Phishing still steamrolls organizations
Phishing attacks rely on a single moment of inattention or ignorance. Follow a link and the results are front-page news. A strategy for combating these attacks on multiple fronts is vital. Alan R. Earls reports.
Phishing is one of the original forms of cybercrime and yet it still wreaks havoc. Witness the persistence of variations on the Nigerian prince email as an example. This tactic survives because it relies on flaws in human wetware instead of flaws in computer software or hardware.
Specifically, phishers confuse people into inputting passwords or other credentials the attackers want, says Joshua Eckroth, a professor of computer science at Stetson University. Greg Schulz, senior advisory analyst at Storageio, adds, “It’s all about and around social engineering; getting or tricking somebody into getting or giving you something you normally would not want to do.”
Today's users are typically aware that the older form of phishing bait, Trojan horse email attachments from unknown senders, can contain malware, and malware detection software has improved enough to keep most of those payloads out of users' inboxes. Eckroth says that today's typical phishing bait has evolved into important-seeming emails from banks or utility companies that ask you to log into “their” website: a fake look-alike. A few clicks and keystrokes later the phishers have what they want, whether that is login credentials or the codes for that user's hardware security fobs.
About one third of people who receive a phishing message click through, often with disastrous consequences. Even worse, Eckroth explains, the most common variation on the theme today is a version of “spear-phishing” (a targeted attack) called “whaling,” which targets a “big fish” such as a senior-level executive. The level of access those credentials give a phisher is truly dangerous.
So, how do people fall for the tricks of phishing and its cousins: vishing (over the phone), smishing (SMS phishing), pharming (website interception and redirection), and whaling? "Phishing emails and websites are often extremely convincing; typically the only way to tell if a message is legitimate is to look at the links themselves or hover over a link with a mouse," Eckroth says. "And, even then, the link might be so similar that most message recipients wouldn't flag the message as fake."
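The "hover over the link" check Eckroth describes can be automated on the defensive side: compare the domain a link visibly shows with the domain it actually points to, and compare the destination against the brands the organization cares about. The Python below is an added example written for this article, not code from the author or from any of the people quoted; the protected-domain list and the sample email HTML are constructed for illustration, and the two-edit distance threshold is an arbitrary assumption.

```python
import re
from urllib.parse import urlparse

# Constructed list of brand domains this checker protects (assumption, not from the article).
PROTECTED_DOMAINS = ["examplebank.com", "example-utility.com"]

# Matches <a ... href="...">visible text</a> in simple HTML email bodies.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
# Something that looks like a domain inside the visible anchor text.
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def host_of(url):
    """Return the lowercase hostname of a URL (scheme added if missing)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(host):
    """Naive registrable domain: last two labels (good enough for .com-style names)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Classic edit distance, used to spot one-character look-alikes such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(domain, protected, max_distance=2):
    """Protected domains that are close to, but not equal to, the given domain."""
    return [p for p in protected if 0 < levenshtein(domain, p) <= max_distance]


def analyze_links(html, protected=PROTECTED_DOMAINS):
    """Return one finding per link; an empty 'reasons' list means nothing suspicious."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        host = host_of(href)
        href_domain = registrable_domain(host)
        reasons = []

        # 1. Visible text shows one domain, the link goes somewhere else.
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown:
            text_domain = registrable_domain(host_of(shown.group(0)))
            if text_domain != href_domain:
                reasons.append(f"text shows {text_domain} but link goes to {href_domain}")

        # 2. Destination is a near-miss spelling of a protected brand.
        for p in lookalikes(href_domain, protected):
            reasons.append(f"{href_domain} resembles protected domain {p}")

        # 3. Brand name buried as a subdomain of some unrelated registrable domain.
        for p in protected:
            if p in host and href_domain != p:
                reasons.append(f"{p} appears inside {host} but registrable domain is {href_domain}")

        findings.append({"href": href, "text": text, "domain": href_domain, "reasons": reasons})
    return findings


# Constructed sample email body (not a real message) exercising the three checks above.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a>
<a href="https://examplebank.com.secure-verify-login.net/">Confirm your account</a>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run stand-alone it prints one line per link with the reasons it was flagged. The three checks cover the common shapes of the look-alike links the article describes: visible text that lies about the destination, a brand spelled with a swapped character, and a brand name tucked in front of an unrelated domain. The registrable-domain logic is deliberately naive (it takes the last two labels), so a production version would use a public-suffix list.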
Those hoping their cyber insurance policy covers them against successful phishing attacks need to think again. Jeff Wilbur, technical director of the Internet Society's Online Trust Alliance (OTA), says many cyber insurance policies will not help because, ultimately, the phisher convinced an employee to act: a human failure rather than a breach achieved through technology. "We recommend you check your policy because often [phishing] is determined to be an act of a person as opposed to a hacker: if you fooled me, it was on me,” says Wilbur.
“The best defense against any phishing attack is your people; one well-trained user is enough to stop even the craftiest of phishing attacks in its tracks,” says Kent Blackwell, manager for security and vulnerability assessments at Schellman & Company.