Imagine this composite scenario, drawn from real-life customer experiences: Laura is the CFO of SoBank and receives an urgent email from Tom, a partner at Dorling Clayton, SoBank's external law firm.
The email came from Tom's Dorling Clayton address and shows a photo of him next to his name in the sender display. The email reads:
Excuse the speedy nature of this message - I'm at Finance2020 and just about to speak on stage. But just had a frantic call from one of our senior partners saying that some of the expenses for SoBank last quarter weren't paid.
Can you please make sure $11,522 is paid into the following account ASAP?
Account no: 12345678
Sort code: 00-00-02
Please could you action this as soon as possible to avoid any missed payments?
Laura panics. How could the expenses not have been paid? She believes she must have made a mistake and is concerned her company will be penalized if the payment is held up even further. Laura transfers the money into the account. It isn't until the next morning that she finds out she wired $11,522 to a hacker, but at that point it's too late.
Anatomy of a Spear-Phishing Attack
According to the FBI, $26 billion has been lost to business email compromise attacks like this one since 2016. How can so much money be compromised through email alone? The truth is, it's easier than many of us realize. A quick look at how a hacker was able to trick Laura can tell us where key vulnerabilities lie.
Every spear-phishing attack consists of a target, like Laura; someone who is being impersonated, in this case, Tom; and an attacker orchestrating everything behind the scenes. It's incredibly easy for attackers to use publicly available information and social media to make their impersonations as believable as possible.
In this case, the attacker can find a press release announcing Dorling Clayton's work with SoBank on a joint venture with another company. From there, they can track down Laura and Tom on LinkedIn and on their company websites, which also provides a photo of Tom to use in the email spoof. A quick look at Tom's Twitter profile, too, reveals a post about his upcoming talk at Finance2020, including the date and time, which will add credibility to the message. The upcoming talk adds a sense of urgency to the email, a proven technique for getting the target to take action.
Spoofing Tom's email address is also relatively easy for the hacker to do. DMARC is an email authentication technique that verifies who is allowed to send emails on behalf of a domain. The thing is, not many businesses actually have DMARC in place. It's estimated that 80% of company Web domains don't use email authentication. All the attacker has to do is verify whether or not Dorling Clayton has DMARC in place. And luckily for them, the firm does not.
This means the hacker can send an email from dorlingclayton.com and legacy security tools won't be able to detect it. Legacy systems also only look for display name impersonations of people within a company's own organization, which can be circumvented by impersonating an external contact.
Humans Are Our Most Vulnerable Layer of Security
According to Symantec, there are 135 million phishing attacks attempted every day — and when they're successful, they can be devastating to a business and can risk both money and sensitive information. Today, for example, the average cost of a data breach is around $3.92 million in the US.
One major part of the problem is that businesses have predominantly focused on protecting machines but have neglected an essential element: the people who use them. People now spend 28% of their time reading and answering emails each workday. It's their main channel of communication but it's also one of the riskiest platforms in business. On email, people can be duped into making fraudulent wire transfers like Laura, or they can accidentally email highly sensitive or confidential information to the wrong person.
People make mistakes, they break the rules and they can be hacked, which is why protecting people is much more challenging than protecting machines. Specifically, no two humans are the same. We make decisions based on psychological factors. Our connections and relationships are complex, they change over time, and we communicate in a variety of complicated and dynamic ways. This means that we can't secure people with the same "if-this-then-that" logic used to protect machines from malicious threats.
Businesses, therefore, need a new way of thinking to protect people and the ways they interact with networks, devices and databases. Securing the human layer requires advanced technology that can understand human behavior and relationships online to detect and prevent incidents of human error in the moment or block threats in real-time, without disrupting people's productivity. Security leaders must consider how to apply the same level of advanced technology and resources to protecting humans as they do to protecting the rest of the enterprise.