Teach a user to (avoid a) phish…

PROVERB: Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

The problem with phishing is that only incidentally is it a technological attack – it’s primarily a social engineering attack, albeit one that is mainly carried out via email, or perhaps a messaging app. A phishing email might not even have a malicious payload or direct you to a malicious website. It could simply be a fake invoice, which if presented plausibly enough and sent to the right person, gets paid regardless – a fraud called BEC, or business email compromise.

So defending against it using the usual security technologies is a challenge. Sure, you still need endpoint protection in place for when there is malware involved, which there may well be. For instance, malware is usually present if hackers target you for spearphishing – a phishing attack that is personalised to you, and aimed at breaking into your organisation’s systems.

Anti-malware software is not enough on its own, though. Even if there is malware involved, spearphishing attacks in particular may well employ zero-day exploits – vulnerabilities that have not yet been reported and patched.

And if there isn’t any malware to detect, then you can build all the fences you like, fit alarms, whatever – it won’t stop an imposter or a skilled social engineer. Remember that with attacks like this we’re basically up against confidence tricksters, and they can be extremely good at what they do. The con might seem obvious from the outside or in hindsight, but not when you’re in the middle of it.

What else can you do? The obvious essential is training – never click on a link in an email, never open a file attachment that you’re not expecting, that sort of thing. But that won’t save you on its own, because people can quickly forget a training session, or can still be tricked by a clever imposter.

One idea is to keep people on their toes using simulated attacks. This is something anti-phishing companies can do for their clients, using real examples to craft look-alike threats. When I talked recently to experts from PhishMe, for example, they explained that this has more benefits than just the obvious one of identifying the inveterate clickers.

First, people absorb the lesson a lot better when they’re able to make and learn from mistakes – in a safe environment, obviously! And second, you encourage your users to report suspected phishing attempts. Knowing who is good at that – seeing who spots and reports the simulated ones, for instance – helps you identify whose reports to prioritise when you trawl through the morass later.

Because even without malware, there are still clues for the sharp-witted to pick up. Whether it’s spelling, grammar or other linguistic clues, or perhaps a message ‘from the CEO’ that uses phraseology they’d never use or the wrong email app, it can all ring alarm bells.

Add on some automation and machine learning to look for typical warning signs such as obfuscated links or unexpected email servers, and now you have the makings of a useful defence.
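The warning signs mentioned above (linguistic clues, a link whose visible text does not match where it really goes, mail arriving from a server that has nothing to do with the claimed sender) can be checked mechanically before a message ever reaches the human who is supposed to spot them. The following is an added example written for this page, not code from the post, its author or PhishMe: it scans one raw email for those indicators. The sample message and every domain name in it are constructed placeholders, and the indicator names and urgency phrase list are my own choices.

```python
"""Heuristic phishing-indicator scan for a single raw email message.

Added example (not from the original post or any vendor): looks for the
warning signs the article lists, namely links whose visible text names one
host while the href points at another, mail handed over by a server outside
the claimed sender domain, a Reply-To that quietly redirects answers, and
pressure language. The sample message below is constructed; all domain
names are placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "account suspended")

# Constructed sample: the From domain is the victim's own, but the message was
# handed in by an unrelated server, answers go to webmail, and the link lies.
SAMPLE_MESSAGE = """\
Received: from mail.bulk-sender.example (mail.bulk-sender.example [192.0.2.10]) by mx.victim.example with ESMTP id abc123
From: "Finance Director" <cfo@victim.example>
Reply-To: cfo.victim@free-webmail.example
To: accounts@victim.example
Subject: Urgent: overdue invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please settle this immediately. Review it here:
<a href="http://login.evil-host.example/inv">https://portal.victim.example/invoices</a></p>
</body></html>
"""

# Visible text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain, without scheme or port."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _addr_domain(header_value):
    """Domain part of the first address in a From/Reply-To style header."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else ""


def scan_message(raw):
    """Return a list of (indicator, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _addr_domain(msg["From"])

    # 1. Reply-To that redirects answers away from the claimed sender domain.
    reply_domain = _addr_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))

    # 2. Last hop (top-most Received header) outside the claimed sender domain.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+([A-Za-z0-9.-]+)", str(received[0]))
        hop = m.group(1).lower() if m else ""
        if hop and from_domain and not (hop == from_domain or hop.endswith("." + from_domain)):
            findings.append(("unexpected-server", f"{hop} sent mail for {from_domain}"))

    # 3. Links whose visible text names one host while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        shown_host = _host(shown) if LOOKS_LIKE_URL.fullmatch(shown) else ""
        if shown_host and shown_host != _host(href):
            findings.append(("obfuscated-link", f"shows {shown_host}, goes to {_host(href)}"))

    # 4. Pressure language typical of BEC and credential lures (subject + body).
    lowered = f"{msg['Subject'] or ''} {text}".lower()
    findings.extend(("urgency", p) for p in URGENCY_PHRASES if p in lowered)
    return findings


if __name__ == "__main__":
    for indicator, detail in scan_message(SAMPLE_MESSAGE):
        print(f"{indicator:20} {detail}")
```

None of these checks is proof on its own (a legitimate sender can use a third-party bulk mailer, and a marketing team may well write "urgent"), which is why the output is a list of indicators to weigh rather than a verdict; the value is in surfacing the message for a human to look at, or in prioritising the ones users have already reported.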

All it tells you though is that you have been attacked, not whether you have already been compromised. The downside of knowing the former is that you have to assume the latter, because by the time one of your smarter people reports it, it’s quite possible that someone else has already clicked on the link, opened the attachment, or whatever.
Still, now you have clues to base your forensics on: who else got that message, who opened it, what was the payload, and can you detect it? Good luck!
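The scoping questions just listed (who else got that message, who followed the link) are usually answerable from the mail-gateway and web-proxy logs you already keep, and answering them quickly is what turns "we were attacked" into a bounded "these accounts need attention". The following is an added example, not code from the post or its author: it correlates a reported message's ID against a gateway log and the link's host against a proxy log. The key=value log format, the field names and the domain names are assumptions, and every log line is constructed.

```python
"""Scope a reported phish from mail-gateway and web-proxy logs.

Added example (not from the original post): given the Message-ID of a
reported email and the host its link pointed at, answer "who else received
it", "who was protected by quarantine" and "who followed the link after
delivery". The key=value log format, the field names and the domain names
are assumptions; every log line below is constructed.
"""
import re
from datetime import datetime

# Constructed mail-gateway log: one line per recipient per message.
GATEWAY_LOG = """\
2024-03-04T09:12:01Z gateway msgid=<inv-4471@bulk-sender.example> from=cfo@victim.example rcpt=alice@victim.example action=deliver
2024-03-04T09:12:01Z gateway msgid=<inv-4471@bulk-sender.example> from=cfo@victim.example rcpt=bob@victim.example action=deliver
2024-03-04T09:12:02Z gateway msgid=<inv-4471@bulk-sender.example> from=cfo@victim.example rcpt=carol@victim.example action=quarantine
2024-03-04T09:13:40Z gateway msgid=<news-9@news.example> from=news@news.example rcpt=alice@victim.example action=deliver
"""

# Constructed web-proxy log: one line per outbound request.
PROXY_LOG = """\
2024-03-04T09:15:22Z proxy user=bob src=10.0.0.23 url=http://login.evil-host.example/inv status=200
2024-03-04T09:16:05Z proxy user=alice src=10.0.0.41 url=https://intranet.victim.example/ status=200
2024-03-04T09:31:09Z proxy user=bob src=10.0.0.23 url=http://login.evil-host.example/inv/submit status=200
2024-03-04T08:50:00Z proxy user=dave src=10.0.0.77 url=http://login.evil-host.example/ status=200
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into a dict with a parsed timestamp."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(FIELD.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def scope_incident(gateway_log, proxy_log, message_id, bad_host):
    """Return who received the message, who was protected, and who hit the link.

    'clicked' counts only requests to bad_host made by a delivered recipient
    at or after delivery; any other hit on that host is listed under
    'other_hits' so it can be checked as a separate wave or an earlier lure.
    """
    delivered, quarantined = {}, set()
    for line in gateway_log.splitlines():
        rec = parse_line(line)
        if rec.get("msgid") != message_id:
            continue
        user = rec["rcpt"].split("@")[0]
        if rec["action"] == "deliver":
            delivered[user] = rec["ts"]
        else:
            quarantined.add(user)

    clicked, other_hits = {}, set()
    for line in proxy_log.splitlines():
        rec = parse_line(line)
        host = re.sub(r"^https?://", "", rec["url"]).split("/")[0]
        if host != bad_host:
            continue
        user = rec["user"]
        if user in delivered and rec["ts"] >= delivered[user]:
            clicked.setdefault(user, rec["ts"])  # keep the first click only
        else:
            other_hits.add(user)

    return {
        "delivered": sorted(delivered),
        "quarantined": sorted(quarantined),
        "clicked": clicked,
        "other_hits": sorted(other_hits),
    }


if __name__ == "__main__":
    result = scope_incident(GATEWAY_LOG, PROXY_LOG,
                            "<inv-4471@bulk-sender.example>", "login.evil-host.example")
    for key, value in result.items():
        print(f"{key:12} {value}")
```

In keeping with the "assume compromise" point above, everyone in `delivered` gets looked at, not just the users in `clicked`: a proxy log only sees links that were followed through the proxy, and an attachment opened offline leaves no trace there at all, so the list of recipients who have not yet clicked is a containment list (recall the message, reset what needs resetting), not an all-clear.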


Bryan Betts is sadly no longer with us. He worked as an analyst at Freeform Dynamics between July 2016 and February 2024, when he tragically passed away following an unexpected illness. We are proud to continue to host Bryan’s work as a tribute to his great contribution to the IT industry.