As you may know, phishing is a cyber-attack in which criminals lure their victims into taking an action that allows the criminals to acquire sensitive information, such as usernames, passwords, and credit card numbers. Once criminals obtain the victims’ information, they can use it for any number of nefarious purposes, including to steal identities, empty bank accounts, and gain access to corporate networks and private email systems.
Spear-phishing is similar to phishing but targets a specific company, person or organization. The criminal crafts a context-specific campaign that increases the odds that their targeted victim will take the action they desire.
Phishing and spear-phishing are on the rise. According to Symantec, LifeLock’s new parent company, spear-phishing campaigns targeting employees increased 55 percent in 2015. Verizon’s research tells us that in 2015, organized crime syndicates were responsible for 89% of global phishing campaigns. And according to the Internal Revenue Service, there was a roughly 400% increase in phishing and malware incidents during the first six weeks of the 2016 tax season.
Because of these factors, phishing and spear-phishing are arguably some of the biggest cyber threats we face in 2017 and beyond. So, what can companies do to protect themselves? While multiple anti-phishing companies, non-profit research groups and government entities provide online advice and best practices, there are three key steps employers can take that will significantly improve their defenses against the threat of phishing and spear-phishing.
STEP 1: CREATE A ‘SECURITY FIRST’ CULTURE
One of the most important things a company can do is to infuse security into its DNA and create a “Security First” culture. In such a culture, everyone in the organization is “bought in,” and employees take cybersecurity very seriously.
To achieve a Security First culture, a company must drive from the top. The CEO and the leadership team need to convey a sense of unity, focus, vigilance, and urgency around the constantly changing cyber threat landscape. Mid-level managers strengthen this culture through constant training, reinforcement, and discussions. Everyone understands that security isn’t just the job of the InfoSec team, but that it is everyone’s responsibility.
A Security First culture not only allows a company to reduce the risks of cyber threats such as phishing, but it also creates a strategic advantage for the company; customers gravitate towards organizations they can trust to protect their data and interests.
STEP 2: IMPLEMENT DMARC AND DKIM
At a very high level, DomainKeys Identified Mail (DKIM) is an email authentication protocol: the sending organization adds a digital signature to each outgoing message, and receiving systems verify that signature against a public key the sender publishes in DNS. A valid signature proves the message was sent by that domain and was not altered in transit. Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on DKIM and its companion, Sender Policy Framework (SPF). It lets a domain owner publish a policy, also in DNS, telling receivers what to do with mail that claims to be from that domain but fails authentication; for instance, to put it in a spam folder (quarantine) or reject it outright. It also lets the owner receive reports on what receivers saw.
An email processing system that enforces DMARC can weed out most phishing and spear-phishing email that spoofs the exact domain of a legitimate business or trusted individual, provided the spoofed domain publishes an enforcing DMARC policy. This happens well before the “bad email” ever reaches the intended inbox. Note what DMARC does not cover: a message sent from a lookalike domain, from a free webmail account with a forged display name, or from a compromised legitimate account authenticates correctly and passes. Implementation and in-life management of DMARC and DKIM can be accomplished internally if a company’s IT and security teams are technically sophisticated in DNS (Domain Name System) record management and know every service that sends mail on the company’s behalf; moving to an enforcing policy before those senders are set up for SPF or DKIM will block legitimate mail.
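To make the verification and policy decision concrete, here is an added example (not LifeLock’s code, nor any real mail server’s implementation) of the decision a receiving server makes under DMARC once SPF and DKIM have already been evaluated. The DMARC records, domains and messages are constructed sample data, the organizational-domain logic is deliberately simplified, and the example goes a little beyond the paragraph in also covering relaxed versus strict alignment and the separate subdomain policy:

```python
"""DMARC receiver-side evaluation, added here as a worked example; it is
not LifeLock's code or any mail server's implementation.

DMARC passes when SPF or DKIM passes AND the domain that passed "aligns"
with the domain in the RFC5322.From header the user sees.  Alignment is
relaxed by default (same organizational domain) and strict when the record
sets adkim=s or aspf=s.  If neither aligned check passes, the receiver
applies the p= (or sp= for subdomains) disposition the domain owner
published.  All records, domains and messages below are constructed sample
data, and org_domain() is a simplification (real receivers consult the
Public Suffix List).
"""
from dataclasses import dataclass

# Constructed stand-in for DNS: what a TXT lookup of _dmarc.<domain> returns.
# (The DKIM public key a verifier would fetch lives under a separate name,
# <selector>._domainkey.<domain>; signature verification is not modelled here.)
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                   "rua=mailto:dmarc-reports@example.com",
    "example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment is the default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail" or "none", evaluated on MAIL FROM
    spf_domain: str    # the MAIL FROM domain SPF was checked against
    dkim_result: str   # result of verifying the DKIM-Signature header
    dkim_domain: str   # d= tag of that signature, "" if unsigned


def evaluate(msg, records=DMARC_RECORDS):
    """Return (dmarc_result, disposition) in RFC 7489 vocabulary: result is
    "pass", "fail" or "none" (no policy published); disposition is "none",
    "quarantine" or "reject"."""
    from_dom = msg.from_domain.lower()
    txt = records.get(from_dom)
    is_subdomain = False
    if txt is None:                    # fall back to the org domain's record
        txt = records.get(org_domain(from_dom))
        is_subdomain = txt is not None
    if txt is None:
        return ("none", "none")        # nothing published, nothing to enforce
    rec = parse_dmarc_record(txt)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, from_dom, rec["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, from_dom, rec["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", rec["sp"] if is_subdomain else rec["p"])


if __name__ == "__main__":
    cases = {
        "legitimate": Message("example.com", "pass", "bounce.example.com", "pass", "example.com"),
        "direct spoof": Message("example.com", "pass", "attacker.example", "none", ""),
        "subdomain, unsigned": Message("news.example.com", "fail", "news.example.com", "none", ""),
        "lookalike domain": Message("examp1e.com", "pass", "examp1e.com", "pass", "examp1e.com"),
    }
    for name, m in cases.items():
        print("%-20s -> %s" % (name, evaluate(m)))
```

The last case is the caveat from the paragraph above in code: the lookalike domain examp1e.com has no policy of its own to fail, so DMARC returns no verdict and the message is delivered on the receiver’s other heuristics alone.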
There are also several cloud-based services and solutions that incorporate DMARC and DKIM protection for companies that want a turn-key solution. Additionally, DMARC itself generates reports: receivers send aggregate reports to the address listed in the domain’s DMARC record, giving visibility into which sources are sending mail as the domain, in what volume, and whether that mail passed authentication or was quarantined or rejected. This information helps cyber intelligence efforts better understand the threat campaigns and threat actors behind spoofing attempts, and it also surfaces legitimate senders that still need to be authenticated before the policy is tightened.
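The reports mentioned above are XML aggregate reports that receivers mail back to the address in the domain’s DMARC record. The following added example (not LifeLock’s code, and not tied to any particular DMARC service) parses a constructed report in that format and pulls out what an analyst wants to see first: how much mail was rejected, and which sending sources failed authentication. The reporting organization, IP addresses, domains and counts are all invented:

```python
"""Summarise a DMARC aggregate (rua) report.  Added example, not LifeLock's
code.  Receivers send these XML reports, usually daily, to the address in
the domain's rua= tag; each <record> groups messages by sending IP and the
authentication results the receiver observed.  SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format; the organisation,
IPs, domains and counts are invented."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>20170101-example.com</report_id>
    <date_range><begin>1483228800</begin><end>1483315200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>350</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>saas-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the published policy and one summary row per <record>."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        spf = rec.find("auth_results/spf/domain")
        dkim = rec.find("auth_results/dkim/domain")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),   # none | quarantine | reject
            "dkim": pe.findtext("dkim"),                 # aligned DKIM result
            "spf": pe.findtext("spf"),                   # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
            # Domains that actually authenticated; when they differ from
            # header_from the source passed SPF/DKIM but was not aligned.
            "spf_domain": spf.text if spf is not None else "",
            "dkim_domain": dkim.text if dkim is not None else "",
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def summarize(report):
    """Totals per disposition plus the sources that failed DMARC outright.
    A failing source is either someone spoofing the domain or a legitimate
    third-party sender nobody set up for SPF/DKIM; either way it needs a look."""
    by_disp = Counter()
    failing = []
    for r in report["rows"]:
        by_disp[r["disposition"]] += r["count"]
        if r["dkim"] != "pass" and r["spf"] != "pass":
            who = r["spf_domain"] or r["dkim_domain"] or "unauthenticated"
            failing.append((r["source_ip"], r["count"], who))
    return {
        "total": sum(by_disp.values()),
        "by_disposition": dict(by_disp),
        "failing_sources": failing,
    }


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    s = summarize(rep)
    print("%s on %s (p=%s): %d messages, %s"
          % (rep["reporter"], rep["domain"], rep["policy"], s["total"], s["by_disposition"]))
    for ip, n, who in s["failing_sources"]:
        print("  failed DMARC: %s sent %d messages as %s (authenticated only as %s)"
              % (ip, n, rep["domain"], who))
```

In the constructed report two sources fail: one authenticates only as attacker.example and is a spoofing attempt, while the other authenticates as saas-vendor.example and is the kind of legitimate third-party sender that shows up in reports and must be brought under SPF or DKIM before a p=reject policy is safe to keep.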
The bottom line is that a company with properly implemented DMARC and DKIM will see far fewer phishing and spear-phishing attacks that impersonate its own domain, and will force attackers into more advanced schemes such as lookalike domains. With fewer “bad emails” actually making it to an intended target’s inbox, combined with increased visibility of rejected email trends, a company’s risk posture can be greatly improved.
STEP 3: PHISHING GAMIFICATION
Again, criminals are becoming increasingly sophisticated in their phishing and spear-phishing tactics. They are constantly changing and adapting to get around defenses. As a result, employers need to prepare for the possibility that some phishing email may make it through their defenses and ultimately reach the intended target.
How the intended target (employee) reacts will ultimately determine if the phish is successful. To improve the probability of a proper response to phish and spear-phish, a company needs to implement a continuous training program that is embraced by the organization. This can be difficult, as many traditional security training programs are viewed as a compliance check box, ‘boring’ or simply as a nuisance. To overcome this challenge and to ultimately make humans less susceptible, consider phishing gamification.
Gamification can make important education enjoyable, interesting, challenging and memorable. The gamification of phishing and spear-phishing awareness training takes many different forms, but the most effective gamification programs leverage phishing games that are designed as a video game experience.
For example, one phishing game challenges the participant to identify good email and reject/eliminate phishing and spear-phishing email. By accepting the ‘good’ email and rejecting the ‘bad’ ones, the participant gains points and progresses through the game. Clicking on a ‘bad’ phish results in a loss of points and is used as a “training moment,” where context around why the phish was “bad” is provided in real time. In the end, the successful participant is congratulated and presented with a certificate of completion, which is recorded in the company’s training records.
Phishing and spear-phishing will continue to be used by “bad actors” to advance their agenda. To best protect your organization and employees, take the threat seriously and take action.
Leveraging anti-phishing best practices and implementing these three key steps will improve your company’s security posture and enhance the trust in your brand. Ultimately, these actions will help your company’s success by allowing it to stay focused on achieving primary business goals and objectives while avoiding distractions associated with data breach and newsworthy hacks.
Posted by Scott Behm, vice president, cybersecurity engineering and operations, LifeLock