What Are We Doing Wrong In The Fight Against Phishing?

WannaCry ransomware has attacked companies in more than 100 countries, shutting computer systems down until a ransom is paid in Bitcoin. It’s the largest cyber attack recorded to date.

The cause of this weekend’s cyber attack is still under investigation, but researchers have already begun to examine email as a possible culprit. Email-based phishing attacks have become a favorite of cybercriminals, and phishing is now the primary entry method for hackers accessing organizations, according to a recent Symantec security report.

“Ninety-five percent of the events over the past year, from Sony to the U.S. and French national elections, have all started with phishing,” says Oren Falkowitz, co-founder and CEO of Area 1 Security.

Falkowitz, who previously worked as an analyst for the National Security Agency (NSA), discussed the state of email security in a conversation with Email Marketing Daily.

Falkowitz argues that current security solutions are largely not addressing the core of the phishing problem because they are reactive in nature. They focus on the later stages that come after phishing, addressing such issues as malware and ransomware.

Legacy security solutions, like firewalls or spam engines, also do not specifically focus on phishing.

“Phishing and spam are very different types of problems,” says Falkowitz. “Phishing doesn’t just exist on email, but spam does. Spam is also about bulk email -- it’s about unwantedness as opposed to maliciousness.”

The 2-3% of malicious messages that still land in the inbox cause 100% of the damage, he says.

Email authentication protocols, like DMARC, DKIM and SPF, are also insufficient checks to stop phishing: they verify that a message really came from the domain it claims, not that the domain itself is legitimate.

“The problem is that senders of phishing emails can easily get their messages properly verified,” says Falkowitz. “Anyone can set up their own Google domain and authenticate it themselves.”
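The point above, that an SPF/DKIM/DMARC “pass” only proves domain ownership, is easy to see on a header. The following added example (not code from the article or from Area 1 Security) reads a constructed Authentication-Results header, confirms DMARC passed, and then still flags the sending domain when it is a near-miss of a protected brand domain; the brand list and the sample message are assumptions.

```python
"""Authentication says who sent it, not whether that sender is the brand."""
import re
from email.utils import parseaddr

# Brand domains worth protecting (constructed sample list, not a real policy).
PROTECTED_DOMAINS = {"examplebank.com", "example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc results from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def assess(from_header: str, auth_header: str, max_distance: int = 2) -> str:
    """Classify a message as unauthenticated, trusted, lookalike or
    authenticated-unknown. A DMARC pass on a lookalike domain is the case
    the article describes: properly verified, still phishing."""
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if auth_results(auth_header).get("dmarc") != "pass":
        return "unauthenticated"
    if domain in PROTECTED_DOMAINS:
        return "trusted"
    # Compare registrable labels only, so a swapped TLD does not hide the mimicry.
    label = domain.split(".")[0]
    for brand in PROTECTED_DOMAINS:
        if levenshtein(label, brand.split(".")[0]) <= max_distance:
            return "lookalike"
    return "authenticated-unknown"


# Constructed sample: attacker-owned domain 'examp1ebank.com' with full authentication.
SAMPLE_FROM = '"Example Bank" <alerts@examp1ebank.com>'
SAMPLE_AUTH = ("mx.example.net; spf=pass smtp.mailfrom=examp1ebank.com; "
               "dkim=pass header.d=examp1ebank.com; dmarc=pass header.from=examp1ebank.com")

if __name__ == "__main__":
    print(assess(SAMPLE_FROM, SAMPLE_AUTH))  # prints "lookalike"
```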

Consumer education has also failed to address the issue. 

“It just doesn’t make any sense to blame the user,” says Falkowitz. “It’s like rather than just taking the flu vaccine, you just try to dodge people sneezing. Anyone is likely to click on something. You can’t expect humans to be 100% perfect all the time.”

Successful social engineering scams are thoughtfully researched and designed, not just in an email’s content, but also in the Web page that the email directs to. Emails can be sent in milliseconds, but building a Web site is a much longer process. It is not something that can be done in minutes, and that lead time can be used as a defensive opportunity to protect users before the email ever arrives.

“We recognize phishing is not just an email problem,” asserts Falkowitz. “It’s an email, Web and network problem.”

Area 1 Security is a cloud-based software-as-a-service security solution that uses a variety of techniques, including an active sensor network, visual analytics and machine learning, to eliminate phishing threats before they land in the inbox.

The company can recognize when images such as a brand logo are spoofed and used out of place on the Internet. For example, if an attacker wants to phish financial username and password information, they will first need to build a Web site designed to look like a private bank. Area 1 Security can identify that Web site as potentially malicious in its infancy, inoculating its customers against the threat before the matching emails are sent.

Falkowitz recommends that organizations of all sizes assume they will one day become the victim of a cyber attack.

“Attackers don’t need to hack Visa or American Express to retrieve critical financial information,” says Falkowitz. “They can go after fast-food restaurants or retail chains because they have the same information. Hackers are great at finding the weakest link in a chain to achieve the same desired goal.”
