So long – and thanks for all the phish

While messaging apps, social media, fake websites and phone calls can all be used to carry out phishing attacks, in the business world, fake emails are the most common and dangerous method. The wave of mass-mailing phishing attempts appears to be subsiding but that doesn’t mean business and IT managers can allow themselves to …

  1. Pete 2 Silver badge

    The (traditional) three questions

    Things like response plans are laudable, but security is like any other company process. It will always be subject to executive scrutiny. That will involve providing adequate answers to at least these three questions:

    1.) What is the company's legal / commercial obligation?

    2.) What will it cost?

    3.) How much will it save?

    And I would suggest that one of the barriers against widespread adoption of additional anti-phishing measures is a failure to address those points.

    The first one is the easiest. It is probably the only one that has a clearly defined response. Depending on the details of the company, the sort of data it handles and the markets it operates in, demonstrating a requirement to comply with some sort of "best practice" or regulatory requirement could be enough to carry the day.

    If you have to rely on a financial argument, the problem becomes a lot trickier. Especially since those costs and savings can be easily measured.

  2. Steve Davies 3 Silver badge
    Mushroom

    Phishing Emails

    The number of companies that have no way of accepting phishing reports supposedly made by them is staggeringly large.

    Many don't have an email account to receive them.

    How hard is it to have an account called phishing@megacorp.com?

    Sage is just one of them.

    Being a (sometimes) diligent sort of person, I tried this with one company. phishing@xxxx bounced.

    So I sent it to support@xxxx.

    I got an email back asking for my customer number.

    Errr..... Doh....WTF.... I'm not a customer (which was clearly stated in the email).

    I replied stating that the original email was a phishing one that said that I owed them $73,490.45. You can guess the rest.

    The company just ignored the thing. They obviously don't care.

    I won't name them because they are well known for being litigation happy. Sue first and don't ask questions.

    Barstewards the lot of them.

    See Icon for what I hope happens to these companies.

    1. DropBear
      WTF?

      Re: Phishing Emails

      Maybe I'm getting something wrong here, but considering that phishing emails coming "from" so-and-so are by definition SPOOFED, as in their alleged source has nothing whatsoever to do with them, what exactly would you expect such a company to do? Complain to the UN that they are being impersonated by Does and demand the carpet-bombing of Nigeria or what?

      1. Anonymous Coward
        Anonymous Coward

        Not just 'Phishing Emails' - Corporations have no in-tray even for Regulators

        https://www.bloomberg.com/news/articles/2017-10-20/pesky-spam-filter-is-behind-taser-maker-ghosting-the-sec

        Taser Company Ignored SEC Emails Because They Were In a Spam Folder - Check your spam box. It could be the SEC. That’s the lesson learned this week by Axon Enterprise Inc., the company best known for its Taser stun guns. Axon announced that “due to miscommunication issues,” the company has just become aware of SEC requests regarding its previous financial reports and is now scrambling to respond. The stock fell as much as 7 percent, its biggest drop in more than two months. What happened? Axon’s internal email filters are to blame. The SEC sent its initial comment on Aug. 10 and follow-up requests only to Axon’s new CFO Jawad Ahsan, and they were quarantined in a spam filter.

        1. Florida1920

          Re: Not just 'Phishing Emails' - Corporations have no in-tray even for Regulators

          Ignored SEC Emails
          Good grief, SEC is using email for this level of inquiry? They should be using Certified postal mail at least, so there's a trail. There is a bit of humor in the fact that a USG agency looked like a spammer, though!

      2. Darth Poundshop
        Unhappy

        Re: Phishing Emails

        The theory, at least in part, is that we collect phishing emails to try and monitor the volumes or patterns of attacks, whether any particular person or department is being targeted, whether there is any useful information in the headers (e.g. one time we were able to let an IT company know that one of their servers had been compromised) and pass the information to the police as evidence. Also, we can use the email dialogues, between scammer and victim, in our training.

        Of course, this being a department within a well known public body, where IT Managers are not chosen either by IT expertise or management skills, the above theory and actual practice seldom coincide.

  3. Pascal Monett Silver badge
    Coat

    "lawyers [..] are often used to craft a spear-phishing attack"

    I'm supposing they know what they are participating in.

    I'm also supposing that, if one is caught, he will hopefully be disbarred.

    Then again, I'm also hoping to win the lottery, so . . . I probably have better chances.

  4. VinceH

    Optional

    "A typical spear-phishing attack plays out like this: when the time is right a maliciously crafted email is sent to the victim. The fraudsters spoof a familiar trustworthy account, belonging for example to an executive, senior manager or supplier, and instruct the recipient, such as a finance officer or accounts clerk, to carry out some routine financial transaction."

    For one of my client companies I (and a couple of the directors) get something quite regularly - and I had a good example only a few days ago: An email claiming to be from one of the directors, saying he needs me to set up a CHAPS payment.

    When any of us get one of these emails purporting to be from one of the directors, it's always when that particular director is on holiday - so the perpetrator knows that much, at least.

    1. Anonymous Coward
      Devil

      "that particular director is on holiday - so the perpetrator knows that much"

      Facebook? <G>

      1. VinceH

        Re: "that particular director is on holiday - so the perpetrator knows that much"

        That's always possible - I know that director is on Facebook. It sometimes happens when another director is away as well, and I expect he's also on Facebook.

        However, the opening wording of the email I received this week is making me think the knowledge is coming from meatspace. I'm not there every day, but most of the time my days are fairly regular - except the last couple of weeks when I've been there very infrequently.

        The email opened up with "Are you available".

        I doubt if the director has mentioned my schedule on Facebook, so my sneaking suspicion is that it may be someone working on the same trading estate who sees me coming and going, and isn't sure when I am/am not going to be there.

  5. Christoph

    "Consider the use of digital signatures for executives using email"

    Impose the use of digital signatures for executives as standard operating procedure. Set it up so it's easy for them to use and they can't get round it. They are perfectly free to complain about this as long as each such complaint is accompanied by a copy of the keys and access codes to their house.

    1. Charles 9

      How do you go about enforcing such a policy, however, given that executives, by definition, are already at or near the top of the business structure? IOW, they're the ones usually setting terms in the first place.

      1. Florida1920

        How do you go about enforcing such a policy?

        Hire Simon!

      2. Christoph

        Yes, you have to convert the Big Boss. Hand him a list of all the losses, reputation damage, fines, resignations etc. directly due to phishing. Make a clear record that you have done so. Wait for the fewmets to hit the windmill, then try again with the next Big Boss having added that one to the list.

  6. Anonymous Coward
    Anonymous Coward

    educating NOT

    experience from a friend in a LARGE (and "reputable") organization: he gets those e-mails addressed to a (real) person in a partner organization, with a link to an invoice, or such hook. Once he did bother to contact that (real) person to point out s/he is being speared (with hundreds of others). No response. OK, the IT support in that organization (what was he thinking?!). No response. His own IT support then... No response. And in casual conversation in his workplace, people were astonished that such benign e-mail was actually a phishing attempt, no way man! And, given human nature (curious monkeys, them humans), and level of stress at work, when you have to deal with dozens of e-mails an hour, he was quite sure most of his co-workers would have clicked such a link. No invoice opens? Oh, well, never mind, NEXT email. So yeah, phishing works and will continue to work, because entry-point education is not applied, and even if it is applied, it's done as No 374 of the 665753 of jobs people have to do, so "tick!" and they promptly forget about it, and next month they click on a crafted link again...

  7. Chairman of the Bored
    Pint

    Article is meh, but the title is outstanding

    Have a pint.

    The only point I will make is that an organization is only as crafty as its stupidest executive. And boy do I have some great Peter Principle-compliant examples...

  8. Commswonk
    Facepalm

    A Fool and his Money..?

    I am astonished that any company would pay an invoice / bill / other demand without checking that the item(s) or service(s) for which payment is being sought were (a) ordered (against a verifiable order number) and (b) delivered (accompanied by a delivery / completion note).

    Places where I have worked had proper "chains of evidence" (yeah OK it's paperwork!) so that purchases are properly authorised and delivery confirmed and an invoice checked against them before anyone could authorise payment.

    Have businesses become so sloppy that even basic common sense has been eradicated from their internal processes? I suspect I might know the answer...

    1. Mark 85

      Re: A Fool and his Money..?

      Have businesses become so sloppy that even basic common sense has been eradicated from their internal processes? I suspect I might know the answer...

      Yes, you are correct. With "downsizing" and dumping the workload on temps, outsourced people, etc., and the workload doesn't go down just because you fired some bodies... It's obvious.

  9. Anonymous Coward
    Anonymous Coward

    SPF, DKIM, DMARC...

    What about telling which servers can send legitimate emails? And mark at least everything else as a suspicious message?

    1. dtweney

      Re: SPF, DKIM, DMARC...

      Very good point. This article spends a lot of time on training users but doesn't even mention the available technologies for authenticating emails and preventing spoofing.

  10. a_yank_lurker

    Missing something

    There seems to be something missing - robust internal procedures for paying invoices, setting up bank accounts, etc. might be more valuable. What strikes me is that most phishing attacks seem to take advantage of less than robust internal procedures. For example, paying an invoice is not done to a link in an email but via the payment system directly to a known, valid account. Also, all invoices must reference an internal authorization code that is verified before paying. It sounds as if the backend processes are in poor shape.

    1. Commswonk

      Re: Missing something

      @ a_yank_lurker: See my posting two above yours at the time of writing. Did you read the previous comments before sending your own?

  11. dtweney

    Too much emphasis on training, not enough on blocking spoofs

    Training is important, but I'm surprised this article didn't address email authentication (via SPF, DKIM, and DMARC), which can prevent spoofed emails from reaching people at all.

    Of course, you can't control whether your business partners, customers, suppliers etc are using email authentication. But you can filter or flag inbound email based on whether it's authenticated.

  12. Doctor Syntax Silver badge

    "This Temperature Check of 330 IT professionals"

    Trying to find out if the bodies were still warm?

  13. Sigfried

    The trouble with DMARC and all such similar tools is that it is possible (if not necessarily easy) to spoof them as well. And not every sending organization has the correct setup, so manual intervention is needed.

    One thing though that tends to stop spear phishing in particular is a simple rule: any emails requesting payments or transfers MUST be verified personally with the requestee by a non-email channel. That's our rule, the request must be verified personally by meeting, phone call, or text.

    And user education isn't as hard as some think, though of course it may depend on the organization. Like anyone, we are of course vulnerable to a lapse, but our users are generally pretty good at reporting possible issues and at NOT clicking on links or attachments. Plus we aggressively filter at the gateway, and run an up-to-date AV. New versions of malware are always present and don't get detected, but that's what the email filtering is for, all executables of any sort are quarantined. Links are harder as they are tested but if not detected or flagged as malicious they can get through.

    1. Charles 9

      A spear-phisher may be willing to jump through the hoops, especially if posing as a DISTANT correspondent so a face-to-face meeting would be impractical.

    2. Anonymous Coward
      Anonymous Coward

      "The trouble with DMARC and all such similar tools,"...

      They are another layer of protection. They make it harder to spoof an email address and send it from any compromised machine. Without them, spoofing an email is far, far too easy, you just need a telnet client. If an organization is unable to set them up correctly, it needs to rethink its IT approach - it's clear it lacks adequate skills, or its IT service suppliers lack them, and it's time to find a better supplier.

      Then you'll need to add more layers, but it will also be easier to train users when most noise is blocked.

      Remember the kind of phishing luring people into transferring money is not done using malware - it's done using pure social engineering techniques, like the 409 scams. You should train people to spot unexpected behaviours, and also train executives to avoid acting outside of policies so unexpected behaviours are also the norm.

      Identifying mail not coming from legitimate servers is a first and useful step to make. And if you're in a position to do it, you should question your suppliers when they do not implement adequate, available protection. Large companies often vet the supply chain under many aspects - they should start to do so for security ones as well.

      It's quite stupid to lament how insecure the internet is, and then do nothing because skilled, knowledgeable personnel cost something more, and they trust the old admin who still lives in 1991... keep on losing money to crooks then - you're still paying more, just the wrong people.
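As an added illustration of the point dtweney and the comment above both make, that inbound mail can be filtered or flagged on whether it authenticates, here is a gateway-side check (example code written for this page, not from the thread or from The Register) that reads an Authentication-Results header, tests SPF and DKIM alignment against a DMARC record and returns the disposition the record asks for. The domains, header and DMARC record are constructed; the organisational-domain comparison uses the last two labels instead of the Public Suffix List, and the DMARC record is passed in rather than looked up in DNS.

```python
"""Flag inbound mail by DMARC alignment (added example, not from the thread).
Assumes the gateway already ran SPF/DKIM and wrote an RFC 8601 Authentication-Results
header; the DMARC record is passed in as a constructed string, not fetched from DNS."""
import re
from email.utils import parseaddr

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; adkim=s' into {'v': 'dmarc1', 'p': 'quarantine', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_header: str, auth_results: str, dmarc_record: str) -> str:
    """Return 'pass', or the record's p= action ('none' / 'quarantine' / 'reject')."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]          # the domain the recipient actually sees
    tags = parse_dmarc(dmarc_record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    # SPF only satisfies DMARC if the envelope-from (smtp.mailfrom) domain aligns with From:
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", auth_results)
    if spf and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, aspf):
        return "pass"
    # DKIM satisfies DMARC if any valid signature's d= domain aligns with From:
    for result, d in re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth_results):
        if result == "pass" and aligned(d, from_domain, adkim):
            return "pass"
    return tags.get("p", "none")

# Constructed sample: a 'CFO' spoof whose SPF pass is for the attacker's own domain only
SPOOF_FROM = "CFO <cfo@megacorp.example>"
SPOOF_AR = "mx.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none"
if __name__ == "__main__":
    print(dmarc_disposition(SPOOF_FROM, SPOOF_AR, "v=DMARC1; p=quarantine"))  # quarantine
```

The spoof in the sample passes SPF, but for attacker.example rather than the From: domain, which is exactly the case alignment exists to catch; a mail that only passes unaligned SPF or DKIM gets the record's policy action.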
