Can You Stop Phishing Emails? Why What You’re Doing Now is Failing.

Can You Stop Phishing Emails? Why What You’re Doing Now is Failing.

phishing emails FIPhishing emails are not new. Despite broad coverage in the press, numerous corporate training programs, and many anti-phishing solutions, why are a massive 93% of data breaches still caused by phishing? With the average phishing attack costing a mid-sized company $1.6 million, this is not a matter to take lightly. How can you be sure that your company is adequately protected?

Let’s start by seeing how good you are at detecting phishing emails. Think you can outsmart these devious scammers? To find out how you measure up, take the Google phishing quiz by classifying 8 emails as either phishing or legitimate. Go ahead…do it now…we’ll wait.

How did you do? How do you think your employees will do? Fact is, many employees are still being tricked by these phishing scams. Why are phishing emails still so successful and how can you protect your company against these harmful attacks?

Phishing, a Brief History

The first recorded phishing attempts date back to the 1990s, but it was in the early 2000s when phishing really took off. The first phishing attacks were crude hit and miss attempts that involved sending mass email blasts that appeared to be from well-known banks in order to trick unsuspecting recipients into divulging their personal information or bank account login credentials.

In 2010 a new phishing phenomenon was proving to be far more effective: spear phishing. Infamous data breaches at Anthem, Sony, and even the White House, all started with a spear phishing attack in which a socially engineered email was sent to a small number of high-ranking individuals, tricking them into providing their credentials or opening a malware-laced attachment to gain access to their systems.

By 2015, a new and highly dangerous phishing technique surfaced: business email compromise (BEC). This is currently the most insidious use of successful phishing attacks because BEC attacks do not use URLs, attachments, or malware to scam their victims, making these attacks much harder to detect and prevent.

Different Types of Phishing

Phishing comes in several variations, each utilizing a different set of techniques to scam their victims. Below is a short explanation of each phishing type:

Phishing: This is the overarching term for email-based attacks in which cybercriminals attempt to trick individuals into clicking on a link or malware-laced email attachment in order to gain access to sensitive information, passwords, or banking or credit card details.

Spear Phishing: These are phishing attempts that are highly targeted and only sent to specific individuals, often using information gleaned from the Internet to make the emails look personal and legitimate.

Clone Phishing: This is a type of attack where a legitimate email is cloned and then resent from a lookalike address with altered links or email attachments with a malicious payload.

Whaling Phishing, BEC and Pretexting: In these attacks, cybercriminals target high-profile employees, such as CFOs and CEOs, and try to trick them into sending a wire transfer to the cyber criminal’s account or to provide W2s or other sensitive information that can be used to commit fraud. According to the FBI, between 2013 and 2018 BEC fraud amounted to $12.5 billion.

In their recent report Fighting Phishing – 2020 Foresight, Gartner says: “Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations.”

Why Are Phishing Attacks Still So Successful?

While traditional anti-spam solutions and secure email gateways are able to stop some phishing emails, there is still a significant number that makes it through to users’ inboxes, leaving companies vulnerable to attack. According to the email security test performed by UK research firm SE Labs, Microsoft Office 365 only had an 8% accuracy rating when identifying malicious emails and Microsoft Office 365 Advanced Threat Protection did not perform much better with a 35% accuracy rating.

How are phishing emails still able to bypass filters and trick individuals? Scammers make use of the following tactics to outsmart their victims:

  • Highly Targeted: Signature-based anti-phishing solutions are ineffective since spear phishing and BEC emails are only sent to a small number of targeted individuals.
  • Look Legitimate: Scammers have vastly improved their tactics and their emails look very realistic. Gone are the days when scam emails were easily recognized due to poor grammar and spelling mistakes, and the addresses from which they’re sent are very hard to visually distinguish from those of recognized companies.
  • Play on Human Weaknesses: Scammers know how to exploit human weaknesses: the will to please superiors, fear of breaking the rules, and curiosity. Cleverly playing on these weaknesses, cybercriminals try to make people act before they think.
  • Reference Current News and Events: By referencing topics or people that are already on people’s minds, such as the Olympics, Super Bowl, political figures, tax season, the Oscars, or Brexit, it is easy to spark curiosity and feign legitimacy.
  • Not Always a Payload: Business email compromise does not use malware, URLs, or attachments. These emails closely resemble normal emails and are therefore hard, but not impossible, to detect.

How Can You Protect Against Phishing?

Don’t let phishers win the game. There are ways in which you can protect against phishing attacks:

  • User Education: Educate users to stop and think before they act on an email. There are numerous online training courses that employees can take to help them identify suspicious emails. Periodically send test phishing emails to keep employees on their toes. Repeat regularly as scamming tactics change.
  • Endpoint Protection: Ensure anti-malware programs are updated regularly. Make sure operating systems and applications are up-to-date to avoid exposure to vulnerabilities.
  • Network Protection: Ensure anti-malware is up-to-date on server systems, deploy a secure email gateway, and implement email authentication methods such as Sender Policy Framework and DMARC to protect against email spoofing. In addition, it is important to supplement with a more advanced email threat protection solution that is able to detect spear phishing and business email compromise emails that traditional solutions miss.

Also, Use Artificial Intelligence in the Fight Against Phishing

The suggestions above will help, but they will likely still be insufficient. At the end of the day, the weakest link is human error. With all the pressure on employees to achieve KPIs, hit targets, and let’s face it, just do their jobs, why should individuals be tasked with continually being on the lookout for these devious scams? Of course, user training is very important, but there is only so much we can ask employees to do. You do not want to create an environment where employees are afraid to open emails, or worse, ignore emails with the excuse that they thought it was a phishing email.

For this reason, instead of relying on employees to spot tricksters, companies must utilize anti-phishing solutions that can identify and filter out malicious emails before they even get into employees’ inboxes. This is where machine learning (ML) and artificial intelligence (AI) can be deployed to constantly learn and record the attributes and behavior of malicious emails, resulting in the ability to accurately distinguish phishing emails from legitimate emails. Contrary to humans, these methods are objective, not prone to human error, and can analyze massive volume of inbound emails. In the fight against phishing, machine learning and artificial intelligence is our most valuable defense yet.

Andy Norton

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
Andy Norton