IMAGINE A SCENARIO in which a midlevel executive has been emailing her real estate agent about a transaction for weeks. In the final days of negotiation, the executive’s administrative assistant is expecting to deliver a down payment check, but at the last minute receives an email from his boss: “Change of plans; we’re not cutting a check,” she writes. “Instead, please wire the funds here”—and the email includes a link with directions for entering account details.
If the assistant does as the email instructs, he will have fallen victim to “spear phishing”: the message came from an attacker impersonating his boss, not from her. Although it’s not a new phenomenon, spear phishing is becoming an increasingly common type of attack.
Unlike broad phishing attacks that spam large recipient pools, spear phishing employs impersonation and targets specific individuals. “[The attackers] leverage authority and scarcity to get people to click,” sums up Diana Kelley, CTO of SecurityCurve, based in Rye, N.H. “They do a really good job of enticing us to click and respond.”
That’s because the “bad guys” are doing homework so they can tailor their attack to a specific person or organization, “tricking end users to hand over credentials to their email account or take some kind of action,” explains Chris Hamm, CTO of Premier One, a managed service provider based in Topeka, Kan.
Many initial spear phishing attacks begin with urgent notifications seemingly from trusted services, like Microsoft 365 or a routine file-sharing or document-signing platform. “With any of these cases,” Hamm says, “once the attacker can get a valid username and password, they’re going to log in directly.” The attacker may then read dozens of emails and devise a finely tuned spear phishing plot.
The types of attacks Hamm describes are becoming “far greater than SMBs’ ability to detect and respond,” says Ori Arbel, CTO of Israel-based Cyrebro, a cloud-based security operations center-as-a-service provider. As a result, he adds, the SMB market lags behind in addressing the threat.
Moreover, Arbel says the average MSP is “not as equipped to defend clients from spear phishing as they need to be.” For instance, he says, “Two-factor authentication is not widely adopted or enforced, and ‘don’t click’ policies are not communicated enough.”
Two-factor authentication is the biggest protective measure MSPs can take, according to Hamm. “The Office 365 account absolutely has to have multifactor authentication,” he stresses, adding that “you really need it for any online account—all your banking and financial accounts, and even Amazon and Facebook.”
Kelley agrees and cites other “really low-hanging fruit” for MSPs to implement: publishing a Sender Policy Framework (SPF) record, a DNS TXT record that lists the mail servers and IP address ranges permitted to send email for the domain, and a DMARC policy, which builds on SPF and DKIM to tell receiving servers to quarantine or reject messages that claim to come from the domain but fail those checks, and to report attempted spoofing back to the domain owner. “This is good mail hygiene,” she says. Note that these records protect the organization’s own domain from being spoofed; they do nothing against mail sent from a look-alike domain or from a legitimately compromised account, the case Hamm describes.
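To make the SPF and DMARC checks concrete, here is an added example (not code from the article or from any of the people or vendors it quotes) that evaluates a published SPF record for a sending IP and reads the domain’s DMARC policy. The domain, addresses and TXT records are constructed, and DNS answers come from an in-memory table so the script runs offline; it is deliberately a subset of RFC 7208 (ip4, ip6, include and all mechanisms only).

```python
"""Check what SPF and DMARC say about a message claiming to be from a domain.

Added example, not the page's or any vendor's code, and not a full RFC 7208
evaluator: it handles the ip4, ip6, include and all mechanisms (with their
+ - ~ ? qualifiers) and skips a/mx/ptr/exists lookups.  DNS answers come from
a constructed table so the script runs offline; the domain, addresses and
records below are hypothetical.
"""
import ipaddress

# Constructed TXT records standing in for DNS (assumption, not real data).
# Live code would query TXT for <domain> and for _dmarc.<domain>.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=s",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=FAKE_DNS_TXT):
    """Stand-in for a DNS TXT query."""
    return dns.get(name.lower())


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    'none' means the domain publishes no SPF record at all, which is itself
    a finding: any server may then send mail claiming to be from it.
    """
    if depth > 10:                       # RFC 7208 limits lookups; treat loops as permerror
        return "permerror"
    record = lookup_txt(domain, dns)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                     # a/mx/ptr/exists/redirect not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


def parse_dmarc(domain, dns=FAKE_DNS_TXT):
    """Return the DMARC tags as a dict, or None when no policy is published."""
    record = lookup_txt("_dmarc." + domain, dns)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def assess_sender(domain, sender_ip, dns=FAKE_DNS_TXT):
    """What a receiving server would conclude about mail from sender_ip that
    claims to be from domain, assuming no aligned DKIM signature (the usual
    situation for a spoofed message)."""
    spf = evaluate_spf(domain, sender_ip, dns)
    dmarc = parse_dmarc(domain, dns)
    policy = dmarc.get("p", "none") if dmarc else "none"
    # DMARC treats anything other than an SPF "pass" as an SPF failure;
    # "stopped" means rejected outright or diverted to quarantine.
    return {
        "spf": spf,
        "dmarc_policy": policy,
        "spoof_stopped": spf != "pass" and policy in ("reject", "quarantine"),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.1"):
        print(ip, assess_sender("example.com", ip))
```

The point the example makes is the one in the text: a message from an unauthorized address is only stopped when the domain publishes both a restrictive SPF record (ending in -all) and a DMARC policy of quarantine or reject. A domain with SPF alone, or with p=none, is still trivially spoofable.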
Hamm offers another set of frontline solutions: external email tagging and AI-driven email scanning.
“Most systems include a pretty simple tag that says it’s coming from outside the organization,” Hamm notes. “So, if you get an email from Dave in Accounting, but there’s a tag across the top, you know it didn’t come from inside the company.”
As for email scanning, Hamm says these AI systems are “scanning for characteristics of emails compared to other emails in the inbox or in the company as a whole to identify [suspicious] things.” Barracuda Sentinel is one example, and it integrates with Microsoft 365.
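The following added example (not Barracuda Sentinel’s logic or any vendor’s code) shows both of the controls Hamm describes in a few dozen lines: it prepends an external-sender tag to the subject, and it compares a message’s characteristics against what the organization knows about itself to flag the “Dave in Accounting” case, a look-alike domain, and a Reply-To that silently diverts replies. The organization’s domain, its employee directory and the three messages are constructed for the example.

```python
"""Tag external mail and flag the message traits behind a spear-phish.

Added illustration of an external-sender tag plus a comparison of message
characteristics against what the organisation knows about itself.  It is
not Barracuda Sentinel's logic or any vendor's code.  The organisation's
domain, its employee directory and the three messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the organisation owns this domain and has these employees.
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = {"dave chen": "dave.chen@example.com"}   # display name -> mailbox


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return the tagged subject plus a list of findings for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    external = from_domain not in INTERNAL_DOMAINS
    subject = msg.get("Subject", "")
    findings = []
    if external:
        # the "pretty simple tag" most mail systems can prepend
        subject = "[EXTERNAL] " + subject
        # an outside address using a display name that exists in the directory
        if name.strip().lower() in DIRECTORY:
            findings.append("display_name_impersonation")
        # a domain within two edits of one the company owns
        if any(0 < edit_distance(from_domain, d) <= 2 for d in INTERNAL_DOMAINS):
            findings.append("lookalike_domain")
    # replies routed somewhere other than the apparent sender (classic BEC trait)
    reply_domain = header_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    return {"from": addr, "external": external, "subject": subject, "findings": findings}


# Constructed sample messages (not real mail).
LEGIT = """From: Dave Chen <dave.chen@example.com>
To: assistant@example.com
Subject: Q3 numbers

Attached as discussed.
"""

IMPERSONATION = """From: "Dave Chen" <dave.chen.ceo@gmail.com>
Reply-To: dave.chen.ceo@outlook.com
To: assistant@example.com
Subject: Change of plans

We're not cutting a check. Please wire the funds to the account below.
"""

LOOKALIKE = """From: Accounts Payable <ap@examp1e.com>
To: assistant@example.com
Subject: Updated wire instructions

Use the new account details attached.
"""

if __name__ == "__main__":
    for sample in (LEGIT, IMPERSONATION, LOOKALIKE):
        print(analyse(sample))
```

In a real deployment the external tag is applied by the mail platform itself (a mail-flow rule in Microsoft 365, for instance) and the directory comparison would run against the tenant’s actual user list; the value of the tag is precisely that it survives whatever display name the attacker chooses.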
Still, nothing is quite as effective as user awareness. “Channel pros need to educate their users about the potential threat and ramifications,” Arbel points out. “Training employees on a regular basis on how to recognize common tactics and properly protect their stations is vital.”
Kelley says what’s needed is a change in the culture of response. “There used to be a lot of dismissive comments [from channel pros] that the problem existed between the chair and keyboard. I’m happy to see that changing. We’ve got a real opportunity to engage in deeper learning that can be fun and gamified. People shouldn’t be made to feel embarrassed if they get fooled by a really good phish.”