Just like a tsunami, spear-phishing attacks continue to be unstoppable. As spam and phishing filtering has improved, attackers have ‘upped' their game even further. Just like in sports, attackers operate at many layers, from amateurs to low-level professionals through to nation-state and specialist gangs focused on specific targets.
Phishers and spammers no longer send tens of millions of the same message any more, making it much harder to detect at the network and ISP level. Even top level anti-phishing gateway solutions fail to detect them accurately every time. Many of the high-level and professional phishing emails are truly unique, like snowflakes, called 'patient zero’ in the industry. This means it’s impossible to create a rule to address every iteration of every phishing email without slowing down email to such an extent that employees can no longer do their job via email efficiently.
Anti-phishing vendors have to walk the line of being able to detect enough of the bad stuff without blocking too much good stuff….which allows a grey area in which good, targeted phishing emails can safely ‘play’ within an inbox today. Herein lies the problem. If my solution catches lots of bad stuff, it’s likely to block lots of good, legitimate email as well, because really well-written phishing emails look exactly the same as a bad one, typically. But, if I dial the detection engine down, employees get lots more junk and spam email to decide what is or isn’t legitimate.
Factor in that most employees may get security training once or twice a year at best, then they forget it and get on with their day jobs. Reminding users about email security and phishing attacks is getting better with physical awareness, posters in the office, etc., which continue to raise awareness to the less professional phishing emails. And, while it can help some of the time, it will never work for all users all of the time.
As an example from my own HotMail account, what if every link (bar the final one) is correct, legal and looks exactly like a legitimate message? It’s unlikely then that even a trained user would spot it and call it suspicious. For example, one email I received was from a vendor invoice for songs I didn't buy. Every single link was a legitimate link, apart from the 'Manage Subscription' link at the bottom. It took me ten minutes to work out that the email was fake. The URL took me to a fake vendor page in Russia that was created the day before.
In short, awareness is critical for employees to ensure that they continue to think and consider before clicking on links. However, professional attacks could even be legitimate internal messages.
One of my favourite spear-phishing hacks was the CNN social media hack in 2014 by the Syrian Electronic Army. A CNN social media employee was tricked into a fake Outlook login page, where he entered his username and password, and gave his credentials to the attacker. The attacker then sent an email on his behalf to the rest of the team asking for their Twitter and Facebook credentials - the proverbial keys to the kingdom - in what looked like a legitimate email from a colleague. There are many other stories we could share as well, but I think you get the theme. Employees are busy, distracted and even with the best training and intentions, will make mistakes. This is where the good phishers flourish.
Awareness- and detection-based technologies will only get you so far. There is no silver bullet to stop really good phishing emails getting to their target, even in 2017, after 20 years of fighting this battle.
Technologies like Isolation can help customers further mitigate this risk for those phishing emails that do get through to inboxes, and provide realtime end-user awareness and education while protecting users from browser-based attacks or potential credential theft attacks that phishers are hoping to succeed with.
Attackers will always outsmart defensive layers. Many years ago, I spent some time with a spammer, Spammer X, and his job was to work out what spam and phishing filters were looking for, every hour of every day and then defeat them. The research pays off when you can steal millions of dollars of data, intellectual property or money via electronic transfer, as some examples.
Spear-phishing isn’t going away; it’s simply too effective for attackers. It’s time to consider new ways to mitigate the risk.