In a modern business, IT is responsible for a plethora of tasks, including user support, which typically takes up a disproportional percentage of the IT workload.
Yet, we are supposed to assure users that repeat errors are the result of sophisticated attacks by professional hackers. Sure, some are, but the majority are easily spotted and no doubt released by bedwetters that buy the tools necessary on the Dark Web, using their preferred currency Bitcoin. Oh, how they love Bitcoin.
Well, we (as a former IT admin, I’m including myself) are sick and tired of correcting the same errors and usually from the same culprits. In practically every major breach that I can think of, the root cause is ‘human error,’ especially in cases where malware is released in a spear phishing attack.
Carrots not Working, Use Sticks Instead
Enough! It’s time to introduce a penalty system for repeat offenders that release ransomware or other attack vectors. Hit ‘em where it hurts, for every infraction reduce their monthly salary by five percent. When security awareness training fails to increase the level of…yes, you guessed it, security awareness, what other options are left?
“Security awareness training is only as good as the person listening or taking the training. I have had people who took the training and fall victim a few days later while others take it to heart and start to practice safety every day,” said Charles Henson, managing partner at Nashville Computer Inc., a Tennessee-based provider of managed IT services.
I guess companies could have a dedicated IT person to process each employee’s emails but it seems resources are better utilized on tasks that make companies money or improve process efficiency than filtering out phishing attempts.
“People with less natural technological interest often see technology as authoritative, so they are likely to implicitly trust emails, websites, etc. and not consider that they could be spoofed. When people get caught by phishing, it’s usually because they don’t have alarm bells going off when they see something suspicious,” said Tim Singleton, owner of Strive Technology Consulting, a Boulder, Colo.-based IT consultancy that provides support for small businesses in the Boulder/Denver area.
“What happened,” we ask.
“I clicked on the link saying ‘Click me’ and the PC had a meltdown, embedding pieces of the LED monitor in my face. Look!”
“Why did you click the link?”
“Because it was there….”
Words fail me.
The focus must be on fixing the problem so repeat offenders can return to work.
Okay then, let’s think about it logically. Users are generally aware of phishing and that it’s unrelated to fresh or saltwater. It comes in three basic categories:
The first is social engineering without a specific target. Think of it as a mass-mailing spam campaign in which embedded URLs or buttons launch malware, whether ransomware or something else.
The second is targeted. With a little social engineering, the cyber criminals send a phishing email to members of the same company or demographic, with the same attack vectors, buttons, and URLs leading to fake sites that harvest usernames, passwords and other credentials.
The third is the most lucrative of all for hackers if it succeeds. Social engineering lets them send extremely convincing emails to the same company or demographic, but with correct details lifted from a known contact, usually a senior member of your company or a service provider. Instructions to send money are enclosed and are processed if you fall for it.
“We have received phishing attack e-mails claiming to be the business owner and asking for a wire transfer of funds. The e-mail looks like it came from the owner of the business as they used his first and last name in the e-mail from but the underlying e-mail address had a misspelling in the domain name,” said Henson.
Technology Can Help, But It’s Not a Cure-All
Most users receive phishing emails daily, and the numbers increase if free email services are accessed at work. Many technical solutions are available to reduce phishing or screen out email-borne attacks, but there is one takeaway that applies to all of them.
“Like any security solution, you want to prevent where you can, detect where you can’t prevent, and respond when automatic detection fails,” advised Singleton.
Mobile device users are also targeted, and responsive design can make phishing attacks harder to detect as menus and other layout features resize to fit the display of the target device.
“Mobile device management (MDM) solutions for portable devices are essential as well as multiple layers of defense on the desktop and laptop devices. Either software to do real-time monitoring and rollback in the event of a scam, or edge border protection at the firewall level, it is truly up to the IT department to do their due diligence and find a right fit solution for their company,” said Henson.
Of course, endpoint protection, anti-malware programs, and other solutions are essential, especially when you cannot rely on users to screen all communications with a security-first attitude.
Users Need to Own their Mistakes
I sympathize with IT teams that support many users and can only wish you the best of luck as phishing attacks continue to grow in frequency and complexity.
“Like viruses and spam, phishing is an arms race. The better the filters get at catching it, the more realistic the messages will become. I expect this trend to continue, with the most dangerous aspect being personalized spear phishing attacks that are generated for a specific person, which is much harder to catch,” said Singleton.
If the sender’s name is a known contact but the email address doesn’t look legit, that’s a huge clue. Trash it, don’t reply (it’ll bounce anyway, as the email’s purpose is not communication) and don’t click on links or buttons, even if you have anti-virus software. I have seen some that use the unsubscribe link to trick users, so be careful.
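As an added example (not code from the article or from the consultants quoted in it), here is how a mail filter could automate the check Henson and the author describe: a From header whose display name matches a known contact but whose domain is a misspelling of the one that contact actually uses. The contact directory, names and domains are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed sample directory: display name -> the domain that contact really sends from.
# Hypothetical placeholders, not real people or organizations.
KNOWN_CONTACTS = {
    "Pat Owner": "example-corp.com",
    "Payroll Vendor": "vendor-example.net",
}
_KNOWN_BY_NAME = {name.casefold(): domain for name, domain in KNOWN_CONTACTS.items()}

# Domains this many edits away from the expected one are treated as lookalikes.
LOOKALIKE_MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance flags a misspelled domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_from_header(from_header: str) -> str:
    """Classify a From: header value.

    'ok'        - display name is a known contact and the domain matches
    'lookalike' - known contact's name, but the domain is a near-miss misspelling
    'mismatch'  - known contact's name on an unrelated domain
    'unknown'   - display name is not in the directory; other filters decide
    """
    display_name, address = parseaddr(from_header)
    expected = _KNOWN_BY_NAME.get(display_name.strip().casefold())
    if expected is None:
        return "unknown"
    domain = address.rpartition("@")[2].lower()
    if domain == expected:
        return "ok"
    if levenshtein(domain, expected) <= LOOKALIKE_MAX_EDITS:
        return "lookalike"
    return "mismatch"
```

A 'lookalike' or 'mismatch' verdict is exactly the wire-transfer case above: the owner's name in the From line, a domain that is not his.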