We have all heard the term phishing. However, do we understand what it means and the overall magnitude of phishing attacks? According to a Digital Trends and Microsoft survey of Office 365 users phishing attacks are up so far in 2019 by more than 250%. An analysis by Microsoft Security Team which report more than 6.5 Trillion security related signals a day and 470 billion emails per day say we see the tip of the iceberg. This thought is staggering when you think about all it takes is one to get through; it could be costly to your organization. You are most likely asking yourself how is this possible? I spend so much money on Firewalls, Anti-Virus, and SPAM malware protections, how is it possible that I am at more of a risk now than before? Since protection research has improved so has the methods used by scammers to become more proficient and efficient in how they coordinate their attacks.
Dissection of a Phishing Attack.
There are many moving parts when it comes to how phishing attacks happen. How do you detect a phishing attack? How do you determine the damage? Could this be system damage via cryptovirus or financial harm to your organization? Incident Response; What responsibilities do you have to vendors, customers, and if you are a public company how do you report this to shareholders and customers? How do you deal with mobile device security and remote access, the most common entry points for phishing attacks? The questions both positive and negative go on and on. In today’s always connected world, there is a need for full collaboration software and connected services, but are they opening you up to phishing attacks? Couple those business needs with our need for immediate access to data then add the human factor, and you have all the dynamics for a robust phishing attack.
Before we get too far into this, let's go through the different types of phishing scenarios and how they target different people and processes.
Phishing attacks are typically more focused on the social engineering of the human and the assumptions that the human brain has been trained to see or expect to view data in a specific format. Phishers have become experts at identifying weaknesses in human behavior and the assumptions that we all make every day. In most cases we the human, don’t understand that we are making these assumptions. When it comes to changing human behavior, according to a Forbes Nov 2018 article, 70% of change initiatives within organizations fail and 84% of companies undergoing a digital transformation process fail. Companies see this human behavior in action in many forms. Companies spend millions on securing corporate email and networks. Only to find out that employees will use a Gmail account, or some other third-party email to get around restrictions that were put in place to protect the company. Companies spend millions on software. Only to find out that employees continue to use Excel or other work processes that the new software was bought to improve. These are simple examples but shows how difficult it is to retrain human behavior even when we know it is in our best interest. That makes us susceptible to phishing attacks.
Now that we have outlined the magnitude of phishing, the different types of phishing and determined that for a phishing campaign to work it does need the assistance of a human to help it along. You might be wondering how did all this get started? So, kind of as a fun fact according to Computerworld Magazine. The term phishing was the first document in 1996 in a hacker newsgroup while they were trying to steal America Online username and passwords. This term came out of what is known as phreaking or phone phreaking which is the original hacking of phone systems. The term phreaking was coined by John Draper, aka Captain Crunch who created the now infamous blue box that emitted an audible tone for hacking phone systems in the 1970s. The term phishing grew from this history and hackers knew the more hooks they put out there, the more fish they would catch, create the term Phishing.
What should you do to prepare for a security breach, whether it is from a phishing attack or some other form of system breach? The basic rule of thumb is; it is much cheaper to prepare for a breach than to react to one or clean up after one. According to a 2019 Gillware report industry experts are predicting Cybercrime to be a $6 Trillion-dollar business by 2021 and companies will spend more than 1 Trillion dollars on countermeasures to protect themselves.
Where should you start to focus your attention when it comes to preparing for a security breach? According to Gillware here are some primary areas to consider:
Some other interesting historical facts about phishing: These are according to the IT Governance Institute.
You are doing all the right things, you have updated your systems, implemented new firewalls and advanced threat detection. You have anti-virus loaded. You have good patch management in place. Then you find out you were still a victim of a phishing scam. How can that happen? In most cases, you may never know who did it and in some cases how the breach occurred. Let’s walk through an actual incident that Winning Technologies got involved in finding out how it was done and worked with both sides to examine prevention improvement steps. I’ll try and walk you through how all the things we have discussed so far came together to create for this company more than a $250,000-dollar loss. However, it could have been worse. The initial request attempt by the scammer was for over a million dollars.
In this case (Company A) was financing a project with a financial institution and a third-party investor. The project had reached a point that some of the financing for the project was scheduled for payment to keep the project moving along. (Company A) Emailed the investor to request the monthly requisition payment voucher so that a portion of the financing for the project could be paid out and distributed to vendors and suppliers of the project. There was no real descriptive information in the initial email's necessary discussions around timing and process for the release of financing. At some point, the emails were intercepted, and content injection phishing scam started to take place. The interception was so clean that (Company A) had no way to believe that the message was intercepted. It only looked like the investor had gotten busy, distracted, or was preparing additional information for the release of funds. From the investors perspective, they were now exchanging emails with the partner. However, based on the human conditioning factor didn't recognize the discreet signs that the parties had changed and that they were no longer communicating with (Company A). However, during the first look at this from a forensic perspective, it looked like a common spoofing of an email account, however, if you take a close look at the email headers you can easily see when the content injection happened.
