Unusual wording
But not necessarily wrong
Oxford Dictionary: sharpen (a blade), refine or perfect (something) over a period of time.
Based on the premise that the scammers are steadily 'improving' their attacks, they are indeed 'honing' them in.
Cybercrims are ramping up their efforts to target employees through fraudulent email and social media scams, according to a new study by email security firm Proofpoint. Retailers and government agencies saw huge quarter-on-quarter increases in email fraud attempts in calendar Q2, with attacks per company and agency soaring 91 …
Your office soccer team (imagine you have one, any other team sport will do) gets a game against a top professional team. They get thrashed. Management decides awareness of the rules will help and the whole office gets training. There is a rematch with the office team. They get thrashed. The office team is taken to one side and given two days intensive awareness of the rules and tactics before another match. They get thrashed.
So it is with security.
The security industry has realised that the People side of the process hasn't really been fully milked yet and the technology snake oil is starting to wear thin. So this is where the new focus is.
The office team will never beat the professionals. You have to change the rules to do that. But organisations don't have the balls to change the rules. Restrict Internet access for example, only allow business emails, segregate areas of the business that need unfiltered interactions... All technically possible. Then look explicitly at how Process and Technology failures can impact you and implement countermeasures.
Don't put the weakest link on the front line.
Your example is, at best, about one-quarter right.
It's not a game like football. It's more like a siege on a castle. The defenders don't know when or how the attack is coming, but they have walls. And a hundred other technologies carefully designed and implemented to thwart attacks.
And some idiot keeps raising the front gate for every joker that comes along with a line.
Yes, the attackers have some advantages. But checking the domain name of the sender BY ITSELF is 99.99% of my spam.
@Claptrap.
Let's look at some of the things the 'top professional team' will do.
* Originate emails from compromised accounts. The sender information is completely valid and if the address book and Inbox/Outbox are used to select recipients they are used to receiving emails from the compromised sender. Going a step further, they may be used to receiving emails with links from the trusted (but compromised) sender.
* Use a valid domain where the domain owner has not implemented any countermeasures such as SPF or DMARC. A major bank had such a domain, it was regularly used for phishing attacks, they never used the domain for customer emails but the customers didn't know that.
* Use non-standard email headers to trick the email client into presenting an external email exactly as if it had been sent internally. The displayed From address is a valid internal address, all adornments applied to internal emails are present, visually perfect.
* Time emails so that they get into the recipient's Inbox at the start of local business hours. They get actioned quickly when the user starts work. Volume sent is small to make them harder to detect, 10 or 12 is enough.
* Use information gleaned from the Internet to make the Subject and content more convincing. An online job ad was used to provide context in one case, anything out there will be used against you.
This is just a small sample. The top teams are highly skilled and they will take care in their targeted attacks. Your walls don't really exist. The recipients, the users, are way out of their depth.
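As an added illustration of the header-level checks a mail gateway can apply against the tricks listed above (this is example code, not from any commenter or from Proofpoint): it parses a raw message, reads the Authentication-Results header the receiving MTA stamped on it, compares the From, Reply-To and display-name domains, and looks up the sender domain's DMARC policy to catch the "valid domain with no countermeasures" case. The internal domain example.com, the DMARC_TXT table (a stand-in for real DNS lookups of _dmarc.<domain>) and the sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own domain

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; None = no record published.
DMARC_TXT = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "promo-bank.example": None,            # real domain, never protected (the bank case above)
    "attacker.example": "v=DMARC1; p=none",  # record exists but enforces nothing
}


def parse_auth_results(value):
    """Turn 'authserv-id; spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail'}."""
    results = {}
    for clause in value.split(";")[1:]:          # first clause is the authserv-id, skip it
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if there is no valid record."""
    if not record:
        return None
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None


def domain_of(address):
    """Domain part of an address-like string, lower-cased ('' if no @)."""
    return address.rpartition("@")[2].strip().lower()


def triage(raw_message):
    """Return a list of findings for a raw RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # A From address that looks internal must also have authenticated as internal.
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("internal From address but DMARC did not pass")

    # Replies are steered to a different domain than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # Display name carries an address whose domain differs from the real sender domain.
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append("display name embeds an address from another domain")

    # External sender: does the domain owner enforce anything via DMARC?
    if from_domain != INTERNAL_DOMAIN:
        p = dmarc_policy(DMARC_TXT.get(from_domain))
        if p is None:
            findings.append(f"sender domain {from_domain} publishes no DMARC record")
        elif p == "none":
            findings.append(f"sender domain {from_domain} has DMARC p=none (monitor only)")

    return findings


# Constructed sample messages (headers only matter for this check).
SPOOFED_INTERNAL = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@promo-bank.example
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example.com
Subject: Password expiry

Please re-validate your credentials at the link below.
"""

LEGIT_INTERNAL = """\
From: "Payroll" <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Payslips

Your payslip is attached.
"""

UNPROTECTED_EXTERNAL = """\
From: "Accounts" <billing@promo-bank.example>
Authentication-Results: mx.example.com; spf=none; dkim=none; dmarc=none
Subject: Overdue invoice

Please settle the attached invoice.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_INTERNAL), ("legit", LEGIT_INTERNAL), ("unprotected", UNPROTECTED_EXTERNAL)]:
        print(name, triage(raw) or ["clean"])
```

The check on the Authentication-Results header is only meaningful if the gateway strips any copy of that header arriving from outside and stamps its own; otherwise an attacker can supply a forged "dmarc=pass" just as easily as the non-standard headers mentioned above.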
I pay attention. I am aware of the things you mentioned. But I reject your claim that these things are entirely indefensible. For instance, if a client can mis-represent the origin of a message, it should never be considered for use. (Outlook, IE...)
Likewise, there are only a handful of accounts that have any business need to access a bank. "Everyone" has smart phones. If they need to conduct personal business, do it on personal systems.
And so forth. No system is perfect. Security is not free. Businesses need to be rational about their costs, pay for the security that they want. That includes regular paranoia training.