Why Do Intelligent, Security-Savvy People Still Click on Bad Email Links?

Almost every day, we hear of some tech executive being hacked via a spear phishing email, and we all probably ask the same question: How can people who know better have been so stupid? Doesn’t everybody know that you don’t click on a link or open an attachment in a suspicious email?

The answer is, yes, they know, but something in the email made them override their normal caution filter. Something promised by the link made them take the risk. What exactly was it?

I’ve explored this idea before in past posts (Phishing with Naked Women and Romantic Lures and How to Write a Spear Phishing Email). I’ve also identified something I refer to as salmon phishing. This is the tendency of people to override normal logic to attain some emotional or otherwise self-fulfilling satisfaction (like a salmon does when it kills itself going upstream to spawn). This ‘salmon’ tendency can be seen in high-profile politicians (and others in the public eye) who risk their reputations, careers, and families to have an affair. Point out the logical problems to them as you may, they will either ignore the warnings or rationalize them. My investigations into this area found that men are more ‘salmon-like’ when the promise of sexual satisfaction is offered, while women are more easily fooled by promises of romance (see An Analysis of a Romance Scam Letter).

German security researcher Zinaida Benenson has also explored this phenomenon in some depth but has extended her investigations to discover why those who should be most knowledgeable, security professionals, will click on malicious links. Since 2012, she has taught future security professionals that security design must take into account the psychology of the network user. “The core idea is to communicate to the students that people do not make these decisions fully rationally, but also based on intuition, emotions and social influence.”

Benenson will be presenting some of her findings at the upcoming Black Hat Conference in August 2016. She will discuss an experiment in which she tried to get college students to click on a link in a message from someone they wouldn’t know. The message claimed the link led to pictures from a recent party. Of course, if the receiver of the message hadn’t been to any parties, they would likely ignore the message. However, 56% of students who received the email clicked on the link when the email addressed them by their first name, and 38% of those who received a similar Facebook message did the same. Oddly, the use of a first name did not seem to matter much with Facebook messages, as even those without a first name led to clicking on a link 42% of the time. However, if the email did not refer to the receiver by their first name, the link was only clicked on 20% of the time. Although most message recipients (82%) realized there was danger in clicking on such links, those who clicked claimed they did so because of curiosity about either the pictures or the sender.

Benenson concludes, as do many researchers on this topic, that anyone can be tricked into clicking on a malicious link. If a person gets an email from someone they know, especially if that person has some authority, they may not even question that email’s authenticity. But, according to one study, 39% of employees admit they’ve opened emails they suspected were dangerous. Only 36% felt confident that they could recognize and avoid an email phishing attack. And the situation only gets worse when social media is involved.

The graph below shows the seriousness of the situation. Almost half of the employees surveyed said they would accept invitations on social media from total strangers, at least some of the time.

[Graph: social media friend acceptance]

In other words, attackers don’t even need to be sophisticated to compromise some corporate networks. They just have to target the right person at the right time.

You would think that we’ve come a long way from the Nigerian prince scam, which took advantage of a person’s greed to scam them out of money. Yet every year, according to the F.B.I., millions of dollars are still lost to these scams. The Better Business Bureau has been warning people for years.

“Ignore individuals representing themselves as foreign government officials asking for your help in placing large sums of money in overseas bank accounts.

 Be leery when strangers are eager to place unexpected, large amounts of money at your disposal, in exchange for your bank account number or other personal or financial information.

 Cashier checks and money orders can be counterfeit. When a stranger sends a check or money offer to purchase a product or service from you, consult with your bank about the time it will take to verify the check, and wait for the funds to clear.”

Nonetheless, new variations on the scam continue to pop up. The latest version asks you for money to help a Nigerian astronaut return from a secret space mission during which he became stranded… for 14 years. No, I’m not making this up. According to legal experts, lawyers are most likely to fall for these Nigerian scams. Who says lawyers are only concerned about money? Another study found that women were more susceptible to phishing emails than men. “Gender and age are two key demographics that predict phishing susceptibility. Specifically, women click on links in phishing emails more often than men do, and also are much more likely than men to continue on to give information to phishing websites.” The study found no reasons for this.

So if these scattergun phishing emails still work, what about well-designed spear phishing emails, whose senders research a victim before targeting them? As it turns out, such targeted emails have an amazingly high success rate. According to cybersecurity firm FireEye, “84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015. The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%.” The preferred vector for these attacks is email, followed by mobile devices and social networks. The point to be made here is that if someone really wants to get into your network via spear phishing, they probably will.

In the final analysis, phishing emails are a form of marketing. To do their jobs, however, they have to get through your email server’s spam filter. Some spam filters are better than others. In my experience, Yahoo tends to let more spam emails through but Gmail tends to block more legitimate mails. There are many services to help a sender get their spam into someone’s inbox. Of course, they don’t refer to it as “spam”. They call it “email marketing”. In any event, here is one such site’s advice on avoiding the spam filter.

[Image: advice on avoiding the spam filter]

So let’s assume that good phishing scams use the same advice and can, with assorted other tricks, manage to get into a victim’s inbox. Once there, they have to use certain marketing strategies to get the victim to click on that vital link or open that attachment. These links often take victims to some sort of login page that looks legitimate. If they’ve made the email recipient click through to that page, according to Google, the attackers have a 45% chance of getting the information they want. That’s pretty scary.

In some cases, attackers just want this information to make financial gains. In other cases, they may be trying to launch a more sophisticated attack on a company or organization and need to get information from an employee to accomplish this. Companies realize that they are vulnerable to spear phishing attacks, with up to 75% of them naming spear phishing as their greatest threat and employee behavior as their most vulnerable point. Here is what one study found when investigating this risk.

[Image: spear phishing risk]

The truth is that irresponsible employee behavior is what will most likely compromise a company network. The problem is that human instincts are not easily circumvented. As long as employees are human, they can be emotionally manipulated by phishing and spear phishing attackers. No amount of training can completely eliminate this human tendency. You cannot spear-phish a robot.




There is a solution to the human frailty problem. New technology developed by InZero Systems allows users to be as irresponsible as they want. No matter how many bad links they may click on, this hardware separation solution prohibits attackers from crossing the hardware barrier and penetrating the corporate network.

