We all know that phishing is nothing new; however, the recent impact it is having on businesses and other organisations is truly surprising. I do a lot of public speaking at various events across the country, and it's shocking how many times people tell me their stories, either before or after my presentation. Most of the time these stories follow almost the same script. These tales of woe usually fall into one or more broad categories, including CEO fraud (a.k.a. Business Email Compromise), tax form fraud or ransomware, and inevitably start with, “One of my users clicked a link/opened an attachment and…”
To understand how not to fall victim to these tactics, we need to understand the current threat landscape. Gone are the days of the “Nigerian Prince” scams riddled with grammar and spelling errors. Today's phishing campaigns are very well organised, use OSINT (Open Source Intelligence) gathering techniques and go after big-money targets. In addition to plain email phishing, we are also seeing hybrid attacks that combine phishing emails with other channels such as smishing (phishing using SMS text messages) to increase the effectiveness of the attack. Let's look at how this may play out.
Bad Guy: Sends spoofed phishing email that looks like it's from the CEO telling the CFO/Controller that they are jumping on an opportunity to take over another company and to wire money to a bank account ASAP so they can lock it in. CEO also says they are in negotiations right now, so they can't be on the phone.
CFO/Controller: Thinks this looks odd and has reservations doing this, however the CEO is currently travelling, so it could possibly be legitimate. They do not want to be the one that causes the deal to go south, but the nagging doubt won't go away.
Bad Guy: Sends spoofed text message to CFO/Controller saying that he just sent an email and needs them to take care of it immediately.
CFO/Controller: Since they got both an email and a text message from the CEO, the CFO/Controller no longer feels the nagging doubt and does the wire transfer.
Bad Guy: Retires in the Bahamas drinking fruity drinks and enjoying the ocean breeze.
CFO/Controller: Updates resume and LinkedIn profile while searching for another job.
CEO: Has to explain to the Board of Directors and/or shareholders why they helped a bad guy retire in the Bahamas.
Combining different types of phishing attacks, in this scenario email and SMS, is a very effective way to take the scams to the next level. We can expect to see more of these types of hybrid attacks this year and need to take steps to protect ourselves.
How do we do that? There are a few things that could work together to reduce the risk.
1. Implement technical controls such as SPF (Sender Policy Framework) records, DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) to make spoofing emails much tougher.
2. Train the leadership about social engineering threats and their role as a potential target. If they don't know about the threat, they cannot be expected to defend themselves against it.
3. Now that the leadership is trained and aware of the threat, implement a “Call first” policy in which the CEO knows that you will not transfer funds or send sensitive information (like tax forms) without actually speaking to them, not via text or email.
Having been taught that they are a target and that there is a significant risk, the enlightened CEO should understand the importance of the “Call first” policy, which will, in turn, greatly reduce the risk of falling for the scam.
Given the complexity of current phishing scams and the losses being incurred, the need for and value of training and education has never been as great as it is now. It is not enough to stick folks in a room and show them PowerPoint presentations once a year, though. They need to be trained in an interactive way, and the skills they learn in that training exercised and honed through monthly simulated phishing attacks. Combining some basic technical controls with this training approach greatly reduces the risk of falling victim to phishing attacks.
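Step 1 above names SPF and DMARC as the technical controls that make spoofing tougher, but a record that exists is not the same as a record that enforces. The following is an added example, not code from the original post or from the author's company: it parses the SPF and DMARC TXT records a domain publishes and reports the settings that still let a spoofed "CEO" email through. The records and domains in it are constructed samples, and the lookup itself (a DNS TXT query) is left out so the check runs offline.

```python
# Added example: grade published SPF and DMARC records; sample records are constructed.

def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    # RFC 7208: a mechanism with no explicit qualifier defaults to '+' (pass)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else ("+" if all_term else None)
    return {"mechanisms": [t for t in terms if t != all_term], "all": qualifier}

def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value;' pairs of a DMARC record into a dict of lowercase tags."""
    if not record.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess(spf_record: str, dmarc_record) -> list:
    """Return findings describing weaknesses; an empty list means nothing was spotted."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in ("+", "?", None):
        findings.append("SPF: missing, '+all' or '?all': no sending host is actually denied")
    elif spf["all"] == "~":
        findings.append("SPF: '~all' is a soft fail; only DMARC can turn it into rejection")
    if dmarc_record is None:
        findings.append("DMARC: no record; SPF/DKIM failures are neither enforced nor reported")
        return findings
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to spam; p=reject is stronger")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are lost")
    pct = int(dmarc.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings

# Constructed sample records for a weakly and a strongly configured domain.
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; pct=50")
STRONG = ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")
```

Run `assess(*WEAK)` against the records of your own domain (fetched with your DNS client of choice) and every finding it returns is a gap a spoofed CEO email can still slip through; DKIM signing is the third leg and has to be verified on outbound mail itself.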
Contributed by Stu Sjouwerman, CEO, KnowBe4
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.