Phishing attacks: Why we're still losing the battle against phoney emails

People deal with hundreds of emails a day and employers aren't doing enough to help, which means the threat of fake messages will continue.
Written by Danny Palmer, Senior Writer

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

Take business email compromise campaigns: one of the most common methods of attack is to send out emails to staff claiming to be from the chief financial officer (CFO). Large numbers of organisations will provide information about their board on their websites, providing attackers with the name of the CFO. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

It's also relatively simple to track down what email addresses of a company look like, not only allowing attackers to convincingly spoof the name and address of the CFO, but to also use this information to target individuals within the company after tracking them down on public-facing sites like LinkedIn.

After that, it's simple to create a convincing looking email asking for data to be shared or money to be transferred. In many cases, the attacker will create a false sense of urgency and secrecy in order to coerce the victim into doing what they want them to.

"There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

If you're a mid-level employee in the finance department and you get an email from the CFO instructing you to do something, you're probably going to do it.  

Even if the employee does want to confirm the request with the CFO, in large organisations it will be difficult just to walk into their office and ask the question – in some cases, the CFO might not even be on the same continent. 

It isn't unusual for important requests to be made over email – attackers know this, so are actively attempting to take advantage of it, because the balance between attacker and victim actively plays into their favour: a cyber criminal creating a spear-phishing campaign has done the work to know for certain who the victim is. The victim can't sit there and meticulously research if the email is really from who it claims to be from.

"There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then making not life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.

"It's too easy to establish false trust so we have to make it more certain that when you receive a message from your bank, you know it's your bank – the bank should be proving itself to you, not asking you to prove yourself to them," says Hatch.

"Similarly, your employer should be proving who they are to you, as well as asking you to put your password in to prove who you are ten times a day. That two-way trust would make a big difference and make false trust more difficult," he adds.

Despite this lack of two-way trust, email remains the key way of conducting business online, with employees expected to answer potentially thousands of messages a week. In that context, it isn't difficult to see how a handful of malicious phishing messages could slip through the net and get treated like any other email – with potentially devastating consequences for both the victim and their company.

Yet organisations still expect their general workforce to act as the last line of defence against phishing attacks, when for the most part, they won't have received much security training outside of an annual awareness programme – often using overly simplified examples of phishing attacks.

"We need to remember that not every employee has been hired as a security professional – security isn't in every employee's job description," says Sadler.

SEE: How to spot a phishing email [CNET]

So coming down hard on someone who falls for a phishing email isn't the answer – especially when the email application hasn't identified the message as a threat.

"Ultimately, people are just trying to do their jobs and cybersecurity incidents are caused unintentionally – people aren't malicious in most cases," says Widdowson.

"What organisations should be doing is talking to their employees and understanding their jobs and what they need to do and making sure that security policies are balanced with that and allow them to do their jobs reasonably, but safely and securely," she adds.

While training is all very well and good, the only way the problem of phishing attacks can get solved for good is if email and cybersecurity policies are built around the needs of the users and security providers can build software that automatically detects suspicious emails. 

That's difficult, because attackers are constantly evolving their tactics, but some of the most basic phishing attacks are still able to bypass protections, indicating it's the technology which needs to be improved, rather than the blame being put on people.

"Our main approach at the moment seems to be to tell people not to fall for it – which is clearly not working. That's where we can shift the playing field, rather than giving people a hard time for falling victim," says Hatch.


Editorial standards