“We had an email to our CFO claiming to be from our CEO, which asked for money to be wired, but thankfully our CFO is well versed and knew it was not from Rohyt: he never asked for money via email, and it had typos and was from the wrong mobile operating system!”
PhishMe COO Jim Hansen said that this email landed with the CEO and, with strong experience of what works as a phishing campaign, the company turned it around and played along with the phisher: the incident response director sent a phishing email back claiming to be from a clearing house. “The phisher clicked the link and we got the IP address of the compromised server,” he said. “But he came back three more times and eventually got tired, and the last email we sent to him was with a link back to our blog.”
This year GetSafeOnline reported that phishing is up 21%, one company was reported to have lost $100m to email fraud, and “whaling” has become more and more of a concern for businesses, particularly as scammers dupe employees by pretending to be senior management.
Hansen said that the problem in 2016 is that we are still having the same discussion we have always had: for the last 20-25 years the industry has focused on boxes and next-generation boxes without waking up to the fact that this is not working; they stop some of it, but not all.
So why are businesses falling victim to simple scams like this? “It sounds like classic IT security stuff, but we have neglected people for 20 years and need to get them in the game,” he said. “From a society point of view, this is about doing things faster and not taking care, but no one is perfect as even Steve Jobs fell for it. Everyone has an off day and we have customers who use a product and drive failure down below 10%.”
Hansen said that PhishMe prefers to call the problem “business email compromise”, and it is a serious one: two organizations lost $40m each because someone sent them an email asking them to wire the money out. “The sad part is there is no malware and no dodgy links, nothing except the context of the email,” he said.
“Take the Nigerian Prince and add 20% to it, and there is nothing more to it. So it comes back to that same argument, day in, day out: we talk about inoculating people, and some get the virus, but you hope that those you inoculate become self-reporters, and can report and kill it.”
Alternatively, what if the request for money is genuine? Hansen said that organizations should ask whether they can cross-check a request the CEO might plausibly make, how they would handle it, and, if it is abnormal, how they would detect it. “The scale may be different, but the problem remains the same: if he needs money wired, you need to take a minute to check that it is genuine.”
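The tells in the opening anecdote (a wire request arriving by email, typos, a “Sent from” line from the wrong mobile operating system) and Hansen’s question of how an abnormal request is detected can be expressed as a context check on the message itself, since, as he notes, there is no malware or link to scan for. The Python below is an added example written for this page, not PhishMe’s code or product logic; the executive directory, the corporate domain, the keyword list and both sample messages are constructed for illustration.

```python
"""Context checks for business email compromise (BEC) on a raw message.

Added example, not code from the original article. All names, domains and
messages below are constructed; adapt the directory to your own executives.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> the domain the executive really
# sends from and the device signature their real mail client appends.
EXECUTIVES = {
    "jane example": {"domain": "example.com", "sent_from": "Sent from my iPhone"},
}

# Words that, in a message "from" an executive, warrant an out-of-band check.
WIRE_KEYWORDS = ("wire", "transfer", "urgent", "confidential", "payment")
SENT_FROM_RE = re.compile(r"^Sent from my .+$", re.IGNORECASE | re.MULTILINE)


def _body_text(msg):
    """Return the first text/plain body of a parsed message as a string."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(errors="replace")
        return ""
    return msg.get_payload(decode=True).decode(errors="replace")


def bec_indicators(raw_message):
    """Return a list of human-readable BEC indicators found in raw_message.

    An empty list means no context check fired. A non-empty list is a reason
    to verify the request with the sender by phone or in person before acting.
    """
    msg = message_from_string(raw_message)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    profile = EXECUTIVES.get(display_name.strip().lower())
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. Executive's display name, but the address is not on the corporate domain.
    if profile and from_domain != profile["domain"]:
        indicators.append(f"exec display name but external domain: {from_domain}")

    # 2. Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"Reply-To differs from From: {reply_to}")

    # 3. Device signature does not match the client this executive really uses.
    body = _body_text(msg)
    sig = SENT_FROM_RE.search(body)
    if profile and sig and sig.group(0).strip().lower() != profile["sent_from"].lower():
        indicators.append(f"unexpected device signature: {sig.group(0).strip()}")

    # 4. Wire-transfer or urgency language in subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(k for k in WIRE_KEYWORDS if k in text)
    if hits:
        indicators.append("wire/urgency language: " + ", ".join(hits))

    return indicators


# Constructed sample: lookalike domain, hidden Reply-To, wrong device, wire ask.
SAMPLE_BEC = """\
From: Jane Example <jane.example@examp1e.com>
Reply-To: jane.example.ceo@mail.example
To: cfo@example.com
Subject: Urgent wire

Are you at your desk? I need a wire sent today for an aquisition, its confidential.
Let me know and I will send the details.

Sent from my Android phone
"""

# Constructed sample: genuine internal mail from the same executive.
SAMPLE_LEGIT = """\
From: Jane Example <jane.example@example.com>
To: cfo@example.com
Subject: Board slides

Attached are the slides for Thursday. Comments welcome.

Sent from my iPhone
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

Each check is cheap and operates only on the context Hansen describes, so a non-empty result is not a verdict but the trigger for the cross-check he recommends: pick up the phone to the executive before any money moves. The keyword list and device signatures will need tuning per organization; a sender-domain mismatch and a divergent Reply-To are the two indicators that rarely appear in legitimate internal mail.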
So what is the answer? Hansen recommended flipping the usual answer, which is that the “system is great, but better without people on it”. He argued that people are not the problem; they are the answer.
“People are smart, but let’s turn the game on its head and admit we’ll never get to perfection, but take 100 people who work on a floor: if you get one to report something suspicious, we can win if we act on it.”
Hansen was keen to promote the concept of crowd-sourced threat intelligence: if someone is better than others at spotting and reporting an email as a phish, the response team can act on that person’s reports, as they are usually right.
“You’ll never prevent infection, but if you work on closing a door to a breach, you have got the advantage and are extending the message on phishing,” he said.
Brian Krebs reported that the FBI has warned of a “dramatic” increase in so-called “CEO fraud,” and estimates that these scams have cost organizations more than $2.3 billion over the past three years. So is the weakest link the top guy? Hansen said that executives are more exposed as the face of the company, but their level of knowledge of the problem is astronomical.
“Phishing detection has gone from ‘nice to have’ to ‘what do you mean you’re not doing that?’” he said. “We are all susceptible to something targeted, and everybody has the potential for falling for something, but the trick is that if the three C-level members are targeted and one of us reports it, that is the answer, and not everyone has a bad day on the same day.”
“CEOs are certainly targeted, and that makes a better story but are they the only ones targeted? Of course not, but it just makes a better story.”