Phishing attacks are growing more sophisticated, and spam filters aren't effective against every kind of attack. Old-style spammers sent the same message to multiple people, hoping some of them would take the bait.
The newer, more dangerous approach targets individuals. It's called spearphishing, whaling, or high-stakes phishing.
A spearphishing message is built on knowledge of the person it's aimed at. It includes personal details, and it pretends to be from someone the victim knows. It's typically aimed at high-ranking executives or other people who control valuable assets. The messages are cleverly tailored, and they can fool people who would laugh at a traditional attempt to trick them.
The aim may be to get account passwords by tricking the target into using a fake login page. The attack could also be designed to place ransomware or spyware on the victim's computer. Some messages urge the target to make a monetary transfer, which goes to the perpetrator's bank account and can't be recovered.
Filters and anti-malware software will reduce the risk, but they don't eliminate the problem. This is why it's so important for employees, including top executives, to get training in spotting those messages and avoiding their traps.
The Importance of Training
The leading cause of computer security incidents is human error. Breaking into a network by exploiting software weaknesses is hard. Tricking people into unlocking the door is a lot easier. Criminals focus on that, more than any other method, for taking control of systems and getting at private data.
They keep making their deceptions more elaborate and subtle.
When people fall for these tricks, expensive breaches may result. For example, a company could immediately lose confidential information and monetary assets. Furthermore, fixing the problems takes time away from productive work as systems could be unusable for a while.
Ransomware attacks are among the worst. If a user receives a fraudulent email message and opens its attachment, the malware in it could encrypt important files on the machine. The company then has to pay to get the files restored (which often doesn't get anything back) or spend time recovering them.
As spearphishing messages become more clever, more people fall prey to them. If they don't have training in recognizing the latest tricks, they may mistake a fraudulent message as one from a manager or customer and throw caution away.
Senior management needs to receive training along with everyone else. They're the most lucrative targets. A message to them might seem to come from a person they regularly work with. "Some unexpected expenses came up. Please wire $5,000 to bank account 12345678. I need this right away if possible."
To a busy executive who trusts the employee, this could seem like a simple matter to be squared away later. But, unfortunately, the bank account belongs to a criminal, and any money sent to it will disappear for good.
Training Promotes a Culture of Security
There is good training, and there's bad training. The creators of effective training packages understand people and how they learn. Explaining mistakes leads to improvement; making people feel bad leads only to frustration. Employees need to understand that phishing is a serious matter, but they should feel encouraged to improve, not lectured for their stupidity.
Promoting a culture of security gives the best results. Employees should consider themselves partners in keeping their systems safe. There should be a sense of satisfaction in deleting or reporting a deceptive message.
How managers use email is part of the picture. If they write sloppy messages, employees will get used to them and not question badly written phishing mail. If they claim everything they write about is urgent, they'll desensitize employees to fraudulent messages insisting on an immediate response. If they complain when employees ask for verification of unusual requests, employees will learn not to be skeptical.
People who get email need to be encouraged to think about every message they get and to ask questions if something doesn't seem right.
The Latest Phishing Tricks
Today's phishing email uses tricks that were rare or unknown a couple of years ago. Training courses are essential in keeping employees up to date as these tricks continue to evolve.
Secure websites: A few years ago, a link to a secure (HTTPS) website was an indicator that the message came from a trustworthy source. The situation has vastly changed. Anyone can get a TLS certificate for free and set up a secure site without much effort. All that an HTTPS link proves is that what you're seeing is what the server sent you and that no one can intercept the communication.
It says nothing about the safety of the content.
Social media and other channels: An increasing amount of phishing goes through channels other than email. It can come through SMS messages, messaging applications, and social media communications. People aren't as used to getting fraudulent requests from those channels, and they aren't always on guard about what they get.
URL impersonation: This is a very old trick, but some variations of it have become more common lately. Lookalike characters are one method. The Greek letter omicron (ο) is hard to distinguish from the letter o, but some registrars allow it in a domain name.
Using a subdomain that looks like a well-known domain, such as microsoft.com.crookedsite.com, is another way to fool people. On a cell phone screen, users may only see the start of the domain and not realize it's a trick.
Redirection in attachments: Attachments in an untrusted email are dangerous in several ways. One of the latest tactics is to put a meta redirection header into one. When the victim opens it in the browser, it will take the victim to a malicious website. Since the message doesn't link directly to the rogue site, filters that look for dubious links won't catch it.
Security Software Helps But Isn't Enough
Email filters will keep many phishing messages out. Anti-malware software reduces the chances that opening one can cause harm. Authentication with SPF, DKIM, and DMARC catches impersonation attempts. However, these protections won't stop all spearphishing messages.
Content that is clever enough to fool people will fool software as well. Dangerous links can be disguised. Not everyone uses authentication. Lookalikes won't look alike at the bit level, but obfuscation can make it hard for code to catch them. Anti-malware software won't always catch zero-day exploits.
Human judgment is needed as well. If something doesn't look right about a message, the recipient should know what to do. A request by a different channel for verification can clear up the situation, and usually, it isn't necessary to act instantly.
Training will help employees, including executives, to spot messages that don't look right. Test messages will help keep their skills sharp and identify types of phony messages they weren't previously aware of. When everyone adopts good email safety practices, a business has fewer security incidents and operates more confidently.
Cyber Security Awareness Training
At VC3, we understand that the best defense includes both technical and non-technical layers. Contact us to learn about the training options that are available to your business.