How to Manage Spear Phishing Threats

For the last few years, the number of spam emails seems to have gone up drastically, and the danger posed by those emails has increased significantly as well. Now that most of the pharmaceutical emails are being blocked either in the cloud or at the network perimeter, most of what is left is zero-day viruses and malware or other heinous exploits that can wreak havoc in the network. Often, this malware can steal passwords or other private information, or take your files for ransom and cost you hundreds of dollars in lost productivity and employee time.

This is one of the areas of network security we are constantly watching and trying to stay ahead of.

There are two basic types of spam email:

  1. Spam: Unwanted and unsolicited email advertising for legit, or not-so-legit, products, often including pharmaceuticals that should not be talked about in polite company. Spam is literally ‘spammed’ to thousands of recipients, with the hope that a few make it through the spam filters and someone buys the product.
  2. Phishing: Phishing is sent in a similar fashion, but the end motive is much different. Phishing emails are sent to trick the recipient into clicking an embedded link or opening an attached file so that malware can be installed. The malware can do anything from encrypting your files (ransomware) to exploiting a weakness in an application on your computer, which can lead to the bad guys completely taking over your computer or using it for illegal purposes.


Phishing can be broken down even further.

  1. Spear phishing: The bad guy does some reconnaissance and finds out some specifics about who works at a company and what their job is, then specifically targets that individual with an email that looks legit but has fraudulent intentions. For example, a bad guy may find out you work in accounts payable and may send you a fraudulent mail asking for money to be wired to a new account. This can be especially troubling if the bad guy has done some good research and knows your clients. They can then spoof the domain of your client and send you a legit-looking email. It’s a good idea to keep as much information that can be used this way off the internet (specifically LinkedIn or Facebook). Keep your information private, especially when it comes to business and partners.
  2. Whaling: Where would you go if you wanted to steal as much money as possible? Well, to the people who have access to the money, silly! This is called whaling for obvious reasons: they go for the big fish—maybe your company’s CEO/CFO/CIO/President/VP. If they don’t have good training in phishing and network security, your whole business is at risk. I have personally seen many attempts at whaling, and they look something like this:

The CFO gets an email from the CEO asking if the wire to xxx company has gone through yet; they need it done now! The CFO believes they missed the first email, so obviously the CEO is angry because they are late in acting (or so the bad guys would have you believe). The CFO, recognizing the email as being from the CEO (a spoofed email), acts quickly and wires the money to the account in the previously attached PDF file.
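The two warning signs in the scenarios above (a client or executive's domain imitated by a lookalike, and an executive's name arriving from an outside address) can be checked mechanically before a human ever sees the request. The script below is an added example and not the post's own tooling; the domains, the executive name and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample values (assumed, not from the original post): the company's
# own domain, one trusted client domain, and the executive names that get spoofed.
INTERNAL_DOMAIN = "example-corp.com"
KNOWN_DOMAINS = {INTERNAL_DOMAIN, "acme-client.com"}
EXEC_NAMES = {"pat smith"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the reasons (possibly none) this message deserves a second look."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []
    # Whaling pattern: a known executive's display name, but an outside address.
    if name.strip().lower() in EXEC_NAMES and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"executive name '{name}' sent from external domain {sender_domain}")
    # Spoofed client/company pattern: a domain one or two characters off a known one.
    for known in KNOWN_DOMAINS:
        if sender_domain != known and 0 < edit_distance(sender_domain, known) <= 2:
            findings.append(f"sender domain {sender_domain} looks like {known}")
    # Replies silently redirected somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender domain")
    return findings

# Constructed sample modelled on the wire-transfer message described above.
SAMPLE = """From: Pat Smith <pat.smith@examp1e-corp.com>
Reply-To: pat.smith@mail-relay.example.net
To: cfo@example-corp.com
Subject: Re: wire transfer

Has the wire gone through yet? Need it done now.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

A mail gateway rule or an Outlook report-to-IT add-in can apply the same three checks; the point is that each one is cheap and catches a case signature-based filters miss.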

Managing the fraudulent email threat

So how do you protect against this type of threat? Well, most businesses are using some type of malware protection, spam filtering, or anti-virus software. That is a good first step, and it is needed for a solid foundation in email and network security. However, it doesn’t protect you against the latest trend in malware, which uses zero-day exploits that traditional antivirus can’t detect. Antivirus is signature-based, and it takes time to create the signatures and get them to your PC. Spam filtering is typically signature-based as well. Zero-day exploits are called zero-day because they come out before any signatures can be written. Bad guys are always looking for weaknesses in your protection, and you will always have weaknesses. The best way to stop spam from infecting your PC or network is to train your employees about the threats of phishing, spam and unsolicited email.

Emailed malware and fraud attempts fail 100% of the time when users don’t click the email link or don’t respond to the suspicious request.

100% is a pretty good number, and it can be achieved through non-technical means—training.

Fraudulent Email Security Training

A great way to train employees not to click is to send them simulated phishing messages. Study some of the phishing email examples and try to reproduce them, focusing especially on those that target the people most at risk. The goal here is not to humiliate your employees, but to let them know this is a significant problem and you are here to help. It helps the company, but it will also help the employees in their personal digital world when they leave the office. There are some great partners in the cloud to help with this, and many offer free trials to check out their services. Here are a few:


Phishme.com   Excellent resources and education. Easy to use, and offers a nice Outlook add-in that employees can use to report the email to IT. (This can be done for free using Microsoft’s junk email reporter, but I digress…look for more details in a future post.)

KnowBe4.com   Great service that includes Kevin Mitnick Security Awareness training videos. The videos seem to be more ‘real world’ than the others I’ve seen. They really explain the threat from an end-user perspective, and are very valuable in helping employee awareness. The simulated phishing is second to none, with many email templates so you can adjust your training based on your company’s threat levels.

Phish5.com   One thing I can say about phish5 is that their price is right. When I looked at them they were very affordable, and had many email templates that could be used. The only issue I had with them was their inability to provide me with customer testimonials; they didn’t follow up when I asked.

Others   There are many others out there, and more coming all the time.  Post below any that I missed or you have experience with.


From the IT perspective

I’ve found a few home-grown solutions to help the IT department track phishing emails with the help of employees, but I will save that more technical discussion for another post. The key here for IT is to know your enemy. Do you know what emails are getting sent to your employees today? Do you know how they currently respond to those emails? Do they regard clicking on that spam as a serious problem, or are they relying on IT to fix it if something happens? These are all good questions to ask, and I suggest you gather as much information as you can now; it will come in handy when you develop a training program.

There are several ways bad guys can get personal information, including traditional hacking, bad passwords, unknown or forgotten ingresses to the network (think wireless or VPN), unscrupulous vendors, and even disgruntled employees. All can be major security issues for your organization. Review and know your network, and train employees on the basics like phishing, password complexity and other things you take for granted working in IT. Remember, network security is becoming everyone’s job, not just IT’s. Spread the love!
