How can we foster a company culture that allows us to effectively defend against them?
Phishing is a huge problem for organisations and individuals across the world. In fact, a recent piece of research from Beaming revealed that almost 1.3 million UK companies were hit by phishing in 2016, which highlights just how significant the threat has become.
With today’s fast-paced, multi-tasked workplace culture, it is easy for phishing emails to slip through the cracks and gain entry through even the most careful employees. This is why, despite more than a decade of experience in researching and combating phishing, it continues to be the biggest security threat many organisations are faced with today.
Due to the success of phishing, cybercriminals are working around the clock developing new phishing techniques to ensnare more victims. As a result, there are many, many different species of phish, some which are harder to detect than others.
So the questions for organizations to ask themselves are simple; How do we identify the various types of phishing attacks, and how can we foster a company culture that allows us to effectively defend against them?
Different Species of Phish
The ability to effectively seize the phish every time, and help employees become more successful at identifying and thwarting phishers starts with a clear view into the types of campaigns that are used.
These can be categorised as untargeted or targeted:
- Untargeted (Amateur): This type of campaign sits on a blurred line between spam and phishing. Most of the emails are caught by email filters, and those that make it through rarely fool the average user.
- Untargeted (Sophisticated): The distinction between this kind and the amateur untargeted approach is that it is designed to look more realistic and trick users into clicking on a malicious attachment or link. These are still mass, widespread campaigns, but can be harder to detect.
- (Targeted) Spear Phish: Spear phishing is targeted at a specific individual, usually to either harvest credentials, drop malware, or both. These types of attacks are often not caught by email filters and can be much more dangerous than mass campaigns.
- (Targeted) Business Email Compromise (BEC): This type of phish is evolving quickly – the FBI’s Internet Crime Complaint Center noted a 1,300 percent increase in exposed losses from these attacks since January 2015. It is also the most dangerous species as it involves spoofing the domains of a target’s trusted colleagues and partners, through emails usually directed at high-ranking executives or officials with the aim to steal money or IP. The growing number of BEC incidents shows us that phishers are creative, motivated and will not be deterred even as mainstream cybersecurity awareness improves.
The Key Motivations for Phishers
Phishers have many motivations. They are typically financially driven, but we have also witnessed targeted phishing campaigns with geo-political or espionage intentions. A spear phishing or BEC attack could be used for any purpose aimed at stealing something of value from a specific victim. Common goals include:
- Credential harvesting: Campaigns trick targets into inputting their username and password on a phony login page.
- Malware injection: A phisher lures victims into clicking on a malicious attachment or link that prompts a malware download.
- Taking a specific action: Targeted, typically sophisticated emails requesting the transfer of funds or sensitive information to phishers posing as a trusted source.
Approach and Defence
Remaining one step ahead of the steady stream of phish swimming into the organisation may seem like an impossible task. However, companies that are successfully dealing with these challenges take a holistic approach that includes a strategic combination of people, training, email filters and other technology to bolster defences.
Training: Phishing is without a doubt largely a human problem. Therefore, the solution starts with educating your people, and building security in as part of the company culture. Gamification of training processes that make learning about threats fun, along with positive reinforcement for successfully identifying incoming threats, is a great way to ensure long-term participation from employees. Organisations can also offer rewards for employees that catch real or training-based phishing emails without clicking on them.
Proactive Monitoring: Domain spoofing is at the root of BEC campaigns, and organisations will see a much higher rate of success in thwarting these attacks if they do proactive domain monitoring. In the massive Anthem data breach in 2015, hackers used the domain we11point.com – a spoof on Anthem’s former company name, Wellpoint – to launch targeted attacks that tricked employees into entering their internal corporate credentials, which gave the attackers a foothold inside the protected network. Proactive domain monitoring could have enabled Anthem to identify and block this domain proactively, before the breach succeeded. This type of tracking is an emerging anti-phishing tactic that adds to an organisation’s overall defence.
Employees are often viewed by information security teams as a liability, especially as so many cyberattacks result from employee negligence or misconduct. However, with well-trained employees that understand their important role and the impact sound security has on the health of the organisation, it is possible to keep pace. The addition of technology that monitors domains and ongoing phishing activity is the final piece that rounds out a sustainable and continuous security strategy that can stay ahead of the threats.