveyed organizations worldwide encountered malware infections due to a spear-phishing attack.
Spear-phishing is a tactic that involves sending emails from seemingly trusted sources to dupe recipients into transferring money or divulging sensitive information.
Its success largely depends on its personalized approach and the psychological manipulation of its targets.
Phishing-as-a-Service
In addition, Phishing-as-a-Service has significantly lowered the barrier to entry for cybercriminals, simplifying access to phishing tools and techniques.
This model, similar to legitimate software-as-a-service offerings, provides everything an attacker needs — from phishing kits to fake websites — for a fee.
This accessibility has led to an uptick in phishing attempts, with attackers no longer needing advanced technical skills to launch successful scams.
LLMs and phishing
Large language models can tailor phishing emails and messages with a level of personalization and sophistication previously unattainable for the average cybercriminal.
By analyzing and mimicking the communication style of specific individuals or organizations, LLMs can produce content that appears legitimate to unsuspecting recipients.
This not only raises the success rate of phishing attacks but also makes it harder for people to distinguish between genuine and malicious communications.
Anti-spear-phishing measures
To protect against spear phishing attacks, companies should implement a comprehensive security strategy that includes:
Employee training
Employees need regular training to understand spear phishing. Phishing courses and tests are a good way to practice spotting these threats.
Multi Factor Authentication (MFA)
Use MFA for access to data and systems that are sensitive. With multifactor authentication (MFA), even if credentials are stolen, unauthorized access is still stopped.
It also significantly enhances security against credential stuffing, brute force, man-in-the-middle attacks, and session hijacking.
Multi-layered security solutions
Investing in comprehensive cybersecurity solutions can help you prevent spear-phishing attempts. Your “anti spear-phishing stack” should include endpoint security products such as:
- DNS filtering to block access to malicious sites
- email fraud protection to counteract deceptive emails
- an EDR solution to actively monitor, analyze, and respond to endpoint threats in real-time.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
If you liked this piece, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
