Phishing attacks remained a rampant problem in 2018, and 2019 is already shaping up to offer more of the same.
SEE: Research: As overseas business operations grow, so do concerns over cyberwarfare and cybersecurity (Tech Pro Research)
Scott Matteson: What are the most significant phishing stories from 2018?
Alexander Garcia-Tobar: The growth in business email compromise (BEC), specifically impersonation attacks, leads the list for 2018. Just this month, the FBI warned that there was a 60% increase in 2018 in fake email schemes that aim at stealing money or tax data. That’s after three years of declining rates of BEC.
Finally, the biggest story in the fight against phishing has to be the US federal government’s amazing progress in implementing anti-phishing measures, which the Department of Homeland Security mandated in 2017 — BOD 18-01. Government agencies, as a group, went from being in the last place in the use of email authentication to leading all industry segments. They’re even ahead of tech companies and unicorns in this. And they did it in just one year. The benefit is that this protects agencies from impersonation via email, and will increase agency operational efficiency as well as security for all US citizens.
SEE: Phishing attacks: A guide for IT pros (TechRepublic download)
Scott Matteson: Why has BEC grown so much in 2018?
Alexander Garcia-Tobar: It’s growing because BEC works. These scammers work just like email marketers: They’ve deployed automation, social networks, classic marketing schemes, and leveraged the fact that email can easily be impersonated. We’ve seen shifts from general phishing to whaling: By carefully crafting their messages and personalizing them, scammers can increase the click-through rates with high-value targets. Unfortunately, that kind of personalization is easier than ever due to the wealth of information available via social networks.
Scott Matteson: What is the anatomy of a typical phishing attack?
Alexander Garcia-Tobar: Usually, it starts with attackers doing research into a target organization to find key individuals, their job responsibilities, who they report to, etc.
They’ll typically start with fake emails to targeted individuals — or to individuals at other organizations (vendors and other companies they do business with). These emails impersonate a trusted individual in order to increase the likelihood that the target will open it, read it, and take action.
Once they gain trust, the attackers use that to entice the targeted individual to download a file containing malware, click on a link to a malicious site, or even enter their username/password into a site that looks like a legitimate login but is actually controlled by the hacker. With that step, the attackers can access the target’s email account or even to the company network. At that point, they start deploying malware, exfiltrating data, or installing ransomware.
SEE: Information security policy template download (Tech Pro Research)
Scott Matteson: Can you provide me with the details of a typical attack?
Alexander Garcia-Tobar: Whereas most think of phishing as a poorly worded email requesting your bank account number, email deception has become quite sophisticated. A recent episode highlights this trend. A mid-sized East Coast bank received a request for 1,000 bitcoins or they would “suffer the consequences of your systems going down.” The bank refused, and the criminal network sent millions of emails to local consumers and businesses, all of which appeared to come from the bank. Not only did this produce a negative impact on the bank’s brand (imagine dozens of nonsensical emails from your bank in your inbox), but the bank’s ISP saw a client that normally sent out 5,000 emails/day suddenly sending millions of emails/day, most of a very suspicious nature. This prompted the ISP to shut down the bank’s email service. The bank had no ability to send email — a devastating blow.
This is where email authentication comes into play. Email authentication was put in over the weekend and allowed the bank to regain control of who could send email and shut out the criminal’s efforts. Once in control of their own email systems, the bank got the ISP’s restrictions lifted and resumed normal operations. It brought the importance of email and their dependence on it into sharp focus, and since the episode, the bank diligently keeps their email authentication in place.
SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)
Scott Matteson: Why is this still a problem? We solved the spam problem, can’t we solve phishing?
Alexander Garcia-Tobar: One big reason is that email itself is unauthenticated by design. While classic email security focuses on content filtering, the attack vectors we’re seeing are based on impersonation of the sender.
Secondly, approaches that use heuristics and AI to try to determine the legitimacy of the sender are just making educated guesses based on email content. Outside of the potential privacy violations, this is just not that finely tuned.
Email authentication standards attempt to fix this shortcoming, making it possible for a receiving mail server to know, authoritatively, whether a sender is legitimate or not. These standards are widely supported by almost every email receiver. However, domain owners need to configure authentication in their DNS for this to work. While the number of domains using authentication has grown exponentially, it’s still a small percentage of the overall internet. In other words, the problem is getting solved, but slowly.
SEE: GDPR resource kit: Tools to become compliant (Tech Pro Research)
Scott Matteson: What can you tell us about the people who conduct these phishing scams. Do they actually make money? Are they often caught and prosecuted? Is there dedicated law enforcement agencies/institutions which specialize in stopping them (FBI or some branch thereof)?
Alexander Garcia-Tobar: The FBI’s Internet Crime Complaint Center (IC3) is the primary source for collecting and disseminating information about phishing scams. And yes, people do get caught. For example, earlier this year 74 people were arrested (42 in the United States) in a massive FBI operation aimed at taking down BEC scammers. This year the FBI also indicted a dozen Russian hackers who infiltrated the 2016 election, often using phishing techniques.
Scott Matteson: Do you think the rate of BEC will continue to rise in 2019?
Alexander Garcia-Tobar: Yes. Solving the BEC problem long-term is not rocket science, but change is hard — especially in large enterprises with tons of legacy technology and processes to navigate and modify. It will take time to deploy effective layered email defenses across all industries. In the meantime, BEC rates will continue to grow.
Scott Matteson: What are the three things organizations can do to protect themselves against phishing and BEC in 2019?
Alexander Garcia-Tobar: The best defense is a layered defense:
- Deploy email authentication as your first line of defense, so that only authorized senders can use your domain to send email messages. This will block a huge proportion of fake messages (the direct spoofs/exact-domain attacks). It also is becoming a mandated requirement. So deploying email authentication will both get you ahead of the compliance curve and protect your employees and brand.
- Make sure you use an effective secure email gateway (SEG) to stop inbound messages with suspicious content that could contain malware or malicious links.
- Train your users how to be smart about phishing messages that make it through the first two layers, and make sure to refresh that training every three to six months.