Phishing is an old game, but the rules are always changing. I was quoted extensively, along with experts from companies like PwC, EY and McKinsey & Company, in a story for SC Magazine on developments in phishing of which CISOs, leaders and companies of all sizes need to be aware.
Click the image below to read the full article.
I’m mainly quoted in the sections on multi-factor authentication and small-batch spam. I elaborate on my thoughts on these topics below, as well as another key development in phishing.
Hackers are learning to beat certain kinds of MFA
The value of multi-factor authentication (MFA) can't be understated — whatever you do, don't stop using it — but it's not the foolproof line of defense against phishing that it once was. Today's hackers are patient. They may phish an email account just to bypass MFA later on a system that houses more valuable data.
MFA using email or text was once sufficient for large companies. Today, there's more reason than ever to use an MFA application with a token tied to a certificate that provides an extra level of protection.
I continue to be shocked by mainstream players that do not offer MFA or at least don’t make it easy to enable. There still are heavily used monitoring tools on the market that don’t incorporate MFA.
At some point it could result in the end game if you don’t employ MFA within your product.
Recently, I was talking to an IT executive at a large company who said he didn't feel the need to enable MFA for employees logging on to company systems within the office.
In his view, people within the office walls had already come through one factor by scanning their badge at the front door.
I don't want to discount the value of the badges — physical security is important — but as far as the hackers are concerned, that is not MFA and those employees are vulnerable to phishing.
Low-volume attacks highlight need for customizable filters
Low-volume phishing attacks are becoming more frequent and slipping past controls that usually flag volume.
Hackers are sending phishing emails in smaller batches, both because of the trend toward increased personalization, but also because they are reverse engineering what the volume threshold is and creating batches of emails just below it.
Think about it — a hacker can buy a solution like Barracuda, install it, and start testing. What gets in? 999 emails? 499? 99? 49? It would be pretty easy to determine the limit if you can run experiments, and there's no reason hackers can't.
This is not all that different from research marketers conduct to keep their emails out of spam filters as well. Savvy IT executives seek out a spam filter that lets you get under the hood and twist the knobs.
Settings like low, medium and high strength just aren't going to cut it if you want to stay ahead of trends like small-batch spam. So volume filters aren't catching spam anymore — what happens if blacklists or sender masking stops being reliable as well?
You need to be able to compensate and adjust these settings in real time. Does your spam-filter provider use reputable blacklist sources? Is it configurable? Can you manually adjust the volume threshold? What other settings can you tweak at a micro level?
The more the better.
I often talk to IT executives who are using the built-in spam filter on Microsoft 365 (formerly Office 365). This is a minimum of what you should implement for spam control, but there are other third party products that may give you more granular control over your filtering.
The key takeaway is to do your homework and don’t assume that Microsoft's built-in spam filter is your only choice.
If large companies are not getting the results they need from existing products, we could potentially see them create their own custom, proprietary spam filters in-house. If hackers can't buy a solution, it's going to be hard for them to learn anything about how it works.
I know of at least one company that has done this.
The difference between write and wrong
English skills of hackers are improving. While spelling, grammar and syntax errors have been a fairly reliable indicator of phishing emails in the past, the value of this "red flag" is diminishing.
Hackers are essentially running illegal businesses, and like any other industry, they refine their product and practices.
It no longer seems like they are relying on Google Translate. It appears that some hackers have hired native English speakers to write for them or have taken English classes, and it is paying off.
Sadly, in addition to hackers showing off better writing and design skills, I'm seeing legitimate sources let their standards slide.
I recently had to double check with a major, reputable IT vendor if a communication they sent to clients was valid because it was riddled with errors. It was valid, and to be honest, that's embarrassing.
There is more than one reason you can't trust that something poorly written and pixilated is spam these days, and it's not just because hackers are stepping up their game.
