Security awareness and spear phishing: How to stay out of danger
Have you ever received an e-mail that urges you to act quickly and provide your username and password, or one that asks for your birth date and Social Security number through a legitimate-looking (but fraudulent) website to verify your identity? How about a computer request to update your bank details and personal information with the warning that your account was compromised and might be closed if you do not comply?
The first instinct is to click on the provided link or open the attachment to address the request. In reality, such e-mails should always ring alarm bells for recipients. They might in fact be a phishing attack.
A recent post from Appthority co-founder Kevin Watkins disclosed a previously unknown vulnerability in iOS that could be used to exploit MDM (mobile device management) clients and subject victims to spear phishing attacks, among others. With that in mind, here’s what you need to know to stop a potential attack happening to your organisation.
Phishing is a technique used by cyber-criminals to lure users into handing over personal information or visiting a fake website. The phishers’ goal is to gain access to sensitive information on the network. Often these attacks use botnets to disseminate a request for information to a large number of people in the hope of receiving even a single reply. After all, all it takes is for one person to reveal sensitive data or unknowingly install malware. It is an ever-evolving problem worldwide (see phishing infographic), with more and more people falling prey to such schemes.
One recent example has been the IRS Impersonation Scam; in this case, several Americans reported falling victim to someone claiming to work for the IRS. Many received messages (phone calls or e-mails) and found out later, after having been deceived and having revealed information, that they had not in fact been contacted by the bureau of the Department of the Treasury. The messages ranged from telling the recipient they “owed money” and they “better pay now,” to “put money on a prepaid debit card or wire the money.” Sadly, some of those who received such a bogus message fell for the trick and lost their money, while the cyber-thief got away with a successful scam.
Sometimes, however, these attacks are targeted at a particular individual or group of people within an organisation. Spear phishing might be even harder to recognise as the baits are tailored and personalised and seem even more legitimate. Attacks can come from instant messaging, social networks, and other forms of electronic communication.
Too often potential victims are convinced the e-mails are from a reliable source and are ready to give up personal info without further explanation as to why they are being asked to release it. E-mails seem to be sent from a ‘trusted’ source, but they are actually designed to trick the recipient into giving away sensitive information (e.g., credit card, account number, PIN, SSN, etc.) to the scammer.
Depending on the scope of the spear phishing, criminals might go a long way to create legitimate-looking e-mails using realistic names, logos, and information. They may also create entire fraudulent websites as bait.
Ways to prevent it
Firewalls and malware scans can aid in the fight against spear phishing. Systems administrators can use tools that help recognise suspicious traffic and screen employees’ social media use on the network, so that phishing attempts are caught before, not after, a scam incident. However, technical solutions are not enough to counteract spear phishing attacks; they can only partly help in recognising e-mails with malicious intent.
As John Toon, a researcher from GTRI, explains, “the success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.” Since the target of these attacks is actually the user, it is the user who needs to be the first line of defense. Security awareness training, then, is the best defense against these attacks. The more end users are made aware of the risks, the better they will be able to resist acting on impulse when pressed for information and to evaluate each request.
Training also needs to be given to executives and senior officials in a company, as they are often the primary targets of spear phishing attacks. Arming corporate employees with knowledge might not prevent spear phishing, but it can help diminish its likelihood.
According to Alan Paller, SANS research director, “95% of all attacks on enterprise networks are the result of successful spear phishing.” Equipping users with the knowledge to recognise most attacks can help strengthen the security posture of any company. A well-trained team can be taught to recognise the signs of a phishing e-mail, phony website, or other suspicious behaviour online before it is too late.
Employers need to ensure their workforce understands the types of scam attacks they may face, in addition to the risks involved and how to address them appropriately. Becoming aware of phishing techniques can ultimately provide a greater sense of awareness when these strategies surface, points out Entrust, a company that provides identity-based security solutions.
How spear phishing awareness training can be effective
Teaching corporate employees how not to fall victim to spear phishing may be the best defence against these attacks, which continue to be a problem. Training sessions on how to detect these spoof e-mails, and how to distinguish them from genuine e-mails sent by legitimate senders, may help keep staff from falling prey to such scams.
Training needs to address the basics of spear phishing and its prevention first. As Stephen Northcutt of the SANS Technology Institute explains, to avoid spear phishing users should:
- Never provide personal or financial information in a response to an e-mail request.
- Not act on suspicious emails.
- Not open attached files or click on links without first verifying the sender and the link’s actual URL. Curiosity not only killed the cat, but opened the house!
- Report any recognised phishing attempts.
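The checks in the list above (who really sent the message, where its links really point, whether it pressures the reader to act) are exactly the ones a trained user performs by eye, and they can also be surfaced automatically to support a triage or reporting workflow. The script below is an added example, not code from the original article or from any vendor named in it; the sample e-mail, its domains and the indicator wording are constructed for illustration, and the domain-matching uses a deliberately crude last-two-labels approximation rather than the public suffix list.

```python
"""Surface the spear-phishing indicators that awareness training asks users
to check by hand: sender vs. Reply-To domain, link text vs. real link target,
links outside the sender's domain, and pressure language in the message.
Added example (not from the original article); all data below is constructed."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail; every name and domain here is fictitious.
SAMPLE_EMAIL = """\
From: "Payroll Team" <payroll@example-corp.com>
Reply-To: payroll-verify@mail-example-corp.net
To: cfo@example-corp.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account was compromised and will be closed unless you act now.</p>
<p>Sign in at <a href="http://example-corp.com.verify-login.net/">https://portal.example-corp.com</a></p>
</body></html>
"""

# Phrases typical of the "act quickly or lose your account" pressure described in the article.
URGENCY_WORDS = ("urgent", "act now", "immediately", "within 24 hours", "compromised", "closed")


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude approximation (last two labels); a real deployment would use the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of the address part of a From:/Reply-To: header, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return registrable_domain(email_addr.rsplit("@", 1)[-1]) if "@" in email_addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Replies silently routed to a different domain than the visible sender.
    from_dom = domain_of_address(msg["From"])
    reply_dom = domain_of_address(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Pressure language in subject or body (report the first match only).
    subject = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for word in URGENCY_WORDS:
        if word in subject or word in text.lower():
            findings.append(f"pressure language: '{word}'")
            break

    # 3. Links whose displayed URL and real target disagree, or that leave the sender's domain.
    parser = LinkExtractor()
    parser.feed(text)
    for shown, href in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        if real_host and registrable_domain(real_host) != from_dom:
            findings.append(f"link host {real_host} is outside sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message, the script reports four indicators (the Reply-To mismatch, the urgency wording, the link whose displayed address and real target differ, and the link host outside the sender's domain); a message whose links stay within the sender's domain and carries no Reply-To redirection or pressure wording yields none. The output is meant to accompany, not replace, the user's own judgement: a clean result only means these particular tells are absent.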
Because these attacks target people, people need to be armed with the knowledge to counteract them. The problem with spear phishing is that it targets restricted groups and executives, and cyber-criminals are therefore able to create sophisticated and highly personalised baits to lure their victims. Busy executives and executive assistants might not have the time to analyse the e-mails they receive properly. Frequent training is therefore needed to help stop the instinct to reply with sensitive data or click on suspicious links.
Joe Ferrara, President and CEO of Wombat Security Technologies, says the cyber-threat of spear phishing is very real and has become increasingly transparent online. He points out the importance of improving individuals’ knowledge so that they can spot an attack and avoid opening themselves or their employer to it. A “continuous cycle of assessing knowledge” is key to ensuring that employees keep their information secure.
This goal can be met with frequent re-certification through annual cyber-security training, but also by creating fake spear phishing e-mails that are periodically sent out to gauge users’ reactions. That way, even those who normally don’t have much time to concentrate on security are reminded, through real-life examples, of what can happen and how important it is to be on guard.
Trainers can use interactive training or mock phishing scenarios, or simply discuss specific episodes. It is also helpful to make simulated phishing exercises available or to stage phishing attacks for others to learn from and understand. This is, of course, in addition to conveying the array of tactics utilised by cyber-criminals in today’s world.
Training is not just effective for the acquisition of knowledge; training can also help make security relevant to end users, employees and executives. User awareness training empowers users and makes them less likely targets by helping them understand their primary role in the defense of the network. When working for an organisation that communicates a strategic plan, employees no longer feel powerless against scammers. Cyber-security is no longer a distant concept relegated behind the doors of server rooms and the sole responsibility of IT managers; it becomes a collective effort.
There is another benefit: training targets employees’ habits. Though it is possible to warn members of an organisation about spear phishing and encourage them not to respond to, or even open, e-mail from unknown senders, employees may not be able to differentiate quickly and separate potential spear phishing attacks from harmless e-mails, says Andrew Howard, a research scientist who heads the Georgia Tech Research Institute’s (GTRI) malware unit. Howard said, “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”
Training might not prevent spear phishing or make people infallible evaluators of e-mails or websites; yet it might teach them to be more cautious when releasing sensitive data online to a third party. Behaviour modification is the ultimate goal of training: people become more aware of every e-mail they receive, not just the suspicious ones that reach their inboxes.
Today’s spear phishing activities and trend reports reveal attacks are becoming more dangerous because of new security evasion tactics. Spear phishing appears to be the weapon of choice these days for cyber-crime and cyber-terrorism.
E-mail security solutions and web-filtering techniques, which can help prevent the messages from being delivered directly to an inbox, are not enough to protect today’s computer end users from a cyber-criminal. Overall, one cannot stress enough how important it is to support security awareness to improve phishing detection and avoidance.
As renowned American hacker Kevin Mitnick, a former cybercriminal turned security consultant, explains, “social engineering has a 100 per cent success rate […] once people become more security-aware, they are less likely to be conned.”
Repeated security awareness training is necessary to help others learn about the dangers of spear phishing, but training doesn’t only give knowledge to end users. It also involves users in the protection of the company’s networks and brings about a behaviour modification that can change the way they react to any e-mails, even those that might not look suspicious at first.