Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/6/2020
10:00 AM
Tim Sadler
Tim Sadler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Humans Are Phishing's Weakest Link

And it's not just because they click when they shouldn't... they also leave a trail of clues and details that make them easy to spoof

Imagine this composite scenario, drawn from real-life customer experiences: Laura is the CFO of SoBank and receives an urgent email from Tom, a partner at Dorling Clayton, SoBank's external law firm.

The email came from Tom's Dorling Clayton address and shows a photo of him next to his name in the sender display. The email reads:

Hi Laura, 

Excuse the speedy nature of this message - I'm at Finance2020 and just about to speak on stage. But just had a frantic call from one of our senior partners saying that some of the expenses for SoBank last quarter weren't paid.  

Can you please make sure $11,522 is paid into the following account ASAP?

Account no: 12345678
Sort code: 00-00-02

Please could you action this as soon as possible to avoid any missed payments?

Thank you,

Tom

Laura panics. How could the expenses not have been paid? She believes she must have made a mistake and is concerned her company will be penalized if the payment is held up even further. Laura transfers the money into the account. It isn't until the next morning that she finds out she wired $11,522 to a hacker, but at that point it's too late.

Anatomy of a Spear-Phishing Attack
According to the FBI, $26 billion has been lost to business email compromise attacks like this one since 2016. How can so much money be compromised through email alone? The truth is, it's easier than many of us realize. A quick look at how a hacker was able to trick Laura can tell us where key vulnerabilities lie.

Every spear-phishing attack consists of a target, like Laura; someone who is being impersonated, in this case, Tom; and an attacker orchestrating everything behind the scenes. It's incredibly easy for attackers to use publicly available information and social media to make their impersonations as believable as possible. 

In this case, the attacker can find a press release announcing Dorling Clayton's work with SoBank on a joint venture with another company. From there, they can track down Laura and Tom on LinkedIn and on their company websites, which also provides a photo of Tom to use in the email spoof. A quick look at Tom's Twitter profile, too, reveals a post about his upcoming talk at Finance2020, including the date and time, which will add credibility to the message. The upcoming talk adds a sense of urgency to the email, a proven technique for getting the target to take action. 

Spoofing Tom's email address is also relatively easy for the hacker to do. DMARC is an email authentication technique that verifies who is allowed to send emails on behalf of a domain. The thing is, not many businesses actually have DMARC in place. It's estimated that 80% of company Web domains don't use email authentication. All the attacker has to do is verify whether or not Dorling Clayton has DMARC in place. And luckily for them, the firm does not. 

This means the hacker can send an email from dorlingclayton.com and legacy security tools won't be able to detect it. Legacy systems also only look for display name impersonations of people within a company's own organization, which can be circumvented by impersonating an external contact.

Humans Are Our Most Vulnerable Layer of Security
According to Symantec, there are 135 million phishing attacks attempted every day — and when they're successful, they can be devastating to a business and can risk both money and sensitive information. Today, for example, the average cost of a data breach is around $3.92 million in the US. 

One major part of the problem is that businesses have predominantly focused on protecting machines but have neglected an essential element: the people who use them. People now spend 28% of their time reading and answering emails each workday. It's their main channel of communication but it's also one of the riskiest platforms in business. On email, people can be duped into making fraudulent wire transfers like Laura, or they can accidentally email highly sensitive or confidential information to the wrong person.

People make mistakes, they break the rules and they can be hacked, which is why protecting people is much more challenging than protecting machines. Specifically, no two humans are the same. We make decisions based on psychological factors. Our connections and relationships are complex, they change over time, and we communicate in a variety of complicated and dynamic ways. This means that we can't secure people with the same "if-this-then-that" logic used to protect machines from malicious threats.

Businesses, therefore, need a new way of thinking to protect people and the ways they interact with networks, devices and databases. Securing the human layer requires advanced technology that can understand human behavior and relationships online to detect and prevent incidents of human error in the moment or block threats in real-time, without disrupting people's productivity. Security leaders must consider how to apply the same level of advanced technology and resources to protecting humans as they do to protecting the rest of the enterprise.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "This Is Not Your Father's Ransomware."

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29129
PUBLISHED: 2020-11-26
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29130
PUBLISHED: 2020-11-26
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-26936
PUBLISHED: 2020-11-26
Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.
CVE-2020-29042
PUBLISHED: 2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
CVE-2020-29043
PUBLISHED: 2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.