When you have ransomware, cryptocurrency miners, and polymorphic malware to battle, it’s easy to put phishing education on the back burner. In fact, a new study shows that 95 percent of IT professionals underestimate its impact and fail to adjust security accordingly.
Phishing is a relatively low-tech tool in the arsenal of internet bad actors. It has been devastatingly effective, though, compromising retailers and even interfering with the 2016 United States Presidential campaign.
While users have become savvier on how to avoid the attacks, even with the increased publicity, phishers are not hanging up their phishing poles. Instead, they are simply evolving their techniques and the problem is getting worse; phishing attacks are up by 297 percent in the U.S. this year. Phishing may seem like a problem for the home computer, but it can also be an entryway into an otherwise protected network. MSPs can’t just have a strict patching regime and think the threat is contained; they need to act.
Spear phishing goes local
From artificial intelligence to cloud-based attacks, there are more and more tools for phishers to use for scamming victims. Spear phishing is the practice of targeting a specific individual, but even that is evolving. There are increasing incidents of “hyper-targeted spear-phishing” that go retro, and use old-fashioned tools like snail mail and the telephone. Imagine getting a call from a spoofed phone number that matches that of your local credit union or bank and being coaxed into sharing your personal data. It’s been happening all across the U.S. this year. Tech writer Matt Haughey recently got caught in one and told his story to Krebs on Security.
Meanwhile, a report just released by the Office of the Australian Information Commissioner found that half of data breaches “Down Under” originate from phishing.
In another sign of evolving technique, Security Channel News reports that instead of traditional email-based phishing, criminals are requesting that individuals provide API access to their Gmail and G Suite accounts, enabling them to access all data in a user’s account.
For one phishing expert, though, phishing isn’t growing more sophisticated as much as it is being co-opted by new technology. “I’m not sure that the attacks themselves are any more sophisticated than they have ever been. I think the problem is new technology paired with the gullible user,” says Mahesh Tripunitara, professor in the Department of Electrical and Computer Engineering at the University of Waterloo in Ontario, Canada. Prior to joining the faculty at the university, Tripunitara worked as a principal staff researcher in the Security and Privacy Technology division at Motorola’s corporate R&D Lab.
The pairing of gullibility and technology is proving troublesome, Tripunitara says. For example, mobile devices that are used as payment platforms can cause problems even as their convenience grows.
“I think most security folks would caution against (using your device for payment). Given the complexity of the hardware-software stack, the countless vulnerabilities that have been reported for such devices, and the relative immaturity of the trust models,” Tripunitara says.
MSPs as teachers
The single best weapon MSPs have against phishing is education. MSPs should prioritize strong patching regimes, multifactor authentication, and mail filters that reduce the chances of certain categories of messages, or messages laden with phishing-related terms, getting through. However, the most important precaution is to simply raise awareness with your customers’ employees.
“The weakest link when it comes to phishing is the gullible user,” Tripunitara says, adding that it is crucial to provide one’s users with simple, common sense best practices.
A representative from your MSP needs to partner with someone on your client’s staff and gather everyone for a “how to avoid phishing” refresher. Hand out paperwork with easy-to-digest instructions and keep a copy at each terminal. Have fun with it, like contests for the employee who catches the most phishing attempts. If employees alert the MSP liaison on staff about phishing attempts, you can coordinate a personalized response and retune the filters.
“It’s imperative to provide one’s users with simple, common sense best practices. And given the relative lack of sophistication in phishing attacks, I don’t think it takes much to raise the bar sufficiently on the attacker,” Tripunitara says. That’s the good news.
“Tip of the iceberg”
Given all the educational efforts out there to keep people from opening suspicious emails, downloading cute videos of squirrels doing backflips, or re-entering account information requested by the “bank”, you’d think phishing has peaked, but Tripunitara doesn’t think so.
“Phishing is absolutely going to explode. I don’t think we’ve seen the end of it, not nearly. I think phishing via mobile phones, for example, is really at the tip of the iceberg,” Tripunitara says. While he doesn’t have the research to back it up, he speculates that the effectiveness of phone phishing comes down to how people “feel” about their mobile devices. “Folks tend to somehow trust phone calls more when it’s to their mobile device,” Tripunitara shares.
Phishing’s international dimensions also make it difficult to stop. “Canadians are being phished from India, for example. And the only way I can think of for Canadians to protect themselves is to educate themselves,” Tripunitara says. For example, the Canada Revenue Agency (counterpart of the IRS) does not contact individuals in the same manner that phishers do. Similar phishing attempts are appearing under the banner of the IRS in the United States.
As the holiday season approaches, staffers using work computers to shop for gifts are probably inviting more phishing attempts. So perhaps before taking off is a good time to schedule that “phishing refresher.”
Photo: wk1003mike / Shutterstock.