Many folks find fishing – the real thing with a hook, bait, and scaly fish – to be relaxing and enjoyable. I on the other hand find it to be a boring activity with a relatively limited chance for success. After all, there is far more ocean than there are fish, so the chances are that when I throw in my line, there won’t be a fish anywhere near my hook. I may get lucky and have one swim nearby, but the odds are statistically stacked against me.
Now, imagine if you could throw 1,000 hooks in the water at the same time. Suddenly, your odds become much more reasonable. Add to that a device that you could put on your hook to seek fish, and it is a whole new ball game.
My fantasy above is actually quite real in the world of phishing however. For the uninitiated, phishing is the practice of sending emails disguised as legitimate communications from service providers, in an attempt to fool you into clicking a link and providing your credentials, which they can capture and use. In real fishing, we can't practically cast 1,000 hooks at the same time. In the phishing world however, a hacker can easily send a million phishing emails. Typically, such emails are for a particular service provider, a bank for example. Only a small portion of the recipients is statistically likely to use that bank, but since the hacker can send so many email at little or no cost, they still win.
Scarier still are the spear phishing attacks, which involve personalizing the messages to better target the desired audience, and to make them more believable. The better the targeting, the better the return. A good case in point is the recent attack on a small hotel chain reported in ars technica. The hackers obtained a list of employees, and a credit card form used frequently by the hotel staff. The Word document, laden with a macro virus, was sent to all employees. Anyone who opened the document was infected. Because of the targeted nature of the attack, the chain’s anti-virus software did not catch the malware. To further cover their tracks, the hackers setup the malware to communicate with an outside server that had a name very similar to the chain’s domain name.
If a hacker can target a small hotel chain that precisely, they can do it for anyone. With such a targeted attack, the odds are high that someone will fall for it. This explains why so many of the successful hacks and data breaches today begin with a phishing attach. How can we win?
It seems to me that the basic problem stems from the fact that we have all learned to trust email. We get a message from someone we know, and we reflexively assume it is legitimate.
A good indicator of this email trust relationship comes in the form of numerous recent examples of fraudulent wire transfers based on an email request, purportedly from the company CEO. Such an attach begins with a hacker hijacking the CEO’s email, or doing a good job of spoofing it. A message is sent to a company official using the CEO's address, requesting an urgent wire transfer for a large sum of money. The staff member trusts the CEO and the email, so the money is wired. The FBI reported recently that in the past 3 years, $2.3 billion dollars has been lost to this type of fraud.
So, what hope do we have of resisting email attacks that are this sophisticated? Resistance is not futile, but it is certainly hard. Here are some practical ideas:
Break the habit of inherently trusting email. We must get in the habit of assuming that any unexpected email is suspicious. Given that email addresses are easily spoofed or stolen , there is a good chance that the person on the other end of such a message is not who they claim to be.
Block spam. A high percentage of phishing still comes in the form of spam, sent to millions of people at once. If you bank at SunTrust, and you get a message from Bank of America, such an email is easy to dismiss. If they happen to hit with your bank, it is hard to resist a click. If you block spam before it hits your inbox, you can eliminate much of the risk. There are plenty of available products that block spam, either at the server level, or within email programs like Outlook. Cloudmark's DesktopOne is a good, free product for this purpose.
Test your users. There are a variety of companies that will perform simulated phishing tests on your employees, which can become a learning experience for them. GoPhish, a recently introduced phishing simulator, is free to use. Even easier is Dell’s Phishing IQ Test, which acquaints the user with many examples of well disguised phishing attempts, and how to spot them.
Bottom line – we are our own worst enemies because of our natural inclination to trust email. We must break this habit, or the hackers will continue to hook us.