
There are plenty of anti-malware tools designed to detect malicious software that infects computers and applications, and just as many anti-phishing spam filters aimed at keeping users' inboxes free of potential attacks. Even though firewall technology grows more sophisticated each year, fraudsters hunting sensitive user data and financial information continue to thrive.

Phishing is an old scam, dating back almost 20 years, yet attacks grow more effective each year: worldwide they cost businesses an estimated USD $5.9 billion in 2013, a figure expected to grow again this year.

With that in mind, it makes sense that phishing is more troublesome than ever for IT professionals. A July 2014 HP TippingPoint survey of 205 corporate IT security workers found that nearly 70 percent are targeted by phishing attacks as often as once a week. The survey also indicated that 75 percent see untargeted spam in their organization at least once a week, and around 70 percent reported attacks originating from a malware-infected host.

These attacks are not the "Nigerian prince" wire-transfer scams found in just about everyone's spam folder. Phishing attempts can be quite convincing. Recently, millions of JPMorgan Chase customers received a phony e-mail masquerading as correspondence from the bank in an attempt to steal user credentials. This particular attempt used a screenshot of an authentic e-mail from the bank, and the sender address appeared to come from the bank's own domain. It urged recipients to click a link to view a secure message; once clicked, the page asked for logon information while simultaneously attempting to install the Dyre banking Trojan.

Anyone who thinks they are smart enough to sniff out every phishing attempt should try the Phishing IQ test by Dell SonicWALL. It will reveal that spotting fakes is not that simple.

Why Technical Solutions Are an Incomplete Fix

The main reason phishing continues to be an effective method of attack is that the technical solutions deployed to combat it do not address the source of the problem: the user. Users are the ones clicking the link, downloading the malware, and handing over their account numbers or other sensitive information. Phishing attacks get around the best firewalls and filters, but they should be no match for a vigilant, properly trained user.

Security features built into Web browsers can flag insecure sites fairly effectively. However, as is the case with these types of warnings, too many are triggered by misconfiguration, often on the site's side (an expired or mismatched certificate, for example), rather than by a legitimate threat. This breeds disdain among users and desensitizes them to the warnings, so they end up blindly clicking through the safety nets without a second thought: a dangerous habit to develop.

Likewise, spam filtering software can keep most unwanted e-mail out of a user's inbox. But when a clever phishing e-mail does get through (which research tells us happens on a fairly regular basis), then what? The user, trusting that the IT department puts significant resources behind blocking malicious e-mail, may have his or her guard down as a result.

Here is a famous example: Dr. Aaron Ferguson, a National Security Agency expert and visiting teacher at the West Point Military Academy, sent a message to 500 cadets asking them to click a link to verify their grades. Ferguson's message used a phony West Point e-mail address belonging to a fictional faculty member, Colonel Robert Melville. Over 80 percent of recipients clicked the link. In response, they received a notification that they had been duped, along with a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and other malware.

Remember: Phishing Attacks Prey on Misguided Trust

Dr. Ferguson called it the "Colonel Effect": users are more likely to take the bait when they perceive the communication as coming from a reputable source. It illustrates an important principle: the illusion of trust is the foot in the door for an effective phishing attack.

Social media phishing attacks have become increasingly common because the trust is already built in. On Facebook, for example, a compromised account posts phony material that appears in friends' news feeds; clicking it redirects to a fake Web site that looks like the Facebook logon page. Any user who tries to log in on that page has just handed over his or her password.

Reports of malware hosted on reputable sites have also made headlines recently. The proportion of malware-hosting Web sites running on Amazon Web Services has more than doubled since 2013. Phishing attacks are more successful when the link points to a trusted, widely used domain like Amazon's, because users are inclined to give it the benefit of the doubt.

10 Training Tips for Conducting an Anti-Phishing Simulation

Any measure to curb phishing starts with user awareness training. Simulated phishing attacks are one of the more popular training methods used by IT security professionals. When conducting simulated phishing in your organization, there are a few things to keep in mind.

  • Do not blindside users with simulated phishing, as it can create a negative attitude toward the program. Inform everyone that phishing simulation training is launching, and explain its goal of making the work environment safer.
  • Do not take a fire-drill approach, either. Some element of surprise is needed for the simulation to be effective.
  • Make sure that everyone is involved, from the top down. Since everyone is subject to phishing attacks, everyone in the company should receive training.
  • Be careful about training users to click. Many programs redirect users who fall for the phish link to an online training session or game. Making them click a link to receive the training puts users in the wrong mindset; after all, they are being trained not to click.
  • Use a familiar e-mail format and a trusted domain name for the bait e-mail. The best material for drafting a fake e-mail is often sitting in a user's own inbox. Grab, copy, and alter it, just as a spammer would.
  • Set up a link you can track for the simulated malware link. Many free programs, such as Google Analytics, have detailed click-tracking features.
  • Stagger message delivery to mimic real-world attacks and to lessen the impact on the operations staff conducting the simulation.
  • Set up a landing page for the simulated malware link. It can be as simple as a few words ("Oops, you've clicked on a phishing link!") or a plain 404 error.
  • Gather actionable data so that you can identify weaknesses and train accordingly. Track the who, what, when, where, and how of every clicked simulated phishing link.
  • Train over time. Phishing simulation training should not be a one-and-done endeavor. Making it an ongoing project heightens awareness for the real thing, which is the whole point of the exercise.
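As an added example of how the tracked link, staggered delivery, landing page, and who/what/when/where/how data from the list above fit together, here is a small Python script. It is not code from the original article or from any product mentioned on this page, and the landing page URL, campaign name, recipients, HMAC secret, and access-log lines are all constructed for illustration. It goes one step beyond the list by using a per-recipient HMAC token instead of a bare identifier in the link, so a forwarded bait e-mail does not reveal who received it and nobody can forge another person's token.

```python
"""Phishing-simulation helpers: per-recipient tracking links, a staggered send
schedule, and a click report built from the landing page's access log.
Added example for this article, not code from the original post; the domain,
campaign, recipients and log lines are constructed for illustration."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Assumptions: a per-campaign secret and a hypothetical internal landing page.
CAMPAIGN_SECRET = b"rotate-this-per-campaign"
LANDING_URL = "https://training.example.internal/oops"
CAMPAIGN = "2014q3-grades"
RECIPIENTS = ["alice@example.internal", "bob@example.internal", "carol@example.internal"]
START = datetime(2014, 8, 12, 9, 0, tzinfo=timezone.utc)


def tracking_token(campaign, email):
    """Opaque per-recipient token. Using an HMAC rather than the address means a
    forwarded mail does not reveal the recipient, and tokens cannot be forged."""
    return hmac.new(CAMPAIGN_SECRET, f"{campaign}:{email}".encode(),
                    hashlib.sha256).hexdigest()[:16]


def tracked_link(campaign, email):
    """The 'simulated malware link' to paste into the bait e-mail."""
    return f"{LANDING_URL}?c={campaign}&t={tracking_token(campaign, email)}"


def schedule(recipients, start, window_minutes, batch_size):
    """Stagger delivery: batches spread evenly across the window, so the run
    looks like a real drip campaign and the help desk is not hit all at once.
    Returns a list of (send_time, email)."""
    batches = [recipients[i:i + batch_size]
               for i in range(0, len(recipients), batch_size)]
    step = timedelta(minutes=window_minutes / max(len(batches), 1))
    return [(start + i * step, email)
            for i, batch in enumerate(batches) for email in batch]


# Combined (Apache/nginx style) access-log line for the landing page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def resolve_clicks(campaign, recipients, log_lines):
    """Map landing-page hits back to people: who (email), when, where (client
    IP) and how (user agent). Hits carrying a token that was never issued are
    returned separately rather than silently dropped."""
    token_to_user = {tracking_token(campaign, e): e for e in recipients}
    landing_path = urlparse(LANDING_URL).path
    clicks, unknown = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        qs = parse_qs(url.query)
        if url.path != landing_path or qs.get("c", [None])[0] != campaign:
            continue
        token = qs.get("t", [""])[0]
        hit = {"when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
               "where": m["ip"], "how": m["ua"]}
        if token in token_to_user:
            clicks.append({"who": token_to_user[token], **hit})
        else:
            unknown.append({"token": token, **hit})
    return clicks, unknown


def report(recipients, clicks):
    """Actionable summary: who clicked (first click per person) and the rate."""
    first = {}
    for c in sorted(clicks, key=lambda c: c["when"]):
        first.setdefault(c["who"], c)
    return {"clicked": sorted(first), "first_click": first,
            "click_rate": len(first) / len(recipients)}


def sample_log():
    """Constructed access-log lines for the landing page, not real traffic."""
    ta = tracking_token(CAMPAIGN, RECIPIENTS[0])
    tb = tracking_token(CAMPAIGN, RECIPIENTS[1])
    ua = "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/31.0"
    return [
        f'10.1.2.3 - - [12/Aug/2014:09:14:02 +0000] "GET /oops?c={CAMPAIGN}&t={ta} HTTP/1.1" 200 512 "-" "{ua}"',
        f'10.1.2.3 - - [12/Aug/2014:09:14:40 +0000] "GET /oops?c={CAMPAIGN}&t={ta} HTTP/1.1" 200 512 "-" "{ua}"',
        f'10.1.9.9 - - [12/Aug/2014:10:02:17 +0000] "GET /oops?c={CAMPAIGN}&t={tb} HTTP/1.1" 200 512 "-" "Outlook-iOS/2.0"',
        f'10.1.0.7 - - [12/Aug/2014:10:30:00 +0000] "GET /oops?c={CAMPAIGN}&t=0000000000000000 HTTP/1.1" 200 512 "-" "curl/7.30.0"',
        '10.1.0.8 - - [12/Aug/2014:10:31:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]


if __name__ == "__main__":
    for when, email in schedule(RECIPIENTS, START, window_minutes=60, batch_size=2):
        print(when.isoformat(), email, tracked_link(CAMPAIGN, email))
    clicks, unknown = resolve_clicks(CAMPAIGN, RECIPIENTS, sample_log())
    print(report(RECIPIENTS, clicks))
    print("hits with unissued tokens:", len(unknown))
```

Two points of design are worth noting. The report counts a person once no matter how many times they reload the page, which is what the "who clicked" number should mean; the raw hit list is still there if you want to see repeat visits. And hits with a token you never issued go into their own bucket instead of being discarded: that is how you notice a link being forwarded around the office, probed by a scanner, or guessed, and each of those is something the training team wants to know about.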

Additional resource: Firewalls / Security Appliances

Anti-phishing training should be at the heart of an organization's effort to secure its network, and it is just as important as an enterprise-grade firewall appliance. Nothing is as effective as a well-trained, vigilant user at snuffing out suspicious activity, and that user will prove time and again to be the best anti-malware tool money can buy.

Image by elhombrenegro, taken from Flickr Creative Commons.

Author: Adam Lovinus

A tech writer and Raspberry Pi enthusiast from Orange County, California.
