To illustrate how valuable people are in preventing phishing attacks, Cofense’s Andy Spencer tells the story of a marble statue purchased by the J. Paul Getty Museum about 35 years ago.
The museum was told that it was an ancient Greek kouros, one of only a handful still intact. High-tech tests seemed to bear that out, so the museum bought the statue for about $10 million.
At the ceremony to unveil the statue, Spencer said, one art historian told museum officials, “You purchased a forgery. I can’t explain why, but I look at that statue, and it’s a fake.” Today, the statue is dated “about 530 B.C., or modern forgery.”
There’s a lesson for organizations looking to battle phishing, Spencer said: “We must arm our users with the knowledge, with the experience — with the intuition — to judge an email for what it’s worth. We put technology in place, of course, to solve this problem, but at the end of the day, no matter how good that perimeter technology is, some email is going to get through.”
Since January 2015, phishing attacks have touched more than 78,000 organizations and have resulted in more than $12 billion in direct losses to companies, according to FBI statistics. But as more companies adopt anti-phishing training and tools, such as those provided by Cofense and Proofpoint, the attacks are growing harder to spot.
Organizations Must Protect High-Value Users from Phishing
Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, described one attack where the link embedded in the email looked benign to the gateway technology monitoring incoming traffic. But once inside the system, the link redirected to a malicious site.
Another involved the hack of a CEO’s Office 365 calendar; the attackers were then able to spoof an email from him to his CFO saying correctly that he was caught in a meeting, and could the CFO wire money to a particular account?
“You have a tough time blaming the CFO,” Kalember said. “Everything about the email was correct.”
New defenses focus on protecting such high-value users — people with access to critical information and company cash. At an Italian automaker, an executive assistant based in China was the main target of phishing attacks because of her proximity to top-ranking executives.
“Every single one of those attacks had been blocked,” Kalember said. “Over a six-month period, she’d gotten about 2,400 of them. But she had absolutely no idea. Giving her that understanding made it a whole lot easier to better protect her.”
Those protections can seem onerous at first: limited web browsing, tougher whitelisting, stronger screening of incoming mail, more attention to email in general, reporting anything that looks suspicious. But simple courtesy can often help a company get over this hump.
“It’s so important to get back to the users and say, ‘Thank you very much for reporting this, it was important,’” Spencer said. “And then give them some piece of information: ‘Don’t worry about that particular email, it was just general spam.’ Or, ‘Thank you very much, this was a previously unrecognized threat, and you have helped protect the company.’”
How to Create Stronger Cybersecurity to Mitigate Phishing Attacks
Here are other ways to close the loop and prevent phishing emails from wreaking havoc on a company:
- Re-credential any user who may have clicked on a malicious link or attachment.
- Monitor more closely where email originates; if there’s no reason for a company to get email from a Nigerian location, for example, that should raise a red flag, Kalember said.
- Limit the number of login attempts permitted before the user is logged out. This will prevent brute-force attacks, where hackers simply try endless password combinations until they hit the right one.
- Adopt preventive tactics, such as Domain-based Message Authentication, Reporting and Conformance. DMARC enables email servers to determine whether a message is actually from the sender, then deletes forged emails or marks them as spam.
Federal agencies are required to have most of the DMARC requirements in place by the end of the year, but the private sector has been slower to adopt it, Kalember said.
Anti-phishing training remains valuable, although not always for the reasons companies expect, said cybersecurity expert Brian Krebs, who writes the Krebs on Security blog. While training does teach employees what to watch out for, it also uncovers which employees need to be watched.
“The bad guys are in there all day, penetration-testing your users, and you might as well be doing the same thing,” Krebs said. “At the end of the day, you’re probably not going to move the needle much in terms of how many people click, but at least you get a much better idea of the users in your organization that need specific, granular security controls around them.”
>>Download CDW’s Cybersecurity Insight Report to learn more about how organizations are implementing security measures.