The oldest scam on the internet – phishing – is going from strength to strength.
Indeed, the Anti-Phishing Working Group report published in February 2017 tells us that the number of unique phishing sites detected in the second quarter of last year was at an all-time high.
The dreaded bogus links in incoming emails can trigger everything from banking fraud, to ransomware (the Locky attack was set off this way), to theft of Office 365 logins, as this phishing video shows.
So what advice should security partners be offering to their end-users to help them mount an effective defence against this menace?
1. No more phish and spam sandwiches
Poor spam management is a recipe for heightened exposure to phishing risk, since spam email is often the ‘bread’ around the phishy ‘filling’.
It sounds disgusting – but end-users are still swallowing it. In 2016, for example, 71% of ransomware was delivered via spam, making spam the most common attack vector. In fact, it’s even spawned a new term – malspam!
Strong anti-spam detection is therefore a critical ingredient in stopping phishing attacks before they reach the user, and for this a number of critical features are necessary in the security solutions end-users choose, including:
- Antispam filters with adjustable detection thresholds, so that sensitivity can be tuned in response to users’ experience of how effectively spam is being caught.
- Connection to a global email and web reputation database, so that domains and identities associated with known malicious servers can be identified, and their IP addresses blocked.
- IP address behaviour analysis, so that potentially suspicious behaviours like dynamic or masked IP addresses can be detected.
- Document exploit detection to look beyond the email and into the attached files that malspam often makes use of to trigger an exploit.
At its least harmful, spam is a distraction that leaves a bad taste in the business’s mouth. At worst, it carries a truly toxic payload.
2. Beware the newly-borns…
But at the risk of sounding like King Herod, one of the biggest threats in the phishing sphere comes from ‘newly-borns’ – malicious servers that simply haven’t been around long enough to make it onto any web or email reputation database, and so might not be detected.
So it’s critical that businesses’ anti-phishing security goes beyond this, and attempts to analyse the characteristics of the phishing email itself, such as:
- Who sent it
- Where it’s gone to
- What it contains
- When it was sent
- How it reached a user’s inbox
As this excellent summary explains, automatically mapping these factors to known social engineering scenarios (i.e. the many ways in which users can be tricked into doing something they shouldn’t!) reveals tell-tale signs of phishing intent, and the relevant IP addresses can then be blocked.
Needless to say, this process involves some pretty hefty probability calculations, and social engineering scenarios are changing all the time, so the system needs to be able to constantly learn from what it absorbs and update its assessments accordingly.
Machine-learning is the key here, and if implemented effectively it can ensure that businesses’ anti-phishing protection doesn’t behave as if it were born yesterday!
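To make the who / where / what / when / how factors above concrete, here is an added example (not code from the original post or from any vendor it mentions) that parses a constructed message with Python's standard email library and scores it against one or two indicators per factor. The indicator names, weights and sample message are assumptions for illustration; as the text says, a real system would learn such weights rather than hard-code them.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_tz

# Weights are illustrative assumptions, not tuned values from any product.
WEIGHTS = {"reply_to_mismatch": 3, "display_name_spoof": 3, "hidden_recipients": 1,
           "link_text_mismatch": 4, "urgent_wording": 1, "bad_date": 1, "few_hops": 1}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENT_RE = re.compile(r"\b(urgent|immediately|suspended|verify your account)\b", re.I)

def domain_of(mailbox: str) -> str:  # part after '@', lower-cased, '' if absent
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""

def host_of(url: str) -> str:  # hostname of an http(s) URL, '' if not a URL
    m = re.match(r"https?://([^/:\s]+)", url, re.I)
    return m.group(1).lower() if m else ""

def phish_indicators(raw: str) -> dict:
    """Score one raw message on the who / where / what / when / how factors."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    to_hdr = msg.get("To", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    checks = {
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,     # who
        "display_name_spoof": "@" in name and domain_of(name) != from_dom,  # who
        "hidden_recipients": not to_hdr or "undisclosed" in to_hdr,         # where
        "link_text_mismatch": any(host_of(t.strip()) not in ("", host_of(h))  # what
                                  for h, t in LINK_RE.findall(body)),
        "urgent_wording": bool(URGENT_RE.search(body)),                     # what
        "bad_date": parsedate_tz(msg.get("Date", "")) is None,              # when
        "few_hops": len(msg.get_all("Received", [])) <= 1,                  # how
    }
    hits = [k for k, v in checks.items() if v]
    return {"score": sum(WEIGHTS[k] for k in hits), "indicators": hits}

# Constructed sample: every domain is a reserved .invalid / .example name.
SAMPLE = """\
Received: from relay.mailer-3912.invalid by mx.victim.example
From: "it-support@victim.example" <alerts@mailer-3912.invalid>
Reply-To: recover@respond-now.invalid
To: undisclosed-recipients:;
Date: Mon, 06 Mar 2017 03:14:00 +0000
Content-Type: text/html

<p>Your mailbox will be suspended unless you verify your account now.</p>
<a href="http://mailer-3912.invalid/login">https://portal.victim.example/login</a>
"""
```

Running `phish_indicators(SAMPLE)` flags six of the seven indicators (only the Date header is clean) for a score of 13, whereas a plain internal message with a visible recipient and two relay hops scores 0.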
3. Educate, educate, educate!
Security vendors are in this business to make money by selling software – but even they have been vocal about the need for businesses to educate their workforce to spot the signs of phishing, and take evasive action.
Content like these Tips for mitigating phishing attacks, for example, is certainly helpful - but there is a realisation that hints, tips and instructions alone won’t change security culture within organisations.
Instead, businesses must fuel constant internal security conversations using simple, accessible content, and they are looking to resellers and MSPs to deliver this to them, working through cyber-security awareness content partners.
Phishing protection will never be 100% effective. But shouldn’t every business be wishing that whatever slips through the net (or should that be Net?) could be stopped by the ‘human firewall’?