Gone spear phishing: how to protect from email threats

Since COVID-19 kickstarted the remote working revolution, companies have been forced to change how they operate – moving to the cloud and implementing technology to enable employees to work from anywhere.

As with all good things, though, inevitably comes the bad: with the increase in remote working comes an increased risk of cyber threats. The risks of employees falling victim to phishing attacks, in particular, have been heightened under the boom in remote working. 

According to Deloitte, this is because cybercriminals are adapting their tactics to target people in their homes, which, in many cases, is now their office, too. “As working from home becomes a gateway to new forms of data theft, companies face increased cyber risk,” it says. Meanwhile, according to Microsoft’s New Future of Work Report, 80% of security professionals have experienced increased security threats since shifting to remote work. What’s more, 62% of these professionals noted that phishing attacks have increased more than any other type of threat. 

“Organisations have long been under the threat of phishing emails that impersonate a co-worker or a manager,” explains Todd Marlin, Global Forensic & Integrity Services Forensic Data Analytics Leader at EY. “You might get an email that appears to be sent by a colleague asking you to follow instructions to ‘transfer money’, ‘send financial data’ or ‘allow access to confidential product information’.”

“In the past, you might have called out to someone in the next cubicle to ask for verification, but if that’s not an option, you may automatically click on the link. As employees lose face-to-face contact, the risk of being victimised increases exponentially.”

Costly phishing attacks are on the rise

Not only are phishing attacks on the rise, but they are becoming increasingly sophisticated. With such a transformation in how workers operate remotely, the cyber risks faced by organisations have increased significantly. If a remote worker falls victim to a phishing email, the consequences for the business can be significant, ranging from major IT downtime and business disruption to the loss of important data. According to a report by IBM, phishing attacks prove costly for businesses as well as time consuming, costing firms an average of US$4.65mn.

As Josh Yavor, Chief Information Security Officer at Tessian, comments, email accounts represent a valuable target for would-be attackers. “We all rely on email at work and at home,” he explains. “As the gateway to valuable data and access, email accounts are always a valuable target to adversaries – especially those seeking to compromise businesses. We can also expect threats to continue to expand into other communication platforms, like instant messaging tools, personal email or social media accounts, as attackers seek to evade detection.”

Unlike traditional phishing attacks, which prioritise sheer quantity and can be relatively unsophisticated, spear-phishing attacks are highly targeted to a specific potential individual or set of individuals, and often feature highly-detailed personal information intended to deceive. 

As this type of attack is more personalised, the success rate for the attacker is higher. According to cybersecurity firm FireEye, spear-phishing emails have an open rate of 70%, with 50% of recipients opening enclosed links.  

Spear-phishing attacks can be particularly hard to detect, as network security company Barracuda says. Traditional email security relies on reputation analysis, block lists, and signature-matching of malicious attachments and URLs. Spear phishing attacks are carefully designed to pass these checks and go undetected. They often do not have a malicious payload that traditional security can detect, and they often come from high-reputation sender domains or already compromised accounts.

“It's getting harder and harder for regular users to recognise targeted phishing emails and spear phishing attacks,” Keiron Holyome, BlackBerry’s Vice President – UKI, Middle East & Africa, comments. “This means that when employees are working from home or outside the office, they must be extra vigilant, working with their employer to defend effectively against phishing. 

“Employees are essential in preventing phishing attacks by adhering to security policies, ensuring all of their devices are secured by security software, and immediately installing automatic updates,” adds Holyome. “Employers may increase employee knowledge of phishing by providing regular staff training as well as endpoint security measures for both company-owned and employee-owned devices that can be used both online and offline.”

Implementing zero trust

With the rapid increase in remote working, how can organisations overcome security threats? As Srinivas Mukkamala, Ivanti’s Senior Vice President of Security Products, explains, the answer could be in implementing zero trust.

Zero-trust security requires organisations to continually verify any and all devices that are connected to its network every single time with zero exceptions. As part of a zero-trust strategy, organisations should leverage machine learning to conduct continuous device posture assessment, role-based user access control, and location awareness before granting access to data. e, which will ultimately improve security behaviours.”

“In this new era of remote work, the threat surface has expanded, so implementing zero trust has never been more important,” Mukkamala comments. “There are three simple principles for Zero trust: secure the user, secure the device, and secure access.  

“Passwords are the biggest point of weakness for organisations that still use them prolifically. They are easily forgettable, and it is difficult to authenticate users through them as they are quite commonly shared amongst colleagues, and easy to give away through phishing. Passwordless authentication such as the use of biometrics is much more secure and will alleviate the password rest burden on already short-staffed IT teams.”

AI enabling the future of phishing

With infosec teams needing to move quickly to stay ahead of the curve, AI could also prove to be the future of cybersecurity issues, with AI-generated phishing attacks become more convincing. Research by cybersecurity company WithSecure shows that business email compromise (BEC) scams could be generated using AI systems. Through models such as OpenAI’s ChatGPT, for example, bad actors can automate the creation of credible yet malicious content at incredible speed.

“The generation of versatile natural language text from a small amount of input will inevitably interest criminals, especially cybercriminals – if it hasn’t already,” said WithSecure’s report. “Likewise, anyone who uses the web to spread scams, fake news or misinformation in general may have an interest in a tool that creates credible, possibly even compelling, text at superhuman speeds.”

“By now, everyone has seen fake videos produced by deep learning (DL) and AI techniques, better known as ‘deepfake’ videos,” says Heather Gantt-Evans, Chief Information Security Officer at identity security firm SailPoint. “However, imagine receiving a phishing email with a deepfake video of your CEO instructing you to go to a malicious URL. Or an attacker constructing more believable, legitimate-seeming phishing emails by using AI to better mimic corporate communications. Modern AI capabilities could completely blur the lines between legitimate and malicious emails, websites, company communications, and videos.”

As Tessian’s Yavor concludes, to keep employees secure on email, organisations should be proactive in delivering security training that addresses the common types of threats on email that’s tailored and personalised to their role and department. “Company cultures also play a significant role in protecting employees,” he says. “Security leaders should emphasise a culture that builds trust and confidenc