How to Fight the Phish


Posted on by Kacy Zurkus

According to the 2019 Verizon Data Breach Investigation Report, “Phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors and/or C2 malware was found in over 87% of incidents.” The National Cybersecurity Alliance asserts that attackers have had continued success with phishing campaigns throughout COVID, which is likely one reason why this week’s Cybersecurity Awareness Month theme is Fight the Phish!

While fighting the phish may sound like an easy battle, the adversaries are growing increasingly sophisticated. We must stop blaming the users and accept that there is both personal and corporate responsibility in elevating security awareness.  

Boyd Clewis, VP & CISO at Baxter Clewis, agreed that the average person is not going to understand what phishing is or how to detect a phish. “Cybercriminals are banking on that. Educating individuals to not fall victim to opportunities that seem too good to be true and being able to identify the subtle things that are indicative of phishing will help,” Boyd said.

Boyd said he has received phishing emails himself, and he is hardly alone. He talked about an email from a sender purporting to be the IRS. Unlike many unsuspecting victims, he knew to look at the email header, to seek out any misspellings, and to hover over the sender’s email address. What he confirmed was that the message was not actually from the IRS. These are just a few steps that anyone can take to protect themselves at home and at work.
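The header and hover checks Boyd describes can be automated as a simple triage script. The following is an added example, not code from the original post or from Baxter Clewis; the messages it inspects are constructed samples using reserved `.test` domains, and the caller supplies the domain the sender claims to be (here assumed to be `irs.gov` for a message claiming to come from the IRS). It flags a From domain that does not match the claimed organization, Reply-To or Return-Path domains that differ from the From domain, and HTML links whose visible text names one host while the `href` points to another. The misspelling check from the text is left to the reader, since it needs a dictionary.

```python
"""Header and link triage for a suspicious e-mail (added example, constructed data)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims the IRS, but every address and
# link points at an unrelated .test domain. This is not a real message.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-example.test>
From: "Internal Revenue Service" <refunds@irs-example.test>
Reply-To: claims@another-example.test
To: victim@example.org
Subject: Your tax refund is pendng
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Plaese confirm your details at
<a href="http://irs-example.test/verify">https://www.irs.gov/refund</a></p>
</body></html>
"""

# Constructed sample of a consistent message: all domains agree.
CLEAN_RAW = """\
Return-Path: <alerts@example-bank.test>
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://example-bank.test/login">https://example-bank.test/login</a></p></body></html>
"""


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def host_of(text):
    """Best-effort host from a URL or bare domain shown as link text."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(raw, expected_sender_domain):
    """Return a list of findings; an empty list means no inconsistency found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"] or "")
    # Check 1: does the From domain match the organization the message claims?
    if from_domain != expected_sender_domain:
        findings.append(f"From domain {from_domain!r} is not {expected_sender_domain!r}")
    # Check 2: replies and bounces should not be routed to a different domain.
    for header in ("Reply-To", "Return-Path"):
        value = msg[header]
        if value and domain_of(value) != from_domain:
            findings.append(f"{header} domain {domain_of(value)!r} differs from From domain")
    # Check 3: the "hover" test, done by comparing link text with its href host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                findings.append(f"link shows {shown!r} but points to {actual!r}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_RAW, "irs.gov"):
        print("-", finding)
```

Run against the constructed sample the script reports four inconsistencies (From, Reply-To, Return-Path and the link), while the consistent sample produces none. The expected-domain argument is the part a person still has to supply: knowing that the IRS does not send refund notices from an unrelated domain is exactly the judgment the article asks readers to slow down and apply.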

Preying on Fear

Despite all the education and phishing simulations that companies have invested in, at the end of the day, human beings want to be helpful. They want to do a good job, and malicious actors are good at taking advantage of that natural human desire to please others.

“We’ve also been conditioned to respond quickly, which is why education is so important, but so is slowing down and paying attention to see what you are actually responding to,” Boyd said.

Thanks to social media platforms, it’s easier for malicious actors to learn a lot about their target victims, whether those victims are individuals or corporations. LinkedIn profiles reveal people’s professional connections, but Boyd said, “It’s also easy to go online and find out the format for a corporation’s email address, and cybercriminals then create scripts and target multiple people at one location.”

Think Before You Click

Because it’s so easy for criminals to use automation, it’s easy and affordable for them to cast a wide net and send out hundreds or even thousands of phishing messages. All they need is one person to click, which is why Boyd said companies need to focus on the thought process and methodologies that people should implement.

“Take a moment and think about what you are being asked to do. Email is not considered a secure means of transporting, so you don’t want to send sensitive information via email, nor will legitimate senders ask you to do so.”

Moreover, security practitioners need to lead the charge, Boyd said. “Most end users don’t have the same knowledge they do. They should be leading phish test initiatives and when there is a click, have a conversation and leverage that teaching moment so that it translates into education that matters to them as a person.”

The goal of Cybersecurity Awareness Month aligns with what Boyd said should be the primary objective for companies: empower the people who are in positions to impact the security of our networks. It’s fair to say that technical controls are not going to solve everything, which means that we all have to do our part. Fighting the phish is everybody’s responsibility, and it’s also the responsibility of security practitioners to slow down and teach employees, or, as Boyd said, “they will make a mistake.”

Contributors
Kacy Zurkus

Content Strategist, RSA Conference


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
