Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Tim Sadler
Tim Sadler
Connect Directly
E-Mail vvv

Why Humans Are Phishing's Weakest Link

And it's not just because they click when they shouldn't... they also leave a trail of clues and details that make them easy to spoof

Imagine this composite scenario, drawn from real-life customer experiences: Laura is the CFO of SoBank and receives an urgent email from Tom, a partner at Dorling Clayton, SoBank's external law firm.

The email came from Tom's Dorling Clayton address and shows a photo of him next to his name in the sender display. The email reads:

Hi Laura, 

Excuse the speedy nature of this message - I'm at Finance2020 and just about to speak on stage. But just had a frantic call from one of our senior partners saying that some of the expenses for SoBank last quarter weren't paid.  

Can you please make sure $11,522 is paid into the following account ASAP?

Account no: 12345678
Sort code: 00-00-02

Please could you action this as soon as possible to avoid any missed payments?

Thank you,


Laura panics. How could the expenses not have been paid? She believes she must have made a mistake and is concerned her company will be penalized if the payment is held up even further. Laura transfers the money into the account. It isn't until the next morning that she finds out she wired $11,522 to a hacker, but at that point it's too late.

Anatomy of a Spear-Phishing Attack
According to the FBI, $26 billion has been lost to business email compromise attacks like this one since 2016. How can so much money be compromised through email alone? The truth is, it's easier than many of us realize. A quick look at how a hacker was able to trick Laura can tell us where key vulnerabilities lie.

Every spear-phishing attack consists of a target, like Laura; someone who is being impersonated, in this case, Tom; and an attacker orchestrating everything behind the scenes. It's incredibly easy for attackers to use publicly available information and social media to make their impersonations as believable as possible. 

In this case, the attacker can find a press release announcing Dorling Clayton's work with SoBank on a joint venture with another company. From there, they can track down Laura and Tom on LinkedIn and on their company websites, which also provides a photo of Tom to use in the email spoof. A quick look at Tom's Twitter profile, too, reveals a post about his upcoming talk at Finance2020, including the date and time, which will add credibility to the message. The upcoming talk adds a sense of urgency to the email, a proven technique for getting the target to take action. 

Spoofing Tom's email address is also relatively easy for the hacker to do. DMARC is an email authentication technique that verifies who is allowed to send emails on behalf of a domain. The thing is, not many businesses actually have DMARC in place. It's estimated that 80% of company Web domains don't use email authentication. All the attacker has to do is verify whether or not Dorling Clayton has DMARC in place. And luckily for them, the firm does not. 

This means the hacker can send an email from dorlingclayton.com and legacy security tools won't be able to detect it. Legacy systems also only look for display name impersonations of people within a company's own organization, which can be circumvented by impersonating an external contact.

Humans Are Our Most Vulnerable Layer of Security
According to Symantec, there are 135 million phishing attacks attempted every day — and when they're successful, they can be devastating to a business and can risk both money and sensitive information. Today, for example, the average cost of a data breach is around $3.92 million in the US. 

One major part of the problem is that businesses have predominantly focused on protecting machines but have neglected an essential element: the people who use them. People now spend 28% of their time reading and answering emails each workday. It's their main channel of communication but it's also one of the riskiest platforms in business. On email, people can be duped into making fraudulent wire transfers like Laura, or they can accidentally email highly sensitive or confidential information to the wrong person.

People make mistakes, they break the rules and they can be hacked, which is why protecting people is much more challenging than protecting machines. Specifically, no two humans are the same. We make decisions based on psychological factors. Our connections and relationships are complex, they change over time, and we communicate in a variety of complicated and dynamic ways. This means that we can't secure people with the same "if-this-then-that" logic used to protect machines from malicious threats.

Businesses, therefore, need a new way of thinking to protect people and the ways they interact with networks, devices and databases. Securing the human layer requires advanced technology that can understand human behavior and relationships online to detect and prevent incidents of human error in the moment or block threats in real-time, without disrupting people's productivity. Security leaders must consider how to apply the same level of advanced technology and resources to protecting humans as they do to protecting the rest of the enterprise.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "This Is Not Your Father's Ransomware."

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-23
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...