Email phishing has remained one of the most popular ways to trick people out of their money since the days of false Nigerian princes, who claimed they would share their inheritance with random strangers in a foreign land if those strangers could just do them the one small favor of helping to access the funds.
Of course, everybody knows those weren’t real Nigerian princes; few would be naïve enough to fall for such a trick today. But as email users have grown more savvy, so have the bad guys behind those fraudulent emails.
It’s all very professional these days, says Rohyt Belani, CEO of Cofense, a cybersecurity provider that was just acquired by a private equity consortium and changed its name from PhishMe. The consortium will furnish additional backing for further innovation to keep up with these ever-evolving malicious actors, said Belani – innovation both organic and inorganic.
“PhishMe was founded to challenge the cliché – human is the weakest link,” Belani said in a press release announcing the acquisition. Employees, he said, can not only “be conditioned to be less susceptible to cyberattacks, but in fact can be turned into sensors of such attacks that provide very timely intelligence.”
Phishing Then vs. Now
Once upon a time, said Belani, malicious actors worked solo. Now, however, many attacks are coming from nation states. The sophistication and logistics that go into fraud campaigns show that these are massive operations, criminal rings with extensive resources.
“Even if you’re a Fortune 50 company, you’re up against a nation,” said Belani. “The only way to stand up to it is if we all collaborate in defense.”
Belani noted that today’s phishing emails are far more sophisticated than they used to be, relying on tactics like social engineering that make these messages appear to come from a legitimate sender who is known by the recipient.
The people behind these attacks may have studied past email conversations in order to adopt the sender’s mode of speech and mannerisms. The malicious emails originate from domains that, at first glance, appear to be trustworthy – but upon closer scrutiny, they are perhaps off by one letter, or have swapped a character for a visually identical look-alike that the human eye would not notice.
Malicious actors also put their attacks through a quality assurance process, trying them against any and all types of defenses to see where they get in before launching a real attack against their true target.
All of this adds up to malicious emails that are able to find their way into inboxes despite an organization’s best protections. That’s why Belani said people must form a second line of defense.
“We replicate what we see in the physical world of law enforcement and intelligence,” Belani said. “If you see something, say something.”
The Human Element
There’s no doubt that technology has a place in this fight, said Belani – it’s not a choice between human and machine defenses, but a blend of both that will keep organizations safest.
It is true that mature organizations follow some best practices when it comes to tech-powered defenses.
For instance, many implement Sender Policy Framework (SPF): when an email arrives claiming to be from a given organization, the receiving system looks up that organization’s published SPF record to determine whether the sending mail server is authorized to send on the domain’s behalf. This blocks emails that forge the sender’s domain.
Furthermore, a computer can identify when, say, a Latin “O” has been replaced with the visually identical Cyrillic letter, where the human eye would slide right over it. The system can then easily recognize that the email originated from a look-alike domain.
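The two look-alike checks the article describes, a domain that is off by one letter and a domain with a character swapped for a visually identical one from another alphabet, as an added example in Python (not Cofense’s code); the trusted-domain allowlist and sample sender domains are constructed:

```python
import unicodedata

# Constructed allowlist of the organization's own domains (example values, not real ones).
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

def to_unicode(domain: str) -> str:
    """Decode a Punycode (xn--) domain to its Unicode form; pass Unicode input through."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain

def script_of(ch: str) -> str:
    """Unicode script family of a letter, taken from its character name ('LATIN', 'CYRILLIC')."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else ""

def mixed_script(label: str) -> bool:
    """True when one domain label mixes alphabets, e.g. Latin 'example' with a Cyrillic 'о' swapped in."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain: str) -> str:
    """Classify the domain part of a From: address as
    'trusted', 'homoglyph' (mixed alphabets), 'lookalike' (one edit away) or 'unknown'."""
    domain = to_unicode(domain.strip().lower())
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(mixed_script(label) for label in domain.split(".")):
        return "homoglyph"
    if any(edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for d in ["example.com", "examp1e.com", "ex\u0430mple.com", "unrelated.org"]:
        print(f"{d!r}: {classify_sender_domain(d)}")
```

The mixed-script test only catches a single substituted character; a domain written entirely in another alphabet would need a per-character confusables table instead.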
However, Belani said it’s all about human-assisted artificial intelligence (AI). Humans have an important role to play, he said, because to AI, an email either is or isn’t malicious – but people will react differently to the same email. So, while one may whitelist it, another may be skeptical, and the second recipient’s resilience can counterbalance the first recipient’s susceptibility.
The reality is that sometimes tech defenses miss things. Within organizations that Cofense has trained to identify and report suspicious emails, Belani said that 8 to 9 percent of the reported emails turn out to be malicious. That’s 8 to 9 percent that thwarted every defense at the perimeter and every mail server security check.
It was only the human element that stopped them.