According to the SANS Institute, 95 percent of all attacks on enterprise networks start with a successful spear phishing attack.
For example, Arizona Secretary of State Michele Reagan revealed that the state’s much-publicized August breach in its voter registration system owed itself to a spear phishing attack mimicking an actual state employee.
As in the case of the Arizona breach, the targeted company or organization may not even realize until much later that email was the initial point of entry.
So when you’re training your employees to be more secure, it makes sense to start where the hackers are starting, with email. If you can stop your employees from opening the front door to spear phishers, you’ll have made tremendous strides in securing your company’s digital assets.
A spear phishing attack works by emulating messages from a legitimate source, such as a bank or an executive at your own company. It is effective because the email acts as a “familiar face” in the digital world: just as you’re much more likely to lend $100 to someone you know than to a stranger, you’re much more likely to take an email seriously if it appears to come from a co-worker, vendor, or other institution you do business with.
Basic awareness is an important first step. Tell employees: If you don’t recognize the sender, don’t click on any links in their email and don’t open attachments. Train them to be alert to small differences that give away the game – unusual URLs, typos in the company name, odd formatting and the like.
Train employees to be suspicious of links, especially those encoded with URL shorteners like bit.ly. Rather than clicking on a link in an important email (say, a communication from the company’s bank) it’s better to enter the URL manually or via a browser bookmark.
However, training alone won’t solve the phishing problem. Many successful spear phishing attacks owe their success to the fact that there is no clear differentiation in the email interface between legitimate communications and fraudulent ones.
Let’s take the example of the Business Email Compromise, or BEC. In the BEC scenario an employee with the ability to initiate a wire transfer of corporate funds receives what appears to be an email from someone in the organization who is able to authorize that transfer, often the CEO.
This well-meaning employee follows what seems to be direct instruction from the CEO and sends a large sum of money to the bank account specified. Of course, the email didn’t really come from the CEO, the bank account is not as claimed, and the money promptly disappears.
The FBI reports that since January 2015 BEC attacks have increased 1,300 percent and have bilked 22,000 companies out of $3.1 billion.
These attacks are so successful simply because there is nothing to differentiate them from real business communication. That’s where you can help your users by making sure that the real email and the fake email cannot look the same.
Email authentication accomplishes this task by “locking down” email purporting to be from your domain name. As a domain owner you can enforce authentication so that only email that legitimately comes from your company is delivered to inboxes.
This feat is accomplished using an industry standard called DMARC. Globally, 2.7 billion mailboxes honor the DMARC standard, including those run by Microsoft and Google, so it’s highly likely your own users are covered. With DMARC enforcement in place, any email that claims to be from your domain name but is not will be automatically dropped into spam folders or rejected outright.
That makes the job of training users much easier, because messages impersonating the company’s own employees won’t get through.
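To make the enforcement step concrete, here is an added example (not code from the article or from any DMARC vendor) of the decision a receiving mail server makes once a DMARC record is published. The SPF and DKIM results, the `example.com` domains, the relay server name and the DMARC records are all constructed for illustration; the evaluator follows RFC 7489 in simplified form and leaves out `pct=`, `sp=` and Public Suffix List handling.

```python
"""Added example (not the article's code): a simplified DMARC evaluator.

A receiving mail server has already run SPF and DKIM.  DMARC then asks two
things: does at least one of those results pass for a domain *aligned* with
the visible From: header domain, and if not, what did the domain owner ask
the receiver to do (p=none / quarantine / reject)?  The rules below follow
RFC 7489 in simplified form; pct=, sp= and the Public Suffix List are left
out, and every record and message here is constructed for illustration.
"""
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict.

    Returns {} when the text is not a usable DMARC record (wrong version
    tag or no valid p= tag), in which case DMARC is simply not applied.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return {}
    return tags


def organizational_domain(domain: str) -> str:
    """Registrable domain, assumed here to be the last two labels
    (real receivers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM established before DMARC is consulted."""
    from_domain: str   # domain of the visible From: header
    spf_pass: bool
    spf_domain: str    # domain SPF was checked against (MAIL FROM / HELO)
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if none


def evaluate_dmarc(record_txt: str, r: AuthResults) -> dict:
    """Return {'dmarc': 'pass'|'fail'|'none', 'disposition': ...}.

    'disposition' is 'deliver' when the message passed or no policy
    applies, otherwise the published policy: 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc_record(record_txt)
    if not tags:
        return {"dmarc": "none", "disposition": "deliver"}
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver"}
    return {"dmarc": "fail", "disposition": tags["p"].lower()}


# Constructed scenarios.  The BEC-style message shows the CEO's address in
# From:, but was relayed by an unrelated server: SPF passes for that server's
# own domain, and there is no DKIM signature from example.com.
SPOOFED_CEO_MAIL = AuthResults("example.com", True, "bulk-relay.example.net", False, "")
LEGITIMATE_MAIL = AuthResults("example.com", True, "example.com", True, "example.com")


def compare_policies() -> dict:
    """Same spoofed message under a monitoring-only and an enforcing record."""
    return {
        "p=none": evaluate_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com", SPOOFED_CEO_MAIL),
        "p=reject": evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", SPOOFED_CEO_MAIL),
        "legit": evaluate_dmarc("v=DMARC1; p=reject", LEGITIMATE_MAIL),
    }


if __name__ == "__main__":
    for label, verdict in compare_policies().items():
        print(f"{label:9} -> {verdict}")
```

The point the comparison makes is that the spoofed message fails DMARC under both records; only the `p=reject` record turns that failure into a disposition the receiver acts on. A `p=none` record is still worth publishing first, because the aggregate reports it requests reveal which legitimate senders would break once enforcement is switched on.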
Training can then focus on identifying more obvious spoofs, such as emails sent from domains that are similar to the company’s but off by a few letters. In other words, users won’t see that fake “familiar face” any more, and the fraudulent email will be that much more obvious.
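The "off by a few letters" domains that DMARC cannot cover are something a mail gateway can flag for users. The following is an added example (not the article's code) that scores inbound sender domains against the company's own domain using edit distance plus a few character-substitution folds; `PROTECTED_DOMAINS`, the sample addresses and the `example.com`/`github.com` domains are constructed placeholders.

```python
"""Added example (not the article's code): flag sender domains that are a
few characters off from the company's own domain.  PROTECTED_DOMAINS and
every address below are constructed placeholders."""

PROTECTED_DOMAINS = ["example.com"]  # assumption: the company's real domain(s)

# Visual substitutions frequently seen in lookalike domains; folding them
# first makes "examp1e" and "exarnple" compare equal to "example".  The
# folds are deliberately crude (e.g. "modern" also becomes "modem").
_DIGIT_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    d = domain.lower().rstrip(".").translate(_DIGIT_CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain this sender resembles, or None.

    The real domain and its subdomains are never flagged.  Anything else is
    flagged when it is within max_distance edits after normalization, or when
    it reuses the protected name as a label (e.g. "example-com.net").
    """
    raw = sender_domain.lower().rstrip(".")
    for real in protected:
        real = real.lower()
        if raw == real or raw.endswith("." + real):
            return None
    for real in protected:
        real = real.lower()
        s, r = normalize(raw), normalize(real)
        if edit_distance(s, r) <= max_distance:
            return real
        if r.split(".")[0] in s.replace("-", ".").split("."):
            return real
    return None


def scan_senders(addresses):
    """Map each suspicious From: address to the domain it imitates."""
    flagged = {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        hit = lookalike_of(domain)
        if hit:
            flagged[addr] = hit
    return flagged


# Constructed inbound From: addresses for the demonstration.
SAMPLE_SENDERS = [
    "ceo@example.com",              # genuine
    "it-support@mail.example.com",  # genuine subdomain
    "ceo@examp1e.com",              # digit 1 in place of letter l
    "finance@exarnple.com",         # "rn" in place of "m"
    "payroll@example-com.net",      # protected name reused as a label
    "newsletter@github.com",        # unrelated, not flagged
]

if __name__ == "__main__":
    for addr, real in scan_senders(SAMPLE_SENDERS).items():
        print(f"{addr} looks like {real}")
```

A check like this is best used to add a visible warning banner or a quarantine tag rather than to block outright, since a short protected name will also match unrelated legitimate domains within two edits; the threshold and the fold table should be tuned against the company's own mail flow.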
Of course, training your team on email safety won’t protect you from every danger. But it’s a good place to start – particularly when combined with technical measures that can give your employees something to look for.
This article was originally published in our monthly newsletter, Today's Cybersecurity Leader.