Experts see surge in corporate phishing

Criminals are adept at spoofing financial institutions, mortgage lenders and Internet service providers, according to a study published March 3, 2017, by the Federal Trade Commission's Office of Technology Research and Investigation (OTech). Thus, the FTC advised business owners to implement advanced authentication technologies to protect against phishing attacks. Employees who click on fraudulent emails can expose individual identities and entire IT networks to malicious attacks, experts warn.

"All companies have one employee who will click on anything," said Brad Smith, President of Microsoft Corp., during a keynote address at the 2017 RSA Conference held Feb. 13 to 17 in San Francisco. "Ninety percent of intrusions begin with a phishing scheme."

Smith called cybersecurity a growing problem in need of new solutions. In the cyberspace battlefield, business owners are both the point of battle and the first responders, he noted, adding that this became more apparent after the Sony Corp. attack, which pitted a foreign power against a private company that had engaged in freedom of expression. Escalating geopolitical controversies will inspire more nation-state attacks against government and private infrastructures, he stated.

Digital cyberspace charter

Smith called on the world's governments to take a page from the 1949 Geneva Convention by establishing an independent organization to protect civilian infrastructures and address vulnerabilities.

He said a digital Geneva Convention would provide support in the following ways:

• Assist and protect customers everywhere.

• Refrain from aiding in any attacks on customers.

• Create trusted, national and global infrastructures.

Advanced authentication available

The OTech study analyzed leading ecommerce providers and their various methods for protecting networks from attacks. Researchers found that 86 percent of respondents had implemented sender policy framework (SPF) schemes, but fewer than 10 percent reinforced SPF with domain message authentication reporting and conformance (DMARC).

SPF enables Internet service providers to validate email messages by tracing their points of origin. DMARC notifies ISPs when it detects unauthenticated messages, giving ISPs a chance to block the messages before they land in a consumer's inbox. Mimecast, aninternational cybersecurity company, helps companies secure critical infrastructures by protecting their email systems. The Mimecast Email Security Risk Assessment 2017 revealed that phishing attacks are bypassing network security screens. The company's report was based on data from more than 25,000 clients that use its cloud-based email management, security and business continuity solutions. Clients have been increasingly targeted by spammers and advanced impersonators, report authors stated.

"Unfortunately email security strategies fall short and do not keep organizations safe," the authors wrote. "The reality is the entire industry needs to work toward a higher standard of quality, protection and overall email security."

Spam, malware, impersonations

Mimecast researchers cited the following popular techniques in phishing attacks:

• Spam email: In general, spam email messages are annoying but not lethal, the authors stated.

• Dangerous file attachments: Malicious file types with extensions such as .jsp (Java Server Pages), .exe (executables), and .src (source) files are rarely sent for legitimate purposes.

• Known malware schemes: Known malware, consistent with previously seen viruses, has been recorded in malware information databases and is mostly visible to malware detection engines.

• Unknown malware schemes: Unknown malware will generally not be blocked by commonly used endpoint anti-virus technology.

• Impersonation emails: These sophisticated attempts do not usually carry malware or malicious URLs and can be difficult to detect. "They are social engineering heavy emails that attempt to impersonate a trusted party, such as a C-level executive, employee or business partner, with the goal of prompting the recipient to do something they shouldn't," the authors wrote. "Examples of this are sending wire-transfers, W-2s, or other sensitive and valuable data to the fraudster under the guise of some business process."

Researchers concluded that many email security systems are vulnerable to today's "sophisticated, well-resourced and targeted attackers." Mimecast security analysts are working with participating organizations to identify and understand the email-borne threats that are getting through their current defenses, the company stated.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.