In the midst of a private ongoing criminal investigation, news broke last month that previously leaked classified US-UK trade documents were stolen via spear phishing. These documents had been published anonymously online before the last UK election and were already the source of much embarrassment for the UK Government, writes Dave Mount, Director, Europe at the anti-phishing product company Cofense.
The documents were allegedly stolen from Conservative MP Liam Fox, and the breach was believed to be politically motivated and conducted as a state-backed operation, with fingers pointing towards Russia. Fox was tricked into handing over the password and login details to his private email via a sophisticated and targeted attack.
The attack itself clearly delivered the damage it was intended to do. However, irrespective of the documents stolen in this particular case, the incident itself is worth thinking about more broadly regarding what it means for security as a whole.
Why spear phishing matters
Spear phishing, as you likely already know, is a form of social engineering that efficiently infiltrates systems and data. While hackers randomly spoofing the look and branding of an email or website is commonplace, sophisticated spear phishing goes one step further. With an element of social engineering, a little bit of research and an extra bit of effort, hackers are able to create tailored attacks that can catch out even savvy users if they aren’t trained to spot the red flags.
For example, a user who receives an email from a random insurer is very unlikely to follow through with any steps the email asks them to do. If, however, that same user has previously Tweeted about what insurer they use… well then the hackers can create a bespoke email which is far more likely to catch the user out and get them to expose their login data.
Going after Governments
Data leak examples such as this (where spear phishing has been used) only serve to show how seriously it should be taken. If high-ranking government officials protected by the National Cyber Security Centre and solutions like Secure Email Gateways (SEGs) are susceptible to leaking sensitive data and information via these methods, then it stands to reason that your employees are, too. No matter what your SEG vendor might want you to believe, every day, thousands of malicious emails pass through the systems of leading SEG vendors unnoticed.
Arguably, it is the businesses that believe they are fully protected by SEGs that are most at risk. If employees believe only genuine emails will get through to them, they are far more likely to read a spear phishing attempt as a genuine request for data such as login details. All with potentially huge consequences.
The world outside of SEGs
So if an organisation already has SEG technology and wants to do more to ensure its employees are protected, what can it do? The answer is a mix of technology and human training. While technology alone does help, it is all for nothing if those protected are not actively working to spot malicious actors.
In other words, a human and machine pairing is – and will remain – the best way to reduce the risk of phishing attacks. As the National Cyber Security Centre (NCSC) itself says, “If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers”. The threat landscape has never been more dangerous and we, together with machines, all need to ensure we are best prepared against it.