By Dave Gordon
Phishing attacks have been around for a long time since email went widespread in the mid-1990s. However, just like many other aspects of cybersecurity, phishing attacks have been becoming more sophisticated and effective in the last few years.
Ironically, this rise in phishing attacks is partly in response to the vast improvement and advances in cybersecurity. Thanks to cybersecurity tools like smart firewalls and micro-segmentation, it’s become prohibitively tricky for most cybercriminals to penetrate enterprise perimeters using technical means (not that this would stop anyone from looking for opportunities to slide through your tech defences in places that you may have overlooked).
As a result, personalized phishing attacks are rising – and succeeding – which means that tech-based phishing protection is no longer capable of filtering out the most threatening emails.
The alarming impact of phishing attacks
Phishing attacks are a serious threat to business around the world, effectively enabling cybercriminals to enter your infrastructure through the front door, instead of forcing open a metaphorical window in the back of the building.
As criminals get more surgical in their attacks, they are investing in bespoke email personalization, which can’t be filtered out algorithmically. Customized emails that target specific individuals within your organization are getting harder and harder to distinguish from genuine communications.
Hackers have also noted the vast potential of AI and are now harnessing these tools to their advantage. Advanced tech tools mean that cybercriminals can generate sophisticated, customized phishing emails in seconds.
Justin Fier, the director of cyberintelligence at Darktrace, has previosly said that impersonation attacks will become more common. Attackers can now use AI to automatically generate spear-phishing emails that mimic the writing style of trusted colleagues.
“While human attacks would need hours of social network research to effectively launch such an attack,” said Fier in an interview with SecurityWeek. “The AI attacker can do this in seconds.”
In Q2 2019, Kaspersky reported that their system blocked over 129 million attempts to redirect users to scam websites, a rise of 21 per cent from around 18 million attempts in the previous reporting period. Looking at Canada specifically, 32 per cent of .ca domain owners have team members who were duped by phishing emails and unwittingly shared sensitive information with unauthorized recipients.
It’s clear that phishing attacks are no idle threat, and only a combination of tech and human intelligence can overcome them.
The role of human and tech security defences
Empirically, humans are the weakest link in any security system. If someone is inattentive, stressed, over-stretched, forgetful, or confused, they could end up granting cybercriminals access to your central infrastructure. Hackers can fail a million times and still succeed in the end, but your employees only need to overlook one phishing email for your organization to lose funds, data or fall to malware, ransomware and other cyber attacks.
Yet the increasing sophistication of tech cybersecurity tools has led to a measure of complacency. There’s a sense that it’s the job of the CISO and/or security team to fight cyberattacks, rather than the employees as a whole. More than 50 per cent of employees think that their IT teams will receive an automatic alert if they accidentally download malware onto their computer.
Mika Aalto, CEO of Hoxhunt, is adamant that phishing education needs to go beyond theory and focus on action.
“Awareness in itself isn’t enough: it has to lead to correct action,” he said. “In the domain of social engineering, many attacks reach their goals no matter how aware their targets are.
“Hackers behind phishing attacks aim to tap into people’s emotions. If you generate enough fear or threat, a person will easily do something irrational, like open a shady attachment, even though they know perfectly well they shouldn’t.”
The only way to win this battle is to expand security teams to encompass the entire organization, by using action-oriented, company-wide educational programs to create a security-first culture.
Top-tier security demands an integrated security system
The 2019 Chubb Cyber Risk Survey found that only 31 per cent of respondents receive annual company-wide security training and updates. With such a gaping hole in employee security training, it’s not surprising that 59 per cent of respondents couldn’t identify a credential stuffing attack, 72 per cent couldn’t identify Emotet malware, and 74 per cent couldn’t identify Ryuk ransomware.
“Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet,” said Lou Manousos, CEO of RiskIQ. “Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies.”
Despite the vital importance of raising the bar in human defences, you can’t afford to let your tech guard down. The current rise in social engineering attacks is partly because the barrier of tech defences is high enough to deter many tech-focused attacks. Relaxing that guard would be a big mistake.
Additionally, tech defences play an essential role in terms of backup and restoration. No one can afford to rule out the chances of a successful cyberattack, making it vital to prepare for what happens after one occurs.
The right tech tools keep all your data backed up securely so that you can get back to normal as soon as possible.
Only people, with shields, can stop the spears
In the face of the relentless rise of cybersecurity attacks on organizations of all sizes, it would be foolish to abandon any defence strategy. Smart firewalls, perimeter protections, micro-segmentation, and other cutting-edge security tools are vital for establishing a high barrier around your environment and helping you restore your infrastructure swiftly after an attack.
However, it takes an alert, trained workforce to spot the most sophisticated phishing emails which target the Achilles heel of your organization. Security-conscious companies will make sure to combine both tech and human defences into a single, integrated security system.