What do we know so far?
How was the email intercepted? It is just not that hard to detect and trap email traffic that is going across the Internet. You should have a higher sense of awareness if you are a high-profile organization or high-value targets such as a finance company, bank, or credit card processing company or government agency. Something that makes you a target. It is harder to do nowadays than it has ever been, but again anything that travels over the public internet is a potential target. Upon reviewing the header information of the emails, it was not to difficult to determine what had happened. Once the email from (Company A) was intercepted the scammer changed two letters in the domain name. Set up fake email accounts using Gmail and a phony domain. They even changed the email addresses of the individuals who were in the CC line of the email to further exploit the human conditioning factor of normalcy and started the communication with the third-party investor.
What do we know now?
There were lots of red flags all over this transaction. In the end, it was not a breakdown in the technology. Both sides have confirmed that neither team had a security breach of their internal networks or the Office 365 systems. This phishing attack was focused on the human conditioning of the brain seeing what is expecting and the lack of training. The bank questioned the transaction. Verbal conversations took place concerning the transfer. Internal verification processes by the humans involved were not adequately acted upon and documented. The money was transferred to the Mexican bank as requested. The Mexican bank accounts were closed, and the spoofed Gmail accounts were deleted.
We have learned a lot about phishing. There are typically red flags that would warn you that you might be part of phishing attempt or someone is trying to make you a victim. However, what are those signs? According to Protected Trust here are some things that you can watch out for:
Securing the human is the key to any security initiative. Even more so when it comes to phishing attacks, it is easy to think that the technology is at fault when it comes to security prevention. However, the real weakness is in human conditioning. Scammers have become experts at human behavior and attacking the human condition. So, until we secure the human, all the technology in the world is going to have this one major flaw. What are some of the behavioral elements that can help us secure the human?
Employee training. It is essential to communicate and train employees on the risks of phishing, how it happens and what they can do to be aware of the dangers. Educate employees about prevention steps and their role in that and how that is protecting the company. Create a culture of security within your business. Share the information. Educate on the risks and empower employees to ask questions. We have seen in the Winning Technologies customer base where we have implemented filter and prevention systems, and then people start to complain because they don't understand the role and function of the new system. Educating on the new and increasing threats and emerging threats over some time will help reinforce the culture of security within your company. Then it comes down to a security verse convenience discussion, and you can’t be secure and convenient, so you have to find that balance for your organization.
Routine testing of employees. Several products allow you to test your employees with fake phishing attempts. These will identify how click happy your employees are and specifically identify within your employee base who is more likely to fall victim to a phishing attempt. Armed with that information it allows you to have more focused educational programs for these individual employees, and help in the development of routine training for all employees. This type of routine testing can be an eye-opener for owners and managers. It can also show you if you are building a culture of security and awareness which is key to a long-term security strategy.
Cyber Insurance has been an ongoing debate regarding phishing attacks. The long-standing question is, are phishing attacks typically covered under a cyber insurance policy? In 2016 a case was filed by Ameriforge Group Inc. Challenging if a cyber insurance policy taken out through CHUBB should provide protections for a spear phishing attack which resulted in a bank transfer of 480,000 dollars by Ameriforge. The insurer denied the claim because they said it did not cover CEO fraud or business email compromise as a result of spear phishing. According to the policy, it would only cover the cyber event if it involved a forgery of a financial instrument. According to CHUBB's legal team, the financial device involves a written promise, order or direction to pay that is similar to a check or draft. The bottom line here is that since it does take human interaction and phishing financial losses are typically tied back to a human mistake. It is going to depend on the language and the specifics of each policy and how the coverage is defined within that policy. Phishing is such a high risk these days that phishing is by most standards left out of cyber insurance policies. So don't assume that all cyber insurance policies are going to cover phishing attacks that result in financial losses.
Successful phishing attacks don't happen merely due to the human condition. Companies still do not focus as much energy and money into training, technology countermeasures along with simply understanding and communicating the risks to our employees that are present in our connected world. Phishing is going to continue to grow. You can't create a multibillion or trillion-dollar industry and expect that it is going to slow down or disappear. Unfortunately, it just isn't going to work that way. There are many things you can do to help reduce the risk, limit the damage, and not make yourself the easiest target on the block. However, these come with a budget impact that is going to be ongoing, must be managed, and proactively monitored.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with large and small business to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies and Winning Technologies goal is to work with companies on the selection, implementation, management and support of technology resources.