July 16, 2019

NCSC thwarting of airport phishing scam “massively encouraging progress”

By Lucy Ingham

The news that the UK National Cyber Security Centre (NCSC) successfully thwarted an extensive airport email phishing campaign, revealed in the NCSC annual report today, has been welcomed by cybersecurity experts.

The phishing campaign used a fake gov.uk address to attempt to send 200,000 people emails that appeared to be from an unnamed UK airport. These were designed to scam recipients into paying a fee under the illusion that they would receive an increased refund.

However, the emails never reached their intended recipient, as the NCSC stepped in and blocked them from being sent. It also took the scammer’s real email address offline to prevent any replies from being received.

According to the NCSC annual report, it was one of 140,000 separate phishing attacks successfully blocked by the GCHQ-backed organisation.

NCSC annual report a strong sign of progress

For cybersecurity professionals, the news is extremely welcome, as it shows the benefits of having a government cybersecurity centre.

“This is a massively encouraging progress report we have received from the NCSC, and the UK is extremely wise to have invested in such a diligent dedicated cybersecurity centre in order to combat cybercrime,” said Corin Imai, senior security advisor at DomainTools.

“Phishing is one of the most common and sadly one of the most effective methods of extracting funds by nefarious means from the general public, so the NCSC being able to stop 140,000 separate phishing attacks is a step in the right direction.”

Airport phishing campaign shows attacks remain a significant issue

While the news is very positive, the fact remains that phishing is a significant and severe problem – and that more still needs to be done to combat the issue.

“Email attacks have so far cost $12bn to businesses and governments, and are one of the most common and dangerous methods to infiltrate an organisation,” explained Nick France, email security expert at Sectigo.

“Attackers use them to implant malicious software in the organisation’s networks, or trick employees into handing over funds or confidential information.”

For Imai, other countries need to take note of the successes outlined in the NCSC annual report, and invest in their own similar organisations.

“There is only so much that one organisation can do on its own – even a government funded one. With an estimated 1.5 million new phishing sites created every month, cybersecurity teams at governments all over the world need to be working as hard as the NCSC,” she said.

“In addition to this, organisations and educational institutions need to make a base level of phishing training available for everyone who has internet access.

“Taking the profitability out of phishing scams is ultimately how we can continue to build on the good work of the NCSC and move towards making phishing a thing of the past.”

Read more: How to spot spear phishing and protect your business from costly attacks