After years of research, analysis, and first-hand experience, here's what we’ve learned:
Phishing is a big deal.
Last month we held a webinar, with the aim of helping organizations to fight back against phishing. Hosted by Crane Hassold, our Senior Security Threat Researcher & former FBI analyst, and Dane Boyd, our Lead Solution Manager, this was one of the most comprehensive and entertaining webinars that we have hosted on phishing and security awareness training.
In this article we’ll give you the highlights of the webinar, and help you understand why and how your organization should combat phishing attacks. If you’d prefer to jump straight over and watch the webinar, be our guest. (It’s free!)
First off, it’s important to realize that phishing is not a cyber crime. Phishing is a way to exploit people, that typically leads to cyber crime in one form or another.
And the thing is, phishing has been around for so long that many people accept it as a fact of life. Many organizations simply assume they will be phished, and do their best to mitigate the risk with technical safeguards.
In a way, they’re right. Phishing and spear phishing combined are the number one infection vector for cyber attacks, accounting for over 90 percent of all infections. To make matters worse, the number of emails with malicious attachments more than doubled in Q1 2016.
So before you invest too heavily in the latest technical controls, consider this. Last year, the NSA was involved with incident response for “…all the high profile incidents you’ve read about in the Washington Post and New York Times.”
Their findings? Not a single one resulted from a zero day threat. Instead, they all started with simple attack vectors such as spear phishing and water holing.
Gauging the Damage
Of course, it’s not phishing itself that costs organizations millions of dollars every month. It’s the payload.
Ransomware and business email compromise (BEC, also known as CEO scams) are the two most expensive causes of phishing-initiated breaches. Ransomware alone cost organizations over $209 million in Q1 2016, and the costs of BEC exceeded $3.1 billion (USD) between October 2013 and January last year.
But those are just the costs of extortion. On average, remediating a breach caused by ransomware or BEC costs between $2 - 4 million (USD).
And of course, there are plenty of indirect costs to consider as well. Other areas to consider include:
- Stock price drops
- Consumer trust damage
- Employee trust damage
- Loss of valuable data (PID, Credentials, Tax records, Intellectual property, etc.)
- Brand reputation
Many of these factors are never considered when large scale data breaches are reported, but any company with first-hand experience will know precisely how much a single incident can cost.
The Rogues Gallery
Our clients are often surprised by the sheer number of different cyber attack vectors routinely delivered via phishing and spear phishing emails. Crane gave a thorough rundown during the webinar, but here’s a quick taste:
Threat #1: Ransomware
Ransomware was the biggest emerging threat of 2016, and unless you’ve been living under a rock for the past 12 months you’ve seen at least one ransomware headline. Simply put, ransomware comes in the form of a trojan that restricts access to files, and extorts the victim for a ransom in exchange for the decryption key.
In all honesty, ransomware is a relatively simple attack vector, and in many cases it’s simply bought or downloaded from dark web markets by unskilled threat actors. Campaigns are often intelligently targeted at those organizations most likely to pay ransoms (healthcare, SMEs, schools, etc.), and the vast majority of Trojans belong to a small number of persistent ransomware families.
Threat #2: Remote Access Trojans (RATs)
RATs allow a threat actor to remotely control the victim’s computer, steal their data, and monitor their activity. This attack vector is generic, and requires almost no skill to use.
Again, RATs are typically bought through dark web markets, and victims often have no idea their device has been infected.
Threat #3: Banking Trojans
Banking Trojans exploded in popularity several years ago, and are still going strong. Used to harvest login credentials, there is little or no interaction between victims and threat actors after the infection has taken place.
Webinjects and redirects are typically used to present victims with a fake login webpage, through which the credentials are stolen. Unfortunately, we have seen examples of sophisticated banking Trojans which can be configured to target internal enterprise systems.
Threat #4: BEC/CEO Scams
When it comes to attack vectors, it doesn’t get simpler or less technical than BEC: There are no attachments, no infections, and no URLs to click. Nonetheless, BEC exploded in 2016, and proved staggeringly effective.
In essence, threat actors spoof the email addresses of trusted sources within an organization, such as the CEO or CFO, to coerce recipients into sending large payments as quickly as possible. Typically, they look something like this:
Thinking this would never work on your organization? Imagine an entry level payment clerk receiving an email like this from the company’s CFO. Unfortunately, threat actors have had tremendous success with BEC scams, often bringing home millions of dollars from a single transaction.
Threat #5: IRS Scams
An offshoot of BEC, IRS scams utilize spoofed emails to request employee W-2s, which are used for tax refund fraud and identity theft. In January last year we saw a 400 percent increase in IRS scams, and more than 40 companies were compromised in Q1 2016.
Threat #6: Advanced Persistent Threat (APT) Malware
Formerly the sole domain of nation state actors, many established cyber crime groups have now earned the title of APT. With stealth and persistence as their hallmarks, APT malware is invariably proprietary, and extremely sophisticated. Nonetheless, spear phishing is the most common delivery mechanism used by APT groups.
Of course, we’re not talking about hastily thrown-together spear phishing campaigns. Stories abound of third party organizations being hacked purely to inform spear phishing campaigns against their larger or more politically/technologically valuable partners, so don’t expect identifying them to be easy.
The War Against Phishing
The trouble with phishing is that technical controls are often ineffective. Advanced spam filters can certainly prevent a large proportion of phishing emails from reaching user inboxes, but threat actors work very hard to constantly set up new domains, email addresses, IPs, and C2 servers, making it functionally impossible to stop them all.
Equally, even the tightest vulnerability/patch management programs can’t guarantee security against the latest Trojans. Even if they could, tactics such as BEC and IRS scams bypass these technical controls altogether by preying on human weakness.
Enter Dane Boyd, our Lead Solution Manager, who explained how end users can be enlisted to tighten network security. By teaching users to identify and report phishing emails, organizations can dramatically reduce their risk of being breached.
According to Dane, there are four keys to the learning process:
- Make it memorable and keep it short
- Repetition and consistency are crucial
- Prepare end users for the real world
- Make success easy
So how does Dane suggest teaching end users to identify and report phishing emails? By consistently and repeatedly sending them simulated phishing emails, and analyzing their responses over time.
Of course, there's more to it than that. For a start, in order for your simulations to be maximally effective, they must resemble real samples collected in the wild. For our own employee defense training (EDT) service, we use the latest phishing-specific threat intelligence to inform realistic simulations of all major phishing and spear phishing threats.
For instance, here's a real example of a phishing email designed to distribute a simple ransomware trojan:
Based on this sample (and many others like it), we constructed our own simulated email for a customer’s EDT campaign. Using the same tactic of posing as an official organization, our simulation uses common social engineering techniques to funnel recipients to the designated payload site.
Of course, since it’s a simulation, no infection takes place. Instead, users who ‘fall for’ simulations are sent immediately to a video training page, which specifically covers the type of email they’ve just received.
But of course, we don’t just want users to ignore or delete phishing emails, we want users to report phishing emails. Reported phishing emails are a fantastic source of intelligence, which can be used to inform future simulations, as well as to continually tighten spam filters and other technical controls.
To that end, Dane explained, it’s vital that you make the reporting process as easy as possible for users.
By adding a simple ‘Report Phish’ button directly to your organization’s email application, we make it incredibly easy for users to report any email that looks potentially malicious. And whether or not you choose to outsource your employee defense training, we strongly advocate this approach. People are naturally lazy, so anything more difficult or complex will massively reduce the number of reports you receive.
Who Cares About Security Awareness?
We’ve said it before, and we’ll say it again: Awareness should never be the aim of your security training initiatives. What you really need is an improvement in security behaviors.
So what level of improvement can you expect from a powerful EDT program?
In our experience, the average failure rate for our initial simulation campaigns with new customers is in the region of 25 percent. That may not sound high, but in reality it means one in every four ransomware emails that makes it into a user’s inbox could easily result in a breach.
Over time, with the addition of a powerful EDT program, that figure falls to around 7 percent, or a failure rate of roughly one in fourteen. New hires and employee attrition rates prevent it from falling even lower, but the addition of real reported phishing emails more than makes up for this. With this resource, IT departments have the opportunity to continually enhance technical controls, and dramatically reduce the number of phishing emails that make it into user inboxes.
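As an added illustration (not code from the webinar or from our EDT service), here is a small script that scores a simulation programme the way the sections above describe: per-campaign failure and report rates, the "one in N" figure, and the repeat clickers who need targeted follow-up. The outcome records are constructed sample data.

```python
"""Score phishing-simulation campaigns from per-user outcome records.
Added example with constructed data; the campaign ids and users are made up."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: (campaign, user, outcome); outcome is "clicked"
# (fell for the simulation), "reported" (used the Report Phish button)
# or "ignored". u8 leaves before the third campaign and u9 is a new hire.
SAMPLE_EVENTS = [
    ("2016-01", "u1", "clicked"),  ("2016-01", "u2", "clicked"),
    ("2016-01", "u3", "ignored"),  ("2016-01", "u4", "ignored"),
    ("2016-01", "u5", "ignored"),  ("2016-01", "u6", "reported"),
    ("2016-01", "u7", "ignored"),  ("2016-01", "u8", "ignored"),
    ("2016-03", "u1", "clicked"),  ("2016-03", "u2", "reported"),
    ("2016-03", "u3", "reported"), ("2016-03", "u4", "ignored"),
    ("2016-03", "u5", "ignored"),  ("2016-03", "u6", "reported"),
    ("2016-03", "u7", "ignored"),  ("2016-03", "u8", "ignored"),
    ("2016-06", "u1", "reported"), ("2016-06", "u2", "reported"),
    ("2016-06", "u3", "reported"), ("2016-06", "u4", "ignored"),
    ("2016-06", "u5", "reported"), ("2016-06", "u6", "reported"),
    ("2016-06", "u7", "ignored"),  ("2016-06", "u9", "clicked"),
]


@dataclass
class CampaignStats:
    sent: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def failure_rate(self) -> float:   # share of recipients who fell for it
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:    # share who reported it (the goal)
        return self.reported / self.sent


def summarize(events):
    """Per-campaign counts, keyed by campaign id in chronological order."""
    stats = defaultdict(CampaignStats)
    for campaign, _user, outcome in events:
        stats[campaign].sent += 1
        if outcome == "clicked":
            stats[campaign].clicked += 1
        elif outcome == "reported":
            stats[campaign].reported += 1
    return dict(sorted(stats.items()))


def one_in(rate: float) -> int:
    """Express a failure rate as 'one in N' (0.25 -> 4, 0.07 -> 14)."""
    return round(1 / rate)


def repeat_clickers(events):
    """Users who failed more than one campaign: candidates for extra training."""
    fails = defaultdict(int)
    for _campaign, user, outcome in events:
        if outcome == "clicked":
            fails[user] += 1
    return {user for user, n in fails.items() if n > 1}
```

Run on the sample, the failure rate drops from 25% to 12.5% across the three campaigns while the report rate climbs from 12.5% to 62.5%, and u1 is flagged as a repeat clicker.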
Of course, percentages aren’t always easy to digest. Instead, try using our free cost of phishing susceptibility calculator to identify the average annual savings your organization can expect to see by reducing phishing susceptibility from 25% to 7%. For a typical 5,000-person organization, it looks like this:
Annual costs @ 30% susceptibility: $333,119
Annual costs @ 7% susceptibility: $93,274
Annual savings from EDT: $239,845
But to achieve these results, it's vital to focus on specific, measurable security behaviors. Nebulous aims like improving security 'awareness' just won't cut it.
We're proud to say that in a period of months, every organization we've worked with has seen dramatic improvements in phishing susceptibility and number of reported emails.
Fight Back Against Phishing
Phishing poses a huge threat to organizations of all sizes, and in all industries. As technical controls become more and more sophisticated, threat actors will have even more incentive to target people instead of technology.
Taking an intelligent, systematic approach to training your employees will dramatically reduce your organization’s risk of being breached, both now and in the future. If you’ve enjoyed this article, and want to know more about phishing and how to secure your organization against it, we heartily recommend you watch our latest webinar.
To watch the webinar on demand, click here.