Why email phishing persists


An email protocol that can't authenticate senders combined with bad actors' increasingly clever tactics may mean phishing is here to stay.

One reason why bad actors use spoofing to steal sensitive information is they can. Despite all we know about practicing good cyber hygiene, spoofing works.

One of the most popular forms of spoofing is phishing, which the U.S. Computer Emergency Readiness Team defines as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.”

Although phishers are using social media, instant messages, text messages and voice calls, they most commonly rely on email. That’s because of inherent flaws in how email was designed, Neil Wynne, principal and analyst for secure business enablement at Gartner, told GCN. Specifically, Simple Mail Transfer Protocol, the standard for sending and relaying email, is more than 30 years old and was not designed to authenticate senders or verify the integrity of received messages, he said via email.

“It is therefore easy to fake or ‘spoof’ where an email claims to come from,” Wynne said. As a result, it’s “trivial for an attacker to impersonate a trusted entity -- the underlying protocol that powers every email system simply doesn’t have an inherent way to defend against this.”

To demonstrate how easily phishing works, Al Bailey, a special agent at the Environmental Protection Agency’s Office of the Inspector General’s Office of Investigations, walked through a scam that affected EPA. To steal office supplies to resell for a profit, attackers in a foreign country compiled a list of about 1,700 EPA employee email addresses and sent a mass message out pretending to be part of the agency’s online security team.

“The email told these employees that the EPA was undergoing a system upgrade and that they had to reset their remote log-in credentials or else their email accounts would be frozen,” Bailey said in a 2017 podcast. “And of course, the email included a link that took these employees to a page that was supposedly the EPA’s remote log-in page.”

The employees entered their usernames and passwords into the fake page, and the attackers used those real credentials to buy thousands of dollars’ worth of office supplies.

Phishing is a major concern because it’s often the initial attack vector hackers use to compromise an organization, Wynne said. Government agencies are especially tempting targets because they’re seen as housing citizens' personally identifiable information, which hackers can use for a variety of scams.

“From an attacker’s perspective, they’re trying to trick the user into clicking on a malicious link or opening a malicious attachment so that they can ultimately establish a foothold,” he wrote. “What an attacker does from there will depend on their motive, which is most frequently monetization.”

For years, government agencies have been issuing reports -- intended for workers and the public at large, too -- describing what to look out for in phishing attacks. For instance, a 2013 document from the Securities and Exchange Commission warns that phishing emails may look like they come from legitimate sources, even copying a company or agency logo; the “from” line could contain the names of real people who work at the company; and URLs might look authentic. Additionally, phishing messages often include a sense of urgency or a threatened consequence if the recipient doesn’t act quickly.
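The spoofable “from” line and the SEC’s warning signs above can be turned into a simple triage check on a delivered message. This is an added example, not code from the article or from any agency it cites; the sample message, the agency.example and attacker.example domains and the urgency phrase list are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message; the domains and wording are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.attacker.example>
From: "Agency Online Security Team" <security@agency.example>
Subject: Mandatory remote log-in reset
Content-Type: text/html

<p>A system upgrade requires you to reset your remote log-in credentials
within 24 hours or your account will be frozen.</p>
<a href="https://agency-login.attacker.example/reset">https://remote.agency.example/reset</a>
"""
URGENCY = ("immediately", "within 24 hours", "will be frozen", "suspended")
class _Links(HTMLParser):
    # Collect (href, visible text) pairs from <a> tags.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
def _domain(s):
    # Domain of an address or URL, lower-cased; "" when there is none.
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", s)
    return (m.group(1) or m.group(2)).lower() if m else ""
def phishing_indicators(raw):
    msg, found = message_from_string(raw), []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    # Return-Path is stamped by the receiving server; the From line is whatever
    # the sender chose, so the two disagreeing is the spoofing described above.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        found.append("from_domain_mismatch")
    body = msg.get_payload(decode=True).decode(errors="replace")  # single-part only
    links = _Links(); links.feed(body)
    if any(_domain(t) and _domain(t) != _domain(h) for h, t in links.links):
        found.append("link_text_mismatch")  # shown URL differs from real target
    if any(k in body.lower() for k in URGENCY):
        found.append("urgency_language")
    return found
```

A message can still be legitimate with one indicator and malicious with none, so these results are a triage signal for a mail gateway or analyst, not a verdict.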

A Federal Trade Commission article encourages people to be careful about opening attachments or clicking on links in emails, to look up websites and phone numbers through a web search rather than trusting those provided in the message and to call agencies directly to find out if the email is legit.

But phishing shows no sign of slowing down. In the second quarter of this year, phishing attacks worldwide totaled 233,040, compared with 180,577 in the fourth quarter of 2017, according to a report by the Anti-Phishing Working Group, an international coalition working to standardize the response to cybercrime.

Agencies can use multifactor authentication, keep security and antivirus software up to date and back up files to an external hard drive or cloud storage to limit damage. Because there is no silver bullet for avoiding a phishing lure, the most effective way to fight attacks is through a defense-in-depth approach covering technology, procedures and education.

Still, agencies remain vulnerable. “Technology can be used to help prevent users from being exposed to these attacks to begin with, but this will never be 100% effective,” Wynne said. In fact, “the human brain can be trained to detect malicious intent better than even the most advanced machine learning model. Of course, education isn’t foolproof either and some attacks are so well crafted that they are not only able to bypass advanced technical controls but can even trick the most well-educated users.”

That’s because phishers are masters of deception, appealing to even the least vulnerable computer users by using open source intelligence and personal information that has been disclosed in data breaches, which dramatically increases their likelihood of success, Wynne said. They also use timing to their advantage. For instance, anything related to paychecks typically goes out toward the middle or end of the month.

“How likely are you to question a flawlessly-crafted email that appears to be from a senior executive in your organization?” Wynne asked. “In many organizations, you wouldn’t question a request from a person at this level so there’s a fear that not complying will put your job in jeopardy. Combine all of this with a sense of urgency, and you have the perfect recipe to override a person’s better judgment.”
