Phishing is a popular technique used by attackers for one simple reason, it works. Whether it’s to entice the target into opening a document or spreadsheet with a malicious attachment (that will attempt to infect their computer with ransomware, spyware, etc.), clicking a link to a malicious website that will do the same or posing as someone in a position of authority (CEO, etc.) to entice the user into action (transferring funds, sending sensitive data to unauthorized parties, etc.), phishing just works.
I’ve talked at length about the limits of the ‘shiny boxes with blinky lights‘ and the ongoing success of phishing campaigns is a perfect example. As we’ve gotten better at defending our imaginary perimeter, the attackers have been busy completely bypassing it.
We have seen a significant increase in requests for phishing campaigns both as part of a larger engagement and as a stand alone engagement to test the organizations response to an actual attack (how many people will open a phishing email, how many will click on a link in a phishing email, how many people will open files [documents, spreadsheets, PDFs, zip files, etc.] and how many people will submit credentials to sites that they visit after clicking a link in a phishing email [please update your banking information, please confirm this deposit, please confirm your pizza order, etc.]).
Thankfully, low-tech [phishing] attacks frequently have low-tech solutions. Indeed, one related defense that I heard multiple information security professionals suggest at this year’s RSA Conference in San Francisco is deceptively simple: Think ahead. In particular, many firms have now created security policies that spell out exactly how wire transfers will be handled. That involves using multiple stages of sign-offs – to help spot any social engineering attacks that might have tricked an employee – as well as preapproved communications channels specifying how such transfers will be commissioned, triple-checked and ultimately approved.
Although our current sample size is relatively small, we are encouraged to see a pattern emerging that organizations who may not do well in an initial phishing engagement incorporate the lessons learned into onboarding for new employees and ongoing training / continuing education for existing employees and generally do significant better in subsequent engagements. Additionally, companies are are making non-technical changes in business process like requiring non-electronic confirmation to move money or transmit sensitive information as well as an increase in user awareness and peer support (“Hey Bob, I just got an email from you, did you send it?”). At this point, I believe that we’re still losing the war but we’re winning more battles and learning more from the ones that we lose.