Expert: Three Quarters of Employees Duped by Phishing Scams

In the wake of the data breach at e-mail marketing firm Epsilon, the specter looms of widespread phishing attacks on hundreds of millions of e-mail users whose information was stolen from the firm. But according to Aaron Higbee, the Chief Technology Officer at Intrepidus Group, organizations had reason to fear phishing attacks long before the Epsilon breach made headlines.

Targeted attacks against employees are a growing problem for organizations of all stripes, Higbee told Threatpost, and the public remains woefully ignorant of how phishing scams work, making them highly susceptible to being scammed. Higbee, whose company helps train organizations to defend against phishing attacks, spoke with Threatpost editor Paul Roberts in March, before news of the Epsilon breach made headlines. 

Threatpost: What trends are you seeing in the phishing arena these days?

Aaron Higbee: We’re seeing a lot of attacks aimed at verticals like government, financial services, insurance, health care and especially education. You wouldn’t have thought that education would be on that list, but we see a lot of universities targeted.

Threatpost: Why is that?

Aaron Higbee: Students are vulnerable. They’re required to put their Social Security Number into different forms, so they’re susceptible to being phished. We’ve traditionally focused on enterprise customers, who are worried about spear phishing attacks and less focused on the consumer or identity theft side of spear phishing, but universities have been buying our solution.

Threatpost: Is the trend towards more targeted (“spear phishing”) or generic phishing attacks?

Aaron Higbee: It depends. For retailers and organizations like PayPal, phishers are targeting their users for financial data and account takeovers. When you’re talking about other kinds of organizations, say in government, the attacks are very targeted. An attacker will research the people within the organization. If they’re interested in a particular product, they’ll do their research on the engineering team, so they can say “these people are probably connected to the part of the network we’re interested in getting a foothold on.” And the phishing e-mails will be very convincing. They might claim to be from their employer regarding an update to the healthcare provider they know you’re using. They won’t send in hundreds of e-mails. Just two or three. For the recipients, if the e-mail makes it into their inbox, they assume it’s safe.

In our engagements, we’d use these types of more sophisticated schemes, and organizations would feel demoralized when 70% or 80% of their employees fell for them. But we’ll even try sending around pictures of cats as e-mail attachments, and 50% of the recipients will fall for that, so we’ll go back to the customer and say ‘you have a bit of work to do in terms of creating awareness of the sophistication of these attacks.’

Threatpost: What is the biggest change you’ve seen in the phishing landscape in recent months?

Aaron Higbee: We definitely see that enterprises are starting to expect sophisticated attacks, and phishers realize this. They’re shifting away from e-mail attachments, because organizations have figured out how to keep suspicious attachments out. So we’re seeing them put malicious attachments in ZIP files and include the password with the e-mail message in an effort to get past filters. But there’s a big shift on towards click-only and data entry scams, because phishers are having more success getting through with those.

Threatpost: For example?

Aaron Higbee: With the data entry scams, the idea is to get them to go to a Web site and log in using their corporate credentials, say to see if they won a prize. There’s not a payload. A typical data entry scam is a package delivery notice, where victims get an e-mail saying that someone signed for a package for you, with a link to a Web site you need to log into. For click-only scams, it’s about malware booby-trapped Web pages, where clicking a link is enough to compromise the end system. We’re also seeing a shift to social media, so e-mail claiming that someone left a negative comment on your LinkedIn profile, or someone has tagged you in a (Facebook) photograph and “click here” to untag yourself. People know that their reputation online is at risk, and they want to go online and sort that out.

Threatpost: What are the biggest mistakes organizations make when it comes to defending against phishing attacks?

Aaron Higbee: Companies want efficiency, so they’re creating portals and so on and encouraging their users to go to third party Web sites. So, when you’re dealing with a spear phishing threat on the one hand, but using services that do point employees to external Web sites on the other, it’s confusing: you’re both sensitizing and desensitizing them to the threat at the same time. I think it’s amazing that it’s 2011 and we still haven’t figured out authorized e-mail yet. So when you get an e-mail, you know who sent it to you. Maybe it’s time to get back to those technologies. Our clients ask us all the time: ‘what can we do for end users so they’ll know that an e-mail from our domain came from us?’ The answer is SPF (Sender Policy Framework), where you can say ‘only these addresses can send from our domain.’ We’ve had that technology for a couple of years and I thought we were making progress as an industry to fix that. But if you look at how e-mail is displayed on mobile devices, where it doesn’t show the domain of the sender or recipient, we’re kind of repeating mistakes. One thing companies can do is to encourage employees to be suspicious and aware that they could be targeted, even if they’re not a high level person. Phishing attacks play on common motivators like curiosity, fear, shame. The hope is that people are learning to be suspicious.

Threatpost: Social networking adoption is huge within organizations, but it’s also a security problem. What can companies do?

Aaron Higbee: Right. If you get a message on a social network, that’s often outside the visibility of the organization you work for. Our hope is that the themes you learned from understanding a spear phishing campaign would translate. So we go through that and try to get users to understand the kinds of things an attacker would do to build a compelling story and get them to click on a link. We’re hoping to train the mind to be less gullible.

Threatpost: From your experience, what percentage of employees are susceptible to spear phishing campaigns?

Aaron Higbee: Most of the organizations we work with have never done spear phishing training. In the first campaign, we might see 75% of employees fall for it. We try to help them and train people to be vigilant. We emphasize that we’re not trying to make them feel bad, just to immerse them in the experience and use the same tactics the bad guys use so they’ll be better prepared to protect their identity.
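Higbee’s SPF point above, as a worked example added to this page (it is not code from the interview, from Threatpost or from Intrepidus Group): a small evaluator that answers the receiving mail server’s question “is this IP allowed to send for this domain?” The domain names, the SPF records and the lookup_txt() stub are constructed for the example; a real receiver resolves the domain’s TXT record over DNS instead. The stub also shows what a sending domain that publishes nothing, or does not exist at all, looks like to SPF: a result of “none”, which is not an authentication failure and has to be handled by receiver policy.

```python
"""Minimal SPF evaluator for the "only these addresses can send from our
domain" check.  DNS is replaced by an in-memory table of constructed records
so the example runs offline; a real receiver would fetch the TXT record with
a resolver (e.g. dnspython) instead of calling lookup_txt()."""
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "lookalike-examp1e.com": "",  # domain exists but publishes no SPF record
}

# RFC 7208 qualifier prefixes and the result they yield on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT lookup; returns None for unknown domains,
    which is also what a non-existent sender domain looks like."""
    return SPF_RECORDS.get(domain)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF policy of `domain` for a connecting `sender_ip`.

    Supports ip4, ip6, include and all; anything else (a, mx, exists,
    redirect=) is out of scope here and reported as permerror rather than
    silently accepted."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no policy published: unauthenticated
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"      # include of a missing/broken record
            # fail/softfail/neutral inside an include: no match, keep going
        else:
            return "permerror"
    return "neutral"                    # record ended without an "all" term


def receiver_action(result):
    """Illustrative receiver policy (an assumption, not part of the RFC):
    honour the domain owner's -all, quarantine ~all, and never treat an
    unauthenticated message as proof of origin."""
    return {"pass": "accept",
            "fail": "reject",
            "softfail": "quarantine"}.get(result, "accept-unauthenticated")


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.55"),
                    ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.7"),
                    ("lookalike-examp1e.com", "203.0.113.7"),
                    ("nosuchdomain.invalid", "203.0.113.7")]:
        res = check_spf(dom, ip)
        print(f"{ip:>16} for {dom:<28} -> {res:<9} ({receiver_action(res)})")
```

The point of receiver_action() is the gap Higbee describes: SPF lets the domain owner publish who may send, but only a receiver that acts on “fail” (and decides what to do with “none”) turns that into something the end user can rely on. Note that SPF checks the envelope sender, not the From header a mail client displays, so on its own it does not solve the mobile-client display problem he raises; DMARC is what ties the two together.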

Discussion

  • asmiller-ke6seh on

    I think that a "How To Guide to Prevent Being the Victim of Phishing Attacks", written on a consumer level, would sell well.

    I know of one company (Epsilon Marketing) which could have used that as a "We're Sorry" gift as a way of mending fences. I'm pissed that my email address has been stolen out of Epsilon (I already have received two emails from two companies - TiVo and Crucial - which told me that my email was among those stolen.)

    Seth Miller
    Farmingdale, CT

  • Rick Leir on

    This problem is mostly solved when your business systems are configured to use OpenDNS. I am not related to them, just a user of their free service.

  • Brian on

    OpenDNS may help, but with tens to hundreds of thousands of new domains springing up each day... it's more of a whack-a-mole approach than proactive.

    Email policies are critical to preventing this. I recently did a study and found that over 70% of the time an email was delivered to an inbox when the 'From' address contained a non-existent domain.

  • Anonymous on

    re: "For click only scams, its about malware booby trapped Web pages, where clicking a link is enough to compromise the end system."

    Shouldn't that have said "...to compromise the unprotected end system."

    Would patch management integrated with an 802.1x network have prevented this?

  • Anonymous on

    I'm a big proponent of firing people who do stupid things like this at work. Not sure it would help but it would certainly get the really dumb people out of the company.

  • Anonymous on

    The best defense on all accounts is training end users to think. Over 90% of our infections can be stopped with common sense and repetition. We will never have 100% blockage for all attacks unless we simply stop using technology, and that is clearly not an option.
