James Aguilan | 19 February 2019
Even with everything we know about practising good Cyber Security hygiene, spoofing still works. One of the most common uses of spoofing is phishing: an attempt by an individual or group to extract credentials, personal information or an action (such as a payment) from unsuspecting users by employing social engineering techniques.
Social engineers also use social media, instant messaging, text messages and voice calls, but e-mail remains the most common channel because of inherent flaws in how e-mail was designed. Simple Mail Transfer Protocol (SMTP), the standard for sending and relaying e-mail, is over 30 years old and was never intended to validate senders or verify the integrity of received messages: both the envelope sender given at the SMTP layer and the From: header the recipient sees are supplied by the sending system, and neither is checked by the protocol itself. This makes it easy to fake where an email claims to come from. Sender authentication (SPF, DKIM and DMARC) has since been bolted on, but it only helps where the sending domain publishes an enforcing policy and the receiving mail system actually checks it.
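Because SMTP checks none of this, the receiving side has to. The following is an added example (not code from the original article or from QA) that parses a raw message with Python's standard `email` module and flags the sender-spoofing signals a mail gateway or analyst would look at: the envelope sender (Return-Path) disagreeing with the visible From: domain, a Reply-To that silently redirects replies, and the SPF/DKIM/DMARC verdicts in the Authentication-Results header stamped by the receiving MX. The two messages, the `mx.example.com` authserv-id and all domains are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). SPOOFED is what a display-name
# spoof typically looks like once the receiving MX has stamped its
# Authentication-Results header; CLEAN is a legitimate message for comparison.
SPOOFED = """\
Return-Path: <bounce-7731@mail.attacker-example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail.attacker-example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <ceo@example.com>
Reply-To: <ceo.jane.doe@webmail-lookalike.example>
To: employee@example.com
Subject: Urgent wire transfer today

Please process the attached invoice before close of business.
"""

CLEAN = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Jane Doe (CEO)" <ceo@example.com>
To: employee@example.com
Subject: Board pack for Thursday

Slides attached, no action needed.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg, trusted_authserv):
    """Parse the Authentication-Results header added by our own MX.

    The authserv-id (the token before the first ';') must name our MX: a
    sender can freely include a forged Authentication-Results header, so any
    header not stamped by the trusted server is ignored.
    """
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())          # unfold and squeeze whitespace
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            results[method] = verdict
    return results


def sender_checks(raw_message, trusted_authserv="mx.example.com"):
    """Return a list of spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    header_from = domain_of(msg["From"])
    envelope_from = domain_of(msg["Return-Path"])
    reply_to = domain_of(msg["Reply-To"])

    # The SMTP envelope sender and the From: header the user sees are set
    # independently by the sender; SMTP never requires them to agree.
    if envelope_from and header_from and envelope_from != header_from:
        findings.append(f"envelope sender {envelope_from} != header From {header_from}")

    # A differing Reply-To sends the victim's reply somewhere they never saw.
    if reply_to and reply_to != header_from:
        findings.append(f"Reply-To {reply_to} differs from From {header_from}")

    auth = auth_results(msg, trusted_authserv)
    if not auth:
        findings.append("no Authentication-Results from trusted MX")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for From domain")
    if auth.get("dkim") in (None, "none"):
        findings.append("message is not DKIM-signed")

    return findings


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("CLEAN", CLEAN)):
        print(name, sender_checks(raw) or "no indicators")
```

Note that `spf=pass` on its own proves nothing here: SPF is evaluated against the envelope sender, which the attacker controls, so the check that matters is DMARC alignment against the From: domain the user actually reads.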
Phishing is a major concern as it's typically the initial attack vector attackers use to compromise an organisation. Government agencies have become prime targets because they hold citizens' personally identifiable information (PII), which attackers then use to make further phishing campaigns more convincing. From an attacker's perspective, the aim is to trick the user into clicking a malicious link or opening a malicious attachment so that they can establish a foothold. What the attacker does from there depends on their motive, which is most often financial.
A 2018 document from the National Cyber Security Centre (NCSC) provides guidance to organisations on how they can defend themselves against phishing attacks, and warns that phishing emails may look as though they come from legitimate sources. Phishing messages often include a sense of urgency or a threatened consequence if the recipient doesn't act quickly. The NCSC encourages people to be careful about opening attachments or clicking on links in emails, to look up websites and phone numbers through a web search rather than trusting those provided in the message, and to call the organisation directly to find out whether the email is genuine.
Despite the increase in Cyber Security awareness, phishing attacks show no sign of slowing down. Organisations can use multifactor authentication, keep security and antivirus software up to date and back up files to cloud storage to limit the damage, but there is no single control that guarantees nobody will fall for a phishing lure. The most effective approach is defence in depth, covering technology, procedures and education.
Technology can secure the perimeter of systems and networks and may stop many phishing emails from ever reaching users, but this will never be guaranteed. A trained person can recognise malicious intent, and the context around a request, that even the most advanced machine learning model misses. Education isn't foolproof either: some attacks are so well crafted that they not only evade advanced technical controls but also trick the most well-educated users. That's because social engineers are masters of deception, luring even the most cautious computer users by using open source intelligence (OSINT) and personal information disclosed in data breaches, which dramatically increases their likelihood of success. They also use timing to their advantage. For instance, anything related to pay cheques typically goes out toward the middle or end of the month, so a fake payroll notification sent at that time looks entirely routine.
What are the chances of you questioning the integrity of a flawlessly crafted email that appears to be from a senior executive? In many cases, you wouldn't question a request from senior management for fear that not complying will put your job on the line. Combine all of this with a sense of urgency and you have the perfect recipe to override a person's better judgement.
QA have an extensive Cyber curriculum offering a number of courses to improve Cyber Awareness. QA have also partnered with The AntiSocial Engineer Limited to provide advanced social engineering and phishing courses.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.