There’s no single defense against phishing and other social engineering attacks, according to Kevin O’Brien, CEO and co-founder of email security company GreatHorn. On the CyberWire’s Daily Podcast, O’Brien explained that the social engineering tactics used in phishing attacks are well-documented, but the attackers still use them because they’re effective.
“What you're looking for whenever you're talking about social engineering in high-risk events is something that creates a sense of urgency on the victim's behalf,” O’Brien said. “So global events that everybody is nervous about – and the pandemic that we're currently experiencing certainly qualifies – would be a good example case of that.”
O’Brien said COVID-19-themed phishing attacks are a manifestation of a wider strategy in which criminals exploit emotional response to trick people. In many cases, these attacks are predictable if you know what to expect.
“You can also see it where an organization might have people who are nervous about their taxes,” he said. “So every year you get a spate of phishing attacks that are focused around tax season – your W-2 is attached. Why? Because money is involved, and that's something that creates a sense of urgency. Oh, my taxes are due, or I owe on my taxes, or I'm going to get paid money from the government because I overpaid. People are inherently like, I want to go look at that right now. So, money, health, family, jobs status – those are all the sorts of things that create high-risk moments.”
O’Brien added that attackers are increasingly putting in more effort to execute more convincing social engineering attacks, so users need to be constantly vigilant for new tactics.
“And social engineers and attackers who get this understand how to condition people to certain responses,” he explained. “And it’s trivial to send you an email that says, oh, I’ve got your COVID-19 update from the boss. But you know, more advanced and sophisticated attackers will do this over the course of days or weeks or months, and you don't even realize you're being played. It’s just another con. And it can be a short con or a long con. Email is just a convenient delivery mechanism because every professional has an email address.”
O’Brien concluded that organizations need to implement defense-in-depth to maximize their security posture.
“The problem is, there's no one thing that you do,” he said. “There is almost this assumption that this is a problem that can't be solved because it's difficult to solve....[T]hat is really the thing that we need to challenge – the assumption that this is an intractable problem – because it is not. And I think that overcoming that fatigue is the story behind the story. Why are things like COVID-19 emails out there? Because they work. But we can still address that. We can do better, but we do better by thinking about this strategically and laying out a defense-in-depth strategy around security posture rather than, here's a thing you can buy.”
New-school security awareness training can provide your organization with an essential layer of defense by enabling your employees to recognize and thwart social engineering tactics in the real world.
The CyberWire has the story.