An astounding 91 percent of cyber-attacks originate in spear-phishing email messages in which a hacker either sends out malware as an attachment, embedding it in a legitimate-looking file, or tells the victim to download an attachment, which then installs the malware. Unfortunately, cyber-criminals are getting smarter, hacking is a growth business, and exploits are the most coveted tools of the trade. New spear-phishing scams—take the Locky ransomware email campaign, for example—suggest that this method of spreading malware will surely continue to grow.
Ninety-one percent of anything is a lot, but that number is particularly significant for cyber-security professionals: it means that the greatest security risk is email that prompts victims to inadvertently install malware, which then compromises their computer or their company's computers and steals passwords, corporate data, bank account details, and even employees' names, dates of birth, and social security numbers. Maybe that's good news: all a cyber-security pro has to do is convince employees not to open anything they're not supposed to, and the problem is solved.
If only it were that easy! It's not as if spear-phishing is new—the technique has been around since email and viruses came into existence more than two decades ago. Yet the fact that so many people fall for such a scam would indicate that they are simply unaware of the danger of opening innocent-looking but malicious email. On the other hand, given that companies spread the message by providing training, distributing memos, hanging up warning signs, and even threatening to punish employees who inadvertently unleash malware in the system, we can conclude that a lack of awareness isn't the problem.
Given that such educational efforts have been going on for years, one wonders why spear-phishing is becoming more widespread. Are company employees falling asleep during training sessions? Are there really that many adventurous individuals who just can't resist finding out what's inside a PDF file with an enticing title? And are employees so intimidated that they would respond to what seems to be instructions from their boss to hand over personal information—or else?
So how are we doing on another kind of training, “emotional” education? Are we teaching employees how to avoid the traps set by malicious organisations and hackers that use social engineering to ensure the success of their campaigns? Here we enter a whole new realm, which is far more complicated. How do you educate people to regulate their emotions? Good social-engineering scams, after all, appeal to the psyche—to employees' fear of losing their job; their desire to inject some fun into a boring day; their sense of adventure; and their desire to travel, make money, meet people, and even find love. In fact, in many high-profile attacks, hackers have studied employees for months, using the information that they've gathered from social media to carefully tailor their attacks.
A good example is the recent Amazon spear-phishing campaign, which security researchers consider one of the largest spam ransomware attacks thus far in 2016. Through sophisticated evasion techniques, email messages with infected attachments easily bypassed email gateway controls. The assailants used legitimate-looking email headers to trick recipients into thinking that the message sent to them actually originated from Amazon. Persuaded to open the attachment, the recipients set in motion the installation of Locky malware delivered to their computer in the form of an infected Word file.
The Amazon campaign hackers had taken the time to understand how the target organisation operates and who its user base is, and thus successfully tempted many of the email recipients into opening the infected attachment. When loyal Amazon customers received an email message with the subject “Your Amazon.com order has dispatched (#code),” sent from firstname.lastname@example.org, we can understand how these users would not think twice about opening the attachment to review their orders.
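As an added, defender-side illustration (not code from this article or from Votiro), the following Python triage rule checks an inbound message for the three signals the Amazon campaign relied on: a trusted brand named in the display name or subject that does not match the sending domain, an envelope sender (Return-Path) that differs from the visible From domain, and a macro-capable Office attachment. The sample message, the brand-to-domain map and the extension list are constructed assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above; not a real capture.
SAMPLE_EMAIL = """\
From: Amazon.com <firstname.lastname@example.org>
Return-Path: <bounce@mail.example.net>
Subject: Your Amazon.com order has dispatched (#123-4567890)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="order.doc"
Content-Disposition: attachment; filename="order.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Placeholder brand-to-domain map (assumption); a gateway would use an authoritative list.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}
# Legacy and macro-enabled Office extensions, the usual carriers for Locky-style droppers.
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")

def domain_of(header_value):
    # Lower-cased domain of the first address in a header value ("" if none).
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage(raw_message):
    # Returns human-readable findings; an empty list means no red flags were seen.
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name = parseaddr(str(msg.get("From", "")))[0]
    from_domain = domain_of(msg.get("From", ""))
    claimed = (display_name + " " + str(msg.get("Subject", ""))).lower()
    # 1. A brand named in the display name or subject but sent from an unrelated domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and from_domain not in domains:
            findings.append(f"'{brand}' claimed but From domain is {from_domain}")
    # 2. Envelope sender that does not match the visible From domain.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # 3. Macro-capable Office attachment, the delivery vehicle used in the campaign.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            findings.append(f"macro-capable Office attachment: {name}")
    return findings
```

None of these checks replaces SPF, DKIM or DMARC evaluation; they are cheap content-layer signals a gateway or SOC script can combine with authentication results before a user ever sees the attachment.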
The worst part is that all a hacker needs is one individual out of a thousand or ten thousand employees or users who will fall for the scam just one time. Resisting the pressure—all day, every day—to see what's hiding in an attachment takes iron willpower. Are people capable of such willpower? Perhaps the solution is a psychologically based program to train users to resist the urge to open attachments. Will that solve the problem?
Contributed by Itay Glick, co-founder and CEO, Votiro