KnowBe4 Security Awareness Training Blog

Spearphishing Boils Down to Basic Social Engineering

Written by Stu Sjouwerman | Apr 23, 2019 11:13:50 AM

While spearphishing attacks may employ various tactics and tools, they all rely on the same underlying human weaknesses to achieve their goals, according to Asaf Cidon from Barracuda Networks. Cidon appeared on the CyberWire’s Hacking Humans podcast last week, where he discussed his company’s research on spearphishing and social engineering.

Cidon categorized spearphishing attacks into three classes: brand impersonation, employee impersonation, and blackmail or sextortion emails. Brand impersonation is when an email purports to come from a company or service used by the target.

Employee impersonation, also known as business email compromise (BEC), is a very effective technique in which the attacker poses as a co-worker or executive within a company. The use of blackmail and sextortion emails is a relatively recent trend which is rapidly growing in popularity. All three of these attacks create a sense of urgency to make the victim act quickly and without thinking.

“Attackers employ several different social engineering cues or techniques to really get the recipients to do what they want, and one of those is urgency,” he said. “So, urgency serves several purposes. Probably the most important one – it makes the recipient, you know, quickly respond to the email and do so before they realize that this email is fake.

So, either, you know, if you're asking the recipient to send you a wire transfer, or if you're asking them to click on a link because there's some urgent security alert on their account, right, you really want to make the recipient take action.”

When asked which employees are most likely to be targeted by spearphishing, Cidon said that, generally, the targets were “across the board.”

“Oftentimes, attackers are just trying to get in, no matter through whom,” said Cidon. “And oftentimes, it's easier to get in through kind of lower-level, mid-level employees, or even employees that are not in sensitive departments.”

To defend against these attacks, Cidon recommended implementing a modern, AI-based security solution to help flag these emails, since legacy email security systems won’t catch them. The root of the problem comes down to human manipulation, however, so employee training is another fundamental layer of defense.

“All of these emails are really taking advantage of our weaknesses as – you know, our psychological weaknesses, our weaknesses as humans,” he said. “And so, security awareness training – you know, effective security awareness training that actually also tests, you know, these types of scenarios, like tests emails coming from your boss or, you know, phishing links that are coming from services that you use every day is also really helpful in mitigating these attacks.”

Spearphishing attacks are becoming more common and more sophisticated. Artificial intelligence tools can be useful, but they are not a complete substitute for educated and aware natural intelligence. New-school security awareness training is one of the best ways to help your employees defend against this extremely effective threat.

The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-04-18.html