Mitigating Phishing Threats

Posted by Mark Greisiger

A Q&A with Bob Bell and Luke Emrich of RSM US; Sudhir Bhatti of Symantec; and Ondrej Krehel of LIFARS

Once a crude way for hackers to gain access to sensitive data, phishing attempts have now become increasingly sophisticated and more commonplace. Most concerning, this attack vector relies almost completely on human error, making it a difficult challenge to stamp out. We spoke with several experts—Bob Bell and Luke Emrich of RSM US, Sudhir Bhatti of Symantec and Ondrej Krehel of LIFARS—about how organizations can better arm themselves to avoid phishing scams. Their recommendations fell into three basic categories: training, technology and a combination of training and monitoring.

  1. Training
    People are the “weakest link” in cybersecurity, says Bob Bell, which is why phishing attempts work so well. Whether it’s laziness, curiosity or simply gullibility, phishing preys on human characteristics. Employees should be made aware of what phishing attempts look like and how to avoid falling for them.

    “Train your employees to use common sense when receiving email messages. Even if you’re getting an email from someone you communicate with every day, you should be aware of what they’re asking you to do,” Emrich says. “Does the email look different? A red flag is any email that asks for your log-in credentials. If you get an email from Google or another major provider asking you to log in, don’t link from the email, but rather go to the website and log in from there.”

    Employees should do due diligence and call or email a company before simply sending sensitive information along. One way to immediately detect a potentially fraudulent email is to hover over a hyperlink to see if the URL is authentic. “You’ll find that often it’s a redirect,” Bell says.

    Another way some companies can train employees is to create internal tests to judge employees’ abilities to spot a fake. “The phishing test bakes some notification into the process that lets them know that they’ve passed or failed,” Emrich says. “You will want to retrain employees who fail because a mistake like this can cost the organization hundreds of thousands of dollars.”
  2. Technology
    While there are few (if any) technology solutions that are bulletproof, technology can mitigate phishing scams through linguistic, IP and SMTP scans. “Bulk detonation technology providers can help detect elements such as web links or attachments that signal malware,” says Krehel. “The software can vary in cost depending on the size of the business and whether it’s a cloud-based service.”

    Heuristic technologies can also determine whether emails contain malicious code, Bhatti says. Symantec’s Skeptic™ predictive technology performs email structure analysis to examine headers and attachments. “Skeptic™ can detect that malware authors are reusing portions of their own code or infection techniques across new and different malware,” he says.
  3. Combining Technology and Monitoring
    Another approach is to outsource protection with a vendor that provides a scanning service 24/7 while monitoring network traffic and incoming messages for suspicious activity. “If an organization is not very large they can hire a company that will combine the software and human monitoring to help shield against phishing attempts,” Krehel says. “Ultimately, though, the human component in terms of training employees is important because simply relying on technology alone is probably not going to be enough.”

In summary…
We want to thank these gentlemen for their expert insights into the challenges of combating phishing attacks/exploits. Duped employees often provide a toehold into a corporate network that a hacker can then mine for sensitive data. The NetDiligence annual Cyber Claims Study continues to show that phishing is a leading cause of loss for many data breach claims paid out by the insurance industry. Daily vigilance can help mitigate the exposure – per the recommendations above – but realistically, with the number of system dependencies growing (employees; outsourcing to third-party vendors), we expect phishing will be a constant peril to manage.
Note: Check out the new PhishFight™ section in your insurer’s eRiskHub® portal to learn more about phishing exploits or find vendors that can help test and train your staff on phishing.