After the commotion about the GDPR, data leaks and ransomware, the waves seem to have quieted down a little. That means the phishing season has opened and it is time to address this growing threat. My mind has been going back and forth on this topic for a while now, and I seem to be coming to the conclusion that phishing and CEO-fraud could soon run out of existence. Join me on this line of thought…
Don’t be low hanging fruit
Just to clarify: you will never be 100% secure. But many attacks target low hanging fruit: gain the most profit with as little effort as possible. You can gain a lot by simply hanging your fruit a bit higher than everyone else. The higher you go, the more effort a phisher has to put in, and that rapidly disqualifies you as an easy target.
Do you trust your CEO?
Phishing happens on a lot of different levels. Usually it is done on a big scale without a specific target; sometimes it is aimed at a very specific target such as a person or an organisation, and in that case we talk about spear phishing. A common variant is an email which appears to have been sent by a colleague from within your own company: the display name is a real colleague, and the address is either a spoofed copy of your own domain or a lookalike domain registered for the occasion. We tend to trust familiar names, so we don't question the content. This is partly why CEO-fraud (also known as business email compromise) is so successful: an email which supposedly comes from the CEO, asking you to make a quick financial transaction, will in most cases be accepted without question. That's because nobody likes to cross a CEO.
It is quite easy to counter these types of phishing. Of course you should have your basic hygiene in place: your SPF, DKIM and DMARC records should be configured correctly for your mail domain, and the DMARC policy should actually be set to quarantine or reject rather than the monitoring-only p=none, otherwise receiving servers will still deliver spoofed mail. Be aware of what these records do and do not stop: they let a receiving mail server detect mail that claims to come from your exact domain but did not, and they do nothing against a lookalike domain, a spoofed display name on a free webmail account, or a genuinely compromised mailbox. Combined with an occasional awareness training, this is often as far as it goes. With the long-term effects of these trainings being questionable (the taught principles fade over time), these measures alone do not suffice to stop phishing.
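The following PowerShell check is an added example, not part of the original post. It looks up the DNS side of that hygiene for a domain and reports the usual weak spots (no record, softfail, p=none, partial pct). It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and a working resolver; example.com and the selector name are placeholders, and the DKIM check is optional because a DKIM record can only be found if you know the selector.

```powershell
# Added example, not from the original post. Requires Resolve-DnsName (DnsClient module).
function Test-MailDomainHygiene {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DkimSelector   # e.g. 'selector1' for Exchange Online; optional
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Returns every TXT record at a name, with long records' 255-byte chunks joined back together.
    function Get-TxtRecords([string]$Name) {
        @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
    }

    # SPF: exactly one record at the apex, and it should end in -all to reject unknown hosts.
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1(\s|$)' })
    switch ($spf.Count) {
        0 { $findings.Add('No SPF record: any host may send mail claiming to be this domain.') }
        1 {
            if     ($spf[0] -match '\+all')    { $findings.Add('SPF ends in +all, which authorises every host on the internet.') }
            elseif ($spf[0] -match '~all')     { $findings.Add('SPF uses ~all (softfail); without DMARC enforcement receivers may still deliver spoofed mail.') }
            elseif ($spf[0] -notmatch '-all')  { $findings.Add('SPF has no -all; unauthorised hosts are not rejected.') }
        }
        default { $findings.Add("$($spf.Count) SPF records found; RFC 7208 treats that as a permanent error, so SPF fails for everyone.") }
    }
    $spfRecord = if ($spf.Count -eq 1) { $spf[0] } else { $null }

    # DMARC: lives at _dmarc.<domain>; only p=quarantine or p=reject tells receivers to act.
    $dmarc  = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' })
    $policy = $null
    if ($dmarc.Count -eq 0) {
        $findings.Add('No DMARC record: SPF/DKIM results are never enforced, so exact-domain spoofing is not blocked.')
    } elseif ($dmarc[0] -match '(?:^|;)\s*p=(\w+)') {
        $policy = $Matches[1].ToLower()
        if ($policy -eq 'none') {
            $findings.Add('DMARC policy is p=none: failures are only reported, spoofed mail is still delivered.')
        }
        if ($dmarc[0] -match '(?:^|;)\s*pct=(\d+)') {
            if ([int]$Matches[1] -lt 100) { $findings.Add("DMARC pct=$($Matches[1]): the policy applies to only part of the traffic.") }
        }
    }

    # DKIM (optional): a public key at <selector>._domainkey.<domain>. Resolve-DnsName follows
    # the CNAME that Exchange Online uses, and the Type filter above keeps only the TXT answer.
    if ($DkimSelector) {
        $dkim = @(Get-TxtRecords "$DkimSelector._domainkey.$Domain" | Where-Object { $_ -match '(?:^|;)\s*p=' })
        if ($dkim.Count -eq 0) { $findings.Add("No DKIM key found for selector '$DkimSelector'.") }
    }

    [pscustomobject]@{
        Domain      = $Domain
        Spf         = $spfRecord
        DmarcPolicy = $policy
        Enforcing   = ($policy -in 'quarantine','reject') -and ($spf.Count -eq 1) -and ($spf[0] -notmatch '\+all')
        Findings    = $findings.ToArray()
    }
}

# Placeholder domain and selector; replace with your own.
Test-MailDomainHygiene -Domain 'example.com' -DkimSelector 'selector1'
```

Enforcing is only true when DMARC is set to quarantine or reject and a single, non-permissive SPF record exists; everything else lands in Findings. Run it against your own domain before assuming the "basic hygiene" box is ticked, and remember that a clean result still says nothing about lookalike domains or compromised accounts.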
So let’s start PGP?
One of the more common resolutions is to introduce PGP. True enough, that really can work: if every internal mail is signed and every employee checks the signature before acting on a request, a forged CEO mail stands out immediately. But that requires all employees to understand how to use PGP and to know when to check, sign or encrypt, and as most organisations are not filled with cyber-gurus, this solution might not be the easiest to obtain. Thankfully there is another way.
The color of trust
Awareness really works when a certain pattern is broken. For example: if every phishing mail were highlighted in pink, it would stand out between all your normal mail, so you could recognise it and discard it. Obviously that is a utopia, but let's reverse it: imagine all incoming mail that can be trusted gets highlighted. All mail from your colleagues is tagged green, for instance. This is quite easy to implement with MS Exchange and Outlook clients. A transport rule on the Exchange server tags every email that 1) comes from a domain that Exchange serves and 2) was submitted to Exchange over an authenticated connection (this is exactly what Exchange's "sender is inside the organization" condition checks), and an Outlook rule or category gives tagged mail its color.
This might seem like a simple trick, but the results could be huge. As an employee you get used to seeing internal mail highlighted in a specific color. A spear phishing or CEO-fraud mail sent from outside won't have that color, because it cannot satisfy both conditions: a lookalike domain fails the first, and a spoofed copy of your own domain fails the second, since it never reached Exchange from an authenticated internal sender. These emails will therefore stand out, which triggers awareness and suspicion. With the right training the employee will then call the IT department, or the CEO himself, to verify the mail.
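As an added example, not part of the original post, here is how the two Exchange conditions and the Outlook coloring can be set up from the Exchange Management Shell or an Exchange Online PowerShell session. The header name X-Org-Internal-Sender, the rule names and the category name are placeholders of my choosing. The first rule is the check a practitioner wants here: a message header is just text, so without it an attacker could add the marker header to a phishing mail and have it colored green.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# or an Exchange Online PowerShell session. Header name, rule names and category
# name are placeholders.
$marker = 'X-Org-Internal-Sender'

# Rule 1 (highest priority): any message whose sender is NOT inside the organization
# loses the marker header, even if the sender added it themselves.
New-TransportRule -Name 'Strip internal marker from external mail' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -RemoveHeader $marker `
    -Comments 'Prevents forged trusted-sender markers on inbound mail'

# Rule 2: Exchange treats a sender as "inside the organization" when it is a mailbox,
# mail user or group in the directory, or when its address is in an accepted domain
# AND the message was sent or received over an authenticated connection. Only those
# messages get the marker.
New-TransportRule -Name 'Mark authenticated internal mail' `
    -Priority 1 `
    -FromScope InOrganization `
    -SetHeaderName $marker `
    -SetHeaderValue 'true' `
    -Comments 'Marker consumed by the Outlook coloring rule'

# Outlook side: a server-side inbox rule per mailbox that assigns the "Internal"
# category whenever the marker header is present. The category itself (and its
# green color) is defined in each user's Outlook category list, not by this script.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        New-InboxRule -Mailbox $_.Identity `
            -Name 'Color internal mail green' `
            -HeaderContainsWords "${marker}: true" `
            -ApplyCategory 'Internal'
    }
```

Two things to keep in mind. Mail that legitimately enters Exchange without authentication (a scanner or an old application relaying anonymously) will show up uncolored, which is honest rather than a bug, but expect questions. And the rules cannot distinguish a colleague from a colleague's compromised mailbox: that mail is authenticated and internal, so it will be green. Many organisations run the mirror image of this setup, prepending a tag such as [EXTERNAL] to the subject of NotInOrganization mail with -PrependSubject, which needs no client-side rule but is easier for users to tune out; recent Exchange Online versions also offer a native external-sender tag via Set-ExternalInOutlook.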
The one ring?
This won't solve everything of course. Plenty of phishing variants work regardless of these rules: mail from a colleague's mailbox that has actually been compromised will be tagged as trusted, and a phishing mail that never pretends to be internal, such as a fake supplier invoice, is not addressed at all. The important thing to remember, however, is that we should start thinking outside of the box. Let's do things differently. When more and more companies use custom approaches to counter (cyber)crime, it becomes increasingly hard for criminals to exploit them.
There is no one-size-fits-all solution to cybersecurity. We need to start thinking in layers. The more layers, the harder it will be for criminals to get through. With the above example we implement one layer, easy to put in place, that protects against a specific form of spear phishing and CEO-fraud. It's so simple that we may even have overlooked some parts. But on the other hand, the best solutions are often the easiest. So maybe this easy solution will make a phisher's life a bit harder. Something I can really live with.