This post is an abridged version of a post that originally appeared on ITPROPortal
Targeted phishing remains one of the most frightening threats out there today. In 2017, nearly 400 businesses faced targeted phishing attacks every day! Business email compromise (BEC) costs businesses billions every year. There have been cases with impacts of every degree, like the Washington couple who lost a million dollars to someone impersonating a title company, or the Lithuanian man who scammed Facebook and Google out of a collective $100 million by creating fake invoices.
Urgent requests for payment have always been effective on unsuspecting victims. With all the resources about individual professional lives and organizational structures available online (think: LinkedIn), it’s only become cheaper for the scammer to research their next victim and execute an attack.
Targeted phishing scams are engineered to exploit three weak points in their victims:
Familiarity: By impersonating a vendor, partner, or colleague (even down to the domain), the attacker supplies a familiar cue that acts as a mental shortcut and lowers the victim's skepticism.
Inattention: A target who makes dozens of decisions a day and handles perhaps a hundred emails a day doesn't have time to over-analyze every message.
Urgency: Framing the payment or fulfilment as an immediate need that requires rapid action creates an environment in which the victim acts quickly and misses important cues.
The structural elements of email further enable phishing. The ability to send from lookalike domains, to spoof email addresses (especially the "header from" address) and to set a mismatched reply-to address is an increasing headache for conventional email filters. This matters all the more because, depending on the study, anywhere from 10-25% of your colleagues will click a link in a malicious email.
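As an added example that is not part of the original post, the following Python check shows how a mail gateway or SOC script could test a message's headers for exactly the three tricks just described: a Reply-To pointing somewhere other than the header From, an envelope sender (Return-Path) that disagrees with the header From, and a header From domain that is a near-miss spelling or sub-label of a known partner domain. The allowlist, the sample message and the two-edit typosquat threshold are constructed assumptions.

```python
import email
from email.utils import parseaddr
# Constructed allowlist of partner domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}
def domain_of(header_value):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # near-miss spelling, or the trusted label buried in a longer name (acme-supplier.com.evil.net)
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None

def check_headers(raw_message):
    """Flag Reply-To / envelope mismatches and a lookalike header-From domain."""
    msg = email.message_from_string(raw_message)
    hdr_from = domain_of(msg["From"])
    findings = []
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != hdr_from:
        findings.append("reply-to-mismatch")
    envelope = domain_of(msg["Return-Path"])  # envelope sender as recorded by the receiving MTA
    if envelope and envelope != hdr_from:
        findings.append("envelope-mismatch")
    imitated = lookalike_of(hdr_from)
    if imitated:
        findings.append("lookalike:" + imitated)
    return findings
# Constructed sample: a BEC-style message using all three tricks at once.
SUSPICIOUS = """\
Return-Path: <bounce@mailer-9.example.net>
From: "Dana (Acme AP)" <ap@acme-suppiler.com>
Reply-To: <acme.ap@webmail-example.org>
"""
```

The substring test deliberately over-flags (any domain containing the trusted label), which is the right bias for a triage signal that a human or a later layer reviews.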
The Inadequacy of Conventional Email Filtering
Most email filtering currently used by the average small or medium-sized business doesn't address these issues well enough to weed out malicious emails. DMARC is growing in prominence, but it is designed to stop broader attacks, not the targeted attacks that are thoroughly researched and directed at a single victim.
Worse, once the attackers gain access to a compromised account within whitelisted domains or organizations, especially on O365 and other cloud services, the damage can be extensive. A single compromised account can easily result in the discovery of the accounts that authorize financial transactions. Changing wiring instructions can then be a cinch.
A conventional spam filter scores emails and looks for waves of spam or malicious content. However, with highly targeted phishing, the often one-off nature of the email makes it easier for scammers to get past conventional security. Top this off with malicious attachments and URLs that deliver malware, ransomware, zero-day exploits or simply fake invoices, and one can see how easy it is to catch a user in an unsuspecting state of mind.
Socially Engineered to Beat Your Conventional Security
Multi-factor authentication (MFA) has been a failsafe in the industry for a long time. However, scammers are learning to beat MFA systems. One example is setting up a phone number and confirming the transaction, or even making the call preemptively. If an employee is uninformed, this can often be enough to secure confidence in the transaction. There is an opportunity to improve awareness and training, which can dramatically reduce the effectiveness of many attack vectors – but given the realities of the workplace, a socially engineered attack may be too much for your average employee to recognize.
Beyond Conventional Spam Filtering
The first requirement of better spam filtering is that it address the evolution of attacks. Defending against attacks only after they have been executed is the epitome of inadequacy. An effective spam filter recognizes threats in real time and prevents delivery. It uses machine learning to identify trends across billions of emails, and anything remotely suspicious is flagged before it gets to your servers.
It is not set-and-forget; it requires that IT specialists regularly monitor email flows to ensure the bad stays out. This applies across the whole security system. You need multi-layered security: attachment defense, URL defense, spam filtering and anti-virus, all packaged in a way that is intuitive to manage.
Find a solution that addresses the specific attacks that are projected to grow over the next few years, and please remind all your employees – if it’s too good to be true, it probably is!