Recap: ‘State of the Phish’ SecureWorld Webinar

On January 28 — which just happened to be Data Privacy Day — Wombat sponsored and participated in SecureWorld’s State of the Phish™ – A 360-Degree View web conference. The session featured Wombat CTO Trevor Hawthorn as well as Garrett D. Felix, Privacy Officer and Information Security Officer for EXOS|MediFit, and moderator Dr. Faith Heikkila, CISO and Privacy Officer for Greenleaf Trust.

Hundreds of attendees listened as the presenters discussed the continued prevalence of phishing and spear phishing attacks and offered advice about how to mitigate the threat and the associated risks to productivity, intellectual property, and business reputations. As was noted, social media have made it much easier for fraudsters to obtain information that makes malicious emails seem legitimate. In addition, attackers use tried and true social engineering tactics to exploit users’ natural curiosity and tempt them into clicking links and intriguingly named attachments.

Dr. Heikkila began the web conference by providing some tips end users can use to recognize and avoid dangerous URLs. She advised that users be encouraged to trust their instincts as well, saying “If it looks or feels wrong, it probably is.”

Garrett Felix then took center stage, sharing some of his personal experiences and advice about attacks his team has faced (and averted). He shed some light on the rise of whaling attacks, which are spear phishing emails that target executives and other important stakeholders within an organization. He noted that the second half of 2015 saw an increase in these scams, particularly within small and medium-sized global businesses.

Felix indicated that technical safeguards can help catch these types of messages, but he stressed that users also need to be made aware that these types of attacks exist in the workplace. He offered some insights into the characteristics of whaling attacks, which often lead to request for a wire transfer:

• Recipients should be made aware that sophisticated attackers are able to gain access to names, roles, and email structures. This makes messages seem more legitimate.
• An attacker is likely to pose as a high-level employee, one who would need access to funds or sensitive information.
• Trust is often built over time, with senders at first asking for pieces of information that seem harmless. “Familiar” names are also used (Mike instead of Michael, Pam instead of Pamela, for example), which helps to create a sense of confidence and intimacy.
• Messages are generally short and sweet, and they are often made to appear they have been sent from a personal email account or a mobile device.
• “Payoff” messages are often sent after a comfort level has been established. Attackers like to take advantage of their “busy” targets. It’s not uncommon to see a late-Friday request for a wire transfer or a confidential document, which arrives as the recipient is trying to wrap up his or her tasks for the week — and with the hopes that he or she will fulfill the request without questioning (or vetting) it.
• Requests are generally significant but not exorbitant — a large but not ridiculous amount of money, for example.

Trevor Hawthorn rounded out the scheduled portion of the conference with an overview of the results of Wombat’s recently released 2016 State of the Phish Report, which features data compiled from millions of simulated phishing attacks and responses from a survey of hundreds of infosec professionals. Among other statistics, Hawthorn shared data points about the growth of successful phishing attacks (a 13% increase since last year’s report), the rise in spear phishing attacks (up 22% since last year), and the industries that have the highest average click rates (telecoms, professional services, and government).

In speaking about why phishing attacks have continued to rise over the past years, Hawthorn indicated that he feels the answer is simple: they’re relatively easy to execute and they work. Because technical advances in firewalls and other network safeguards have made hacking more difficult, attackers look to users as inroads — and their successes can’t be disputed. Looking forward a couple of years, he feels that the threat landscape won’t change until targeted organizations force it to change; if phishing continues to work, attackers will continue to use it.

Hawthorn shared additional insights that infosec security teams can use in planning — and justifying spending on — their defense against phishing and spear phishing attacks:

• Phishing techniques have long tails. security response teams should recognize that the toolsets of today’s high-end attackers will eventually trickle down to less sophisticated attackers.
• Phishing is not just a problem for the large enterprise. Attackers are increasingly targeting small and medium businesses because their defenses are generally not as robust as larger organizations.
• Though malware is a well-recognized side effect of successful phishing attacks, it’s often a means to an end. What attackers really want are credentials; they will use malware to get in, but once they have credentials, they get rid of the malware so they can be “invisible” on the network (i.e., their footprint is that of an authorized user).
• It’s easy to find out a little bit of information about someone — and even minor personalization pays dividends. Attacks that include a first or last name are nearly 20% more likely to be clicked than a generic message.
• One of the most major costs of phishing is lost productivity; a successful attack takes employees and IT teams off the ball and away from doing business. (Hawthorn recommended listeners check out a recent 60 Minutes report that highlights the major impacts businesses are experiencing as a result of cyber attacks.)
• Awareness and training work — in all industries. The maturity of a cyber security program has far more influence on average click rates than other factors.

Hawthorn closed his portion of the conference by stressing the value of training and measurement — though he acknowledged that security officers tend to be uncomfortable with trusting users. He recommends evaluating user vulnerabilities (using assessments like simulated phishing attacks) and equating the management of end-user risk to the management of technical risks. You can assess users, train them, measure the effectiveness of efforts, and (ultimately) use ongoing “maintenance” to mitigate risks. After all, the path to better cyber security is a marathon, not a sprint.

To listen to the webinar firsthand, visit the SecureWorld website. To explore the additional findings of the 2016 State of the Phish survey and data analysis, download the full report.