Phishing for Whales with Spears: How to Protect Yourself from Email-Based Attacks
While the bad guys only have to be successful one time, we have to be successful every time. There is good news though: There are things that firms can and should be doing to minimize their risk and increase the likelihood that an email breach will be stymied before it succeeds.
November 21, 2018 at 07:00 AM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
While most people like to think of themselves as email-savvy, email scammers are highly sophisticated and constantly evolve their methods to increase their success rates. Successful attacks include convincing innocent people to give up sensitive information or even actively transfer funds out of their organization. What you thought was protecting you in the past is likely no longer sufficient.
There's no question that email has revolutionized the way we operate; it's hard to imagine ever operating without the ease and speed of communication that email enables. Unfortunately, for all of its convenience, email has opened the door to serious security threats that include viruses, malware and fraud. Phishing scams have become a widespread problem — you'd be hard pressed to find anyone who hasn't been on the receiving end of a phishing attempt. Because email is something we all use every day, it's become a favorite tool for those who are looking to gain illegal access to our business systems and sensitive information.
It's vital to continuously adapt security measures as threats evolve. Failing to prevent a breach can be devastating to your firm's reputation and finances. While the bad guys only have to be successful one time, we have to be successful every time. There is good news though: There are things that firms can and should be doing to minimize their risk and increase the likelihood that an email breach will be stymied before it succeeds.
Defining the Attack
At their core, phishing scams are email attacks that attempt to steal sensitive information or obtain unauthorized access to systems. Attackers typically send out massive amounts of email, expecting only a small fraction of recipients to take the bait. Ordinarily, attackers pass themselves off as a person or entity known to and trusted by the recipient in order to trick the recipient into complying with the malicious request without question. The hope is that the email prompts the victim to click a link or log in to an account; the link leads to a webpage under the attacker's control that captures whatever credentials the victim types, and those credentials give the attacker illegal access.
Spear-phishing and whaling are more nuanced versions of this attack involving background research, preparation and a defined target. As opposed to a blanket phishing email campaign, spear-phishing is a more directed attack with the focus on one person or organization. Through a bit of due diligence the phisher tailors the attack to the intended recipient(s) in order to increase the likelihood of hooking someone. Often the email attack vector is supplemented with dummy webpages, email addresses and voicemail accounts. Whaling is the same concept, but the attacks are directed at CEOs or other C-suite members (or their support staff) with the intention of a bigger windfall.
It's tempting for small and midsize firms to believe that they're not big or important enough to be the victims of cyber attacks. In reality though, smaller firms are at no less risk than their larger counterparts. Phishing is a numbers game — attackers want to reach as many people as possible to improve their odds. It takes little effort on their part to send countless emails. Small and midsize firms can even be better targets because they often lack the budgets, infrastructure and training that the big firms have in place to defend against these attacks. In addition, smaller firms may be pursued if they service the actual intended targets of the cyber attack. It is important to keep in mind that attackers are looking for the weakest link; law firms and third-party vendors, without proper protective measures, are often just that.
What to Look For
Phishing scams are not always easy to spot, and attackers work diligently to fool us. One well-worn technique is to present the message as coming from a legitimate, known sender. Historically this meant forging the sender's address in the message header (not materially different from writing a false return address on a snail mail envelope). The ruse was easily revealed with a simple reply, which went to the genuine mailbox rather than to the attacker, so it only allowed for a single, one-way communication: either the recipient opened the infected attachment or clicked the link, or they didn't. Sender authentication standards (SPF, DKIM and DMARC) now let a receiving mail server reject messages that forge a domain whose owner publishes a reject policy, which is one reason attackers have moved on to the lookalike domains described next.
This has evolved into phishers using domain names that look like the impersonated party. For instance, in using www.BANKOFAMER1CA.com they are betting that most people are too busy to notice that the “I” in the address is actually a “1.” This concept has further evolved with spoofed addresses now almost impossible to distinguish from the real ones.
By taking advantage of Unicode, attackers can use homographs: domain names that look correct but are in fact composed of characters from other alphabets that happen to resemble Latin letters. For example, by substituting Cyrillic letters for some or all of the Latin ones, an attacker can register an address that appears to read www.chase.com but isn't. On the wire such a name is carried in its ASCII-compatible form (a label beginning with xn--), and most current browsers display a mixed-script label in that form rather than as the lookalike, but email clients, chat tools and older software may still render the deceptive version. When fake links become imperceptible, context and security measures are even more important.
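The two tricks above (a digit standing in for a letter, and Cyrillic letters standing in for Latin ones) can be caught by the same mechanism: map every character to the ASCII letter it imitates and compare the result against the brands you care about, while separately flagging any label that mixes scripts. The following script is an added illustration written for this article, not code from the author or from any product mentioned here. The lookalike table is a small constructed subset of Unicode's confusables data, the brand list is hypothetical, and the samples are constructed; it uses only the Python standard library.

```python
import unicodedata

# Constructed subset of lookalike characters, each mapped to the ASCII letter it
# imitates. Unicode's full confusables table is far larger; this is an
# illustration, not a complete list. The digit 1, Latin i, dotless i and Cyrillic i
# are deliberately collapsed into one class (as are 0 and o), because at a glance
# they are indistinguishable in most fonts, which is exactly the BANKOFAMER1CA trick.
SKELETON = {
    "1": "l", "i": "l", "\u0131": "l", "\u0456": "l",   # 1, i, dotless i, Cyrillic i
    "0": "o", "\u043e": "o",                            # 0, Cyrillic o
    "\u0430": "a", "\u0435": "e", "\u0440": "p",        # Cyrillic a, ie, er
    "\u0441": "c", "\u0443": "y", "\u0445": "x",        # Cyrillic es, u, ha
    "\u0455": "s", "\u0458": "j", "\u04bb": "h",        # Cyrillic dze, je, shha
    "\u0501": "d", "\u051b": "q", "\u051d": "w",        # Cyrillic komi de, qa, we
}


def script_of(ch):
    """Coarse script bucket taken from the Unicode character name.

    Digits, hyphens and anything without a script-prefixed name count as COMMON.
    """
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "COMMON"


def skeleton(name):
    """Replace every lookalike character with the ASCII letter it imitates."""
    return "".join(SKELETON.get(c, c) for c in name.lower())


def classify(domain, protected):
    """Analyse one host name against the brand domains the firm wants to protect.

    Returns the IDNA (Punycode) wire form, the skeleton used for matching, the
    brand it imitates (if any) and a list of human-readable findings.
    """
    host = domain.lower().rstrip(".")
    registrable = host[4:] if host.startswith("www.") else host
    findings = []

    # 1. A label that mixes scripts, or is entirely non-Latin while imitating a
    #    Latin brand, is the homograph signature.
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"label '{label}' is entirely {sorted(scripts)[0]}")

    # 2. The wire form of the name: anything non-ASCII becomes an xn-- label.
    #    That is the form a browser or mail gateway should show and log.
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        ascii_form = None
        findings.append(f"not a valid IDNA host name: {exc}")

    # 3. Skeleton comparison catches the Cyrillic substitution and the 1-for-I
    #    typosquat with one rule. An exact match with a brand is the real site.
    lookalike = None
    for brand in protected:
        brand = brand.lower()
        if registrable != brand and skeleton(registrable) == skeleton(brand):
            lookalike = brand
            findings.append(f"'{registrable}' is a lookalike of {brand}")
            break

    return {"host": host, "ascii": ascii_form, "skeleton": skeleton(registrable),
            "lookalike": lookalike, "findings": findings}


if __name__ == "__main__":
    brands = ["chase.com", "bankofamerica.com"]          # hypothetical watch list
    # Constructed samples: the second spells "chase" with Cyrillic es, a and ie.
    for sample in ("www.chase.com", "www.\u0441h\u0430s\u0435.com", "www.BANKOFAMER1CA.com"):
        print(classify(sample, brands))
```

The skeleton comparison is intentionally generous (it treats i, l and 1 as the same letter), so it will occasionally flag a legitimately different name; that is the right trade-off for a gateway or a link-hover check, where a false alarm costs a second look and a miss costs a credential.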
While it will never be possible to spot every advanced phishing scam that shows up in your inbox, there are certain signs or red flags that should set off alarms. Even little things like tone, spelling and grammar can tip you off to an email that isn't actually from the person claiming to be sending it. Attachments can also be a huge red flag — if this person never or only rarely sends you attachments and you're not expecting anything, ask some questions before clicking on anything. If an email seems out of context or has an unexpected sense of urgency, that's another good sign that something might be wrong. Phishers will often review the mailbox of a compromised account before crafting their next attack, and we have seen them hijack conversations mid-thread as they pivot onto their next target.
While your conversation may have been legitimate when it started, a sudden shift can indicate that it's been taken over by someone with nefarious intentions. Another sign is if the sender is suddenly traveling or too busy to communicate and directs you to deal with a third party.
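Several of the red flags above are visible in the message headers before anyone reads the body: a Reply-To that diverts answers elsewhere, an executive's display name on an outside address, a subject that claims to be a reply without the threading headers a real reply carries, an attachment from outside the firm, and the "traveling, can't talk, do it now" language. The script below is an added example written for this article, not code from the author or from any mail product; it parses two constructed messages with the Python standard library. The firm domain firm.example, the executive list and the phrase list are assumptions, and the sample messages are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the firm's own mail domain and the executives whose
# names an attacker would most like to borrow. Both are hypothetical.
INTERNAL_DOMAIN = "firm.example"
EXECUTIVES = {"jane doe"}
PRESSURE_PHRASES = ("urgent", "immediately", "before end of day",
                    "cannot talk", "traveling", "keep this confidential")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def red_flags(raw_message):
    """Return (code, detail) pairs for the warning signs in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # A Reply-To pointing somewhere other than the sender means your answer, and
    # the whole conversation that follows, goes to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(("reply_to_mismatch",
                      f"replies go to {domain_of(reply_addr)}, not {from_domain}"))

    # The display name is free text; a familiar name on an outside address is the
    # classic executive impersonation.
    if from_name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        flags.append(("external_impersonation", f"'{from_name}' sent from {from_domain}"))

    # Urgency and unavailability are the social pressure that makes people skip checks.
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hits = [p for p in PRESSURE_PHRASES if p in (subject + " " + body).lower()]
    if hits:
        flags.append(("pressure_language", ", ".join(hits)))

    # "Re:" with no In-Reply-To or References is a thread the sender only pretends
    # to be part of.
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append(("fake_reply", "subject says Re: but no In-Reply-To/References"))

    # An attachment from outside the firm deserves a question before a click.
    for part in msg.iter_attachments():
        if from_domain != INTERNAL_DOMAIN:
            flags.append(("external_attachment", part.get_filename() or "unnamed"))

    return flags


# Constructed sample: a whaling-style request. The "PDF" is a stub payload.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe.ceo@webmail.example.net>
Reply-To: jd.private@mailbox.example.org
To: controller@firm.example
Subject: Re: wire for closing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

I am traveling and cannot talk right now. Please send the wire immediately,
before end of day, and deal with our vendor's accountant on the details.

--b1
Content-Type: application/octet-stream; name="wire_instructions.pdf"
Content-Disposition: attachment; filename="wire_instructions.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: an ordinary internal reply with proper threading headers.
BENIGN = """\
From: "Jane Doe" <jane.doe@firm.example>
To: controller@firm.example
Subject: Re: Q4 budget
In-Reply-To: <20181120.1@firm.example>
Content-Type: text/plain; charset="utf-8"

The numbers you sent look right to me, thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, red_flags(raw))
```

None of these checks is conclusive on its own (executives do travel, and some legitimate mailing systems set Reply-To), which is why the output is a list of reasons rather than a verdict; the point is to surface the signals so a person, or a mail filter, can ask the question before the wire goes out.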
How to Avoid a Breach
Even though attackers are constantly trying to find new ways around your defenses, those defenses need to be as secure and up-to-date as possible at all times. Every firm needs good perimeter defenses: all email traffic should be scanned and approved before entering the network to reduce the likelihood that phishing emails reach their recipients. Many modern email filters now rewrite links and replace attachments with placeholders so that each can be scanned in depth (typically by opening it in a sandbox), and the system can refuse access at click time if it later determines that the link or attachment is a threat.
In addition to this basic security requirement, firms should:
- Ensure that anti-malware and anti-virus software is a standard part of their infrastructure.
- Require strong, unique passwords for email accounts. Forced periodic password changes, once standard advice, are no longer recommended (NIST SP 800-63B advises against them unless there is evidence of compromise) because they tend to produce predictable variations of the old password; a password manager and multifactor authentication do more.
- Use two-factor or multifactor authentication to go a step further toward preventing hijacked email accounts due to compromised credentials. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys over SMS or emailed codes, which a real-time phishing page can relay to the genuine login.
- Implement mobile device management (MDM) to tighten control on devices and access.
- Implement browser controls so that browsers display internationalized domain names in their Punycode (xn--) form and call out links that use characters from other alphabets to spoof legitimate organizations.
- Implement advanced threat protection tools, such as those from Microsoft or Cisco, that scan links and attachments at delivery and again when they are opened.
- Consider implementing SIEM (security information and event management) and IDS/IPS (intrusion detection and prevention system) tools to help detect and prevent system intrusions by outsiders.
- Teach your employees what to look for and how to handle potentially suspicious emails.
Educated users make up the greatest tool you have in your arsenal for fending off phishing attacks. It is crucial to have annual training with frequent reminders of the seriousness of the threat and to update everyone on the newest scams being perpetrated. Teach your employees not to open attachments or click on links if they aren't part of an ongoing business endeavor. Teach them to be on the lookout for subtle signs that an email seems off and to thoroughly examine any email that requests something important.
Conclusion
Diligence is crucial to stopping cyber attacks before they start. Built-in tools can go a long way toward detecting spam, but tomorrow there will be a new trick and your employees are your first line of defense. For users to have a hope of spotting an attack, they need to understand the types of attacks, how they work and what the bad guys are trying to get at.
Cyber attackers are relentless with ever-changing strategies and attack methods. You may not be able to always stay ahead of the game, but that doesn't mean that you can't take significant steps to prevent attacks from succeeding. With the right combination of understanding, regular training and security countermeasures in your arsenal, you'll be prepared when an attack comes. Taking action today can prevent you from being the next cybersecurity victim tomorrow.
Eli Nussbaum is a managing director at Keno Kozie Associates. He joined the firm in 1998 as part of its Y2K audit team. Nussbaum then became a full-time engineer, holding every position within the department before taking on an account management role. During his tenure with Keno Kozie, Nussbaum has focused on physical, virtual and cloud infrastructure design and implementation for both infrastructure and client environments.