So Long and (No) Thanks For All the Phish
You’re probably familiar with phishing, a common form of social engineering fraud in which a scammer tries to gain the trust of his or her targets using email or other digital means. By digitally masquerading as a trusted third party, scammers seek to pull personal information, like passwords, bank account numbers and credit card numbers, out of their victims. Phishing is also a particularly effective method for inserting bots or malware into enterprise networks.
While you might think that only a fool would fall for a phishing ploy, consider this: Phishing attacks were among the top malware delivery mechanisms in 2017. And each year businesses lose half a billion dollars because of phishing attacks.
Part of the reason that phishing is so successful is that the messages are contextually relevant. For example, you probably received quite a few “New Year” themed phishing emails this month, promising you too-good-to-be-true “deals of the century!” By using true-to-life events and themes, phishing attacks often fly under the radar. And while this lack of awareness is problematic, to say the least, for individual email users, it becomes catastrophic when phishing succeeds on a corporate level.
Phishing in and of itself can cause quite a lot of damage but an even more insidious variant of phishing is spear phishing. While attackers may send millions of generic phishing emails, spear phishing is addressed specifically to a particular individual or company. Often, it’s directed to a CEO, CFO, or someone with access to financial or highly sensitive systems.
Spear phishing attacks are quite serious and have been responsible for a number of very large data breaches, including Target, Sony and the Democratic National Committee. Even Facebook and Google have had unconfirmed spear phishing incidents. Clearly, this is not a security problem that is going away anytime soon, so organizations must take heed and develop an action plan to deal with the issue.
With that in mind, what are some actions you can take to keep your users from becoming phishing victims?
- End-user education – First off, forget about security awareness. The old awareness paradigms simply don’t work when dealing with new and aggressive phishing techniques. When it comes to phishing, you need user education. This is a much stronger and more formal approach to the topic. A single PowerPoint slide isn’t enough to stop a determined scammer who has his or her sights on your organization. Users need to be educated to truly and deeply understand the threat of phishing. Help them understand what to look out for in order to avoid becoming victims.
Train your users to never click on legitimate-looking links that ostensibly lead to known retailers, banks and payment sites. Instead, teach them to enter the site manually or use a trusted bookmark. In addition, show them how to recognize wonky and dangerous URLs and domains that lurk inside an otherwise convincing phishing attempt or other malicious email.
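As an added illustration of the “wonky URL” checks described above (example code, not from the original post), the small Python scanner below applies three of those heuristics to the links in a constructed sample email: the link text shows a domain that differs from the real target, a known brand name appears inside an unrelated domain, and the host uses a punycode (IDN) label. The brand list, the sample message and the `.invalid` hostnames are all assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample email body (hypothetical, not from the post); .invalid never resolves.
SAMPLE_EMAIL = """
<p>Your account is locked. Log in at
<a href="http://paypal.com.secure-login.invalid/verify">https://www.paypal.com/signin</a>
to restore access.</p>
<p>Newsletter: <a href="https://www.example.com/news">www.example.com</a></p>
<p>Offer: <a href="https://xn--pypal-4ve.invalid/deal">PayPal deals</a></p>
"""

# Brands the organisation expects to see impersonated (assumed list).
KNOWN_BRANDS = ("paypal.com", "example.com")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable_domain(host: str) -> str:
    """Crude registrable domain (last two labels); fine for the demo, not for co.uk-style TLDs."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, text: str) -> List[str]:
    """Return the phishing heuristics that fire for one <a href> / anchor-text pair."""
    findings: List[str] = []
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host)
    # 1. Punycode label: an internationalised name that may be a homograph of a brand.
    if "xn--" in host:
        findings.append("idn-punycode")
    # 2. Brand name appears in the host, but the registrable domain is not the brand's.
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        if name in host and reg != brand:
            findings.append(f"brand-lookalike:{name}")
    # 3. Anchor text shows a URL/host whose domain differs from where the link really goes.
    m = HOST_IN_TEXT_RE.search(text.strip())
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"display-mismatch:{registrable_domain(m.group(1))}->{reg}")
    return findings


def scan_email(body: str) -> Dict[str, List[str]]:
    """Map every href in the body to the list of heuristics it triggers."""
    return {href: check_link(href, text) for href, text in LINK_RE.findall(body)}


if __name__ == "__main__":
    for href, hits in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", hits or "ok")
```

The same three checks are what a user should run in their head before clicking: hover to see the real target, look for a brand name buried in someone else’s domain, and treat `xn--` hosts with suspicion.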
- ‘Spearhead’ intensive training for every CxO – Sophisticated social engineering, efficient data reconnaissance, software exploits and targeted spear phishing are popular and effective tactics for attacking organizations. While training for end-users may be conducted in larger groups or via online training, every CxO or senior executive, and anyone with access to accounting and finance systems, must have individual, practical education on how to recognize and parry phishing attacks. Because these people are singled out for the most sophisticated and convincing spear phishing attacks, they are particularly vulnerable and need correspondingly rigorous training.
- Hardware and software solutions – Solutions such as anti-virus software, firewalls (both at the perimeter and personal firewalls), email and spam gateways and the like are designed to prevent the majority of attacks by preventing suspicious traffic, files and even fileless threats from getting onto your network and endpoints. While it’s true that no known technology can detect and prevent every single attack, having the right setup does go a long way in stopping phishers.
- Implement a layered defense – Place multiple layers of security controls throughout the organization to ensure that there’s no single point of failure that exposes the network to a broad-scale attack. Advanced technology such as remote browser isolation, for example, can proactively shield endpoints against even undetected browser-borne threats, preventing phishers and other cyber criminals from gaining entry through this popular threat vector.
When it comes to training your users (and yourself!) to recognize and avoid phishing threats, there are no shortcuts. But Don’t Panic: While no single solution is completely foolproof, a combination of multiple security controls along with comprehensive security education and awareness can keep your organization safe and secure in the face of ever-changing attack methods.