Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/6/2020
10:00 AM
Tim Sadler
Tim Sadler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Humans Are Phishing's Weakest Link

And it's not just because they click when they shouldn't... they also leave a trail of clues and details that make them easy to spoof

Imagine this composite scenario, drawn from real-life customer experiences: Laura is the CFO of SoBank and receives an urgent email from Tom, a partner at Dorling Clayton, SoBank's external law firm.

The email came from Tom's Dorling Clayton address and shows a photo of him next to his name in the sender display. The email reads:

Hi Laura, 

Excuse the speedy nature of this message - I'm at Finance2020 and just about to speak on stage. But just had a frantic call from one of our senior partners saying that some of the expenses for SoBank last quarter weren't paid.  

Can you please make sure $11,522 is paid into the following account ASAP?

Account no: 12345678
Sort code: 00-00-02

Please could you action this as soon as possible to avoid any missed payments?

Thank you,

Tom

Laura panics. How could the expenses not have been paid? She believes she must have made a mistake and is concerned her company will be penalized if the payment is held up even further. Laura transfers the money into the account. It isn't until the next morning that she finds out she wired $11,522 to a hacker, but at that point it's too late.

Anatomy of a Spear-Phishing Attack
According to the FBI, $26 billion has been lost to business email compromise attacks like this one since 2016. How can so much money be compromised through email alone? The truth is, it's easier than many of us realize. A quick look at how a hacker was able to trick Laura can tell us where key vulnerabilities lie.

Every spear-phishing attack consists of a target, like Laura; someone who is being impersonated, in this case, Tom; and an attacker orchestrating everything behind the scenes. It's incredibly easy for attackers to use publicly available information and social media to make their impersonations as believable as possible. 

In this case, the attacker can find a press release announcing Dorling Clayton's work with SoBank on a joint venture with another company. From there, they can track down Laura and Tom on LinkedIn and on their company websites, which also provides a photo of Tom to use in the email spoof. A quick look at Tom's Twitter profile, too, reveals a post about his upcoming talk at Finance2020, including the date and time, which will add credibility to the message. The upcoming talk adds a sense of urgency to the email, a proven technique for getting the target to take action. 

Spoofing Tom's email address is also relatively easy for the hacker to do. DMARC is an email authentication technique that verifies who is allowed to send emails on behalf of a domain. The thing is, not many businesses actually have DMARC in place. It's estimated that 80% of company Web domains don't use email authentication. All the attacker has to do is verify whether or not Dorling Clayton has DMARC in place. And luckily for them, the firm does not. 

This means the hacker can send an email from dorlingclayton.com and legacy security tools won't be able to detect it. Legacy systems also only look for display name impersonations of people within a company's own organization, which can be circumvented by impersonating an external contact.

Humans Are Our Most Vulnerable Layer of Security
According to Symantec, there are 135 million phishing attacks attempted every day — and when they're successful, they can be devastating to a business and can risk both money and sensitive information. Today, for example, the average cost of a data breach is around $3.92 million in the US. 

One major part of the problem is that businesses have predominantly focused on protecting machines but have neglected an essential element: the people who use them. People now spend 28% of their time reading and answering emails each workday. It's their main channel of communication but it's also one of the riskiest platforms in business. On email, people can be duped into making fraudulent wire transfers like Laura, or they can accidentally email highly sensitive or confidential information to the wrong person.

People make mistakes, they break the rules and they can be hacked, which is why protecting people is much more challenging than protecting machines. Specifically, no two humans are the same. We make decisions based on psychological factors. Our connections and relationships are complex, they change over time, and we communicate in a variety of complicated and dynamic ways. This means that we can't secure people with the same "if-this-then-that" logic used to protect machines from malicious threats.

Businesses, therefore, need a new way of thinking to protect people and the ways they interact with networks, devices and databases. Securing the human layer requires advanced technology that can understand human behavior and relationships online to detect and prevent incidents of human error in the moment or block threats in real-time, without disrupting people's productivity. Security leaders must consider how to apply the same level of advanced technology and resources to protecting humans as they do to protecting the rest of the enterprise.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "This Is Not Your Father's Ransomware."

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-2196
PUBLISHED: 2020-06-03
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
CVE-2020-2197
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
CVE-2020-2198
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
CVE-2020-2199
PUBLISHED: 2020-06-03
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
CVE-2020-2200
PUBLISHED: 2020-06-03
Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.