Forget DDoS, data breaches, and botnets – the biggest threat for modern organisations is the old-fashioned scam, nowadays known as spear-phishing. According to recent analyses by Kaspersky Labs, Australia topped the list of countries most often attacked by phishers – comprising almost 1 in 4 of all attacks globally.
Spear-phishing scams are more sophisticated and tailored than ever before, yet most business leaders tend to underestimate the risk they pose to the organisation by assuming they are adequately protected. We need to rethink how we combat spear-phishing and regular phishing attacks on both the technological and the human front, and educate users to recognise attacks rather than fall victim to them.
It's dangerous to assume...
Business leaders typically make two assumptions about spear-phishing: that traditional defences are sufficient, and that threats are easy to see through. Both assumptions are dangerous. First of all, traditional email security isn’t well-placed to deal with phishing or targeted attacks, because email isn’t, strictly speaking, the problem. The main risk to any business comes from the URLs within the email, which usually lead to malware and can potentially threaten the organisation. However, antispam and antivirus tools only scan content in the body of the email, not the destinations of any URL. And while web proxies can pick up these malicious links, they can’t protect the myriad devices that employees and customers use nowadays to connect to the web.
But shouldn’t mailbox filters be able to pick up phishing based on the content of an email? The answer is a resounding no. Phishing threats are increasingly sophisticated and persuasive when it comes to convincing people of their legitimacy (a process known as “social engineering”). Energy Australia customers, for example, were targeted in June this year by phishing emails that looked exactly like the bills they were accustomed to receiving. The only difference: the phishing scam addressed recipients as “Valued Customer” instead of by name. It’s unlikely Energy Australia’s executives would’ve picked up the difference, let alone customers themselves.
In other words, Australian businesses need to rethink phishing threats as highly targeted attacks designed explicitly to take advantage of human psychology. The typical kneejerk reaction of content policies and stringent rules is not well-equipped to deal with today’s phishing threats. Organisations need a new approach that allows for human curiosity while preventing its potentially disastrous effects.
Knowledge is power
New tools already exist that target the specific behaviour of phishing threats. Our own Targeted Threat Protection tool, for example, immunises all embedded links by rewriting them to point to Mimecast’s global threat intelligence cloud. When the person clicks the link, the cloud scans the original destination against a database of known threats and advanced heuristics, alerting them or blocking the site if a potential threat is detected. By focusing on the hyperlink instead of the email message, Targeted Threat Protection is able to protect people from directly accessing potentially malicious webpages, regardless of the device or operating system they’re using.
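As an added illustration of the rewrite-then-check-at-click pattern described above (this is not Mimecast's code and does not show how Targeted Threat Protection is implemented), the snippet below rewrites every URL in a message body to point at a gateway and, at click time, verifies the link came from that gateway before deciding to allow or block. The gateway host, signing key, blocklist entry and brand domain are all constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qsl, quote, urlparse

GATEWAY = "https://protect.example.invalid/click"      # hypothetical rewrite host
SECRET = b"constructed-demo-signing-key"                # constructed; per-tenant in practice
KNOWN_BAD = {"energyaustralia-billing.invalid"}         # constructed blocklist entry
BRAND_DOMAINS = {"energyaustralia": "energyaustralia.example"}  # brand -> constructed legit domain

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def _sign(url: str) -> str:
    """HMAC tag so the click service only unwraps links it rewrote itself."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]

def rewrite_links(body: str) -> str:
    """Point every URL in an email body at the click-checking gateway."""
    def wrap(m: re.Match) -> str:
        url = m.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&t={_sign(url)}"
    return URL_RE.sub(wrap, body)

def _looks_suspicious(host: str) -> Optional[str]:
    """Simple heuristics applied to the original destination host."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal host"
    except ValueError:
        pass
    if "xn--" in host:                                  # internationalised lookalike
        return "punycode host"
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and host != legit and not host.endswith("." + legit):
            return f"brand lookalike for {legit}"
    return None

def check_click(rewritten: str) -> tuple:
    """Time-of-click verdict: ('allow', destination) or ('block', reason)."""
    params = dict(parse_qsl(urlparse(rewritten).query))
    url, tag = params.get("u", ""), params.get("t", "")
    if not hmac.compare_digest(_sign(url), tag):
        return "block", "link was not produced by this gateway"
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD:                               # database of known threats
        return "block", "known threat"
    reason = _looks_suspicious(host)                    # heuristics
    return ("block", reason) if reason else ("allow", url)
```

The blocklist lookup happens when the link is clicked, not when the mail is delivered, so a destination that turns bad after delivery is still caught.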
Most businesses still focus their anti-phishing resources on staff education, and rightly so since phishing threats take advantage of human psychology. Anti-phishing tools like Targeted Threat Protection generate data and real-time notifications which can strengthen these education efforts.
An IT admin can, for example, identify people who more readily click on potentially harmful links, or see whether many staff in a specific division are clicking the same link (which could suggest a highly targeted threat). Some of our customers are already using Targeted Threat Protection’s data to inform how they design and distribute customer notices too, including prompt announcements when a potential zero-day threat hits the business.
The best defence against phishing attacks is a vigilant employee community of what we like to think of as “human firewalls”. Enterprises can’t just rely on robust anti-phishing tools: they need to foster a culture of awareness and interest in the nature of these fast-evolving threats. Employee notifications and alerts help do this. So do internal tests like sending out fake phishing emails: these not only deflate people’s overconfidence in their ability to spot threats (which many phishing attacks take advantage of) but also generate data that identifies weak spots within the organisation.
In the long term, upgrading our users to act as human firewalls is critical if we want to maintain trust in email in the enterprise. After all, the insights that analytics and data provide are crucial to enhancing people’s knowledge of threats, and knowledge remains the single strongest defence against scams, no matter how sophisticated they may become.
Nick Lennon is the ANZ country manager of Mimecast