Did you know that the average large company loses $3.7 million every single year to phishing attacks? When an email attack reaches an employee’s inbox, the last thing an organization wants is the employee wondering whether to open it or ignore it while the attacker moves on to the next target.
But what if employees could know for certain if a suspicious email was malicious? What if they had immediate, on-demand threat analysis to tell them “Yes, this email is safe to open” or “No, this email is malicious and has been removed from your inbox?” That’s game changing.
Phishing attacks account for 91 percent of successful data breaches and are the No. 1 delivery vehicle for ransomware and other malware, per Verizon. Current phishing techniques have grown so sophisticated and convincing that even the savviest corporate email user can be fooled. In fact, one in 14 users is tricked into following a link or opening an attachment, and nearly 30 percent of phishing emails are opened by targeted recipients.
Back in October, cybersecurity firm EdgeWave launched new technology that applies machine learning plus human analysis to take the guesswork out of suspicious emails. EdgeWave ThreatTest is the only service to use a hybrid approach to provide the end user with real-time analysis of suspicious emails: with a single click, it identifies hard-to-detect phishing campaigns that machine-based systems have let through. EdgeWave CEO Lou Ryan sat down with Inside Counsel to discuss why the average large company loses $3.7 million every year to phishing attacks.
These days, companies can suffer big financial losses from a phishing attack because employees are tricked into interacting with malicious emails. The losses take several forms: an employee with access to company bank accounts is tricked into wiring money to a cybercriminal; the cost of data breach remediation after an employee is tricked into opening an email attachment or visiting a malicious website; or regulatory fines associated with the data breach once it is made public.
“When an employee forwards an email to IT for review, that requires IT resources to investigate and determine if the message is malicious or not,” he explained. “In most cases, IT staff are already overwhelmed with other duties and they don’t always have quick access to threat intelligence data needed to check the validity of the message and reply to the employee.”
Employees can be trained on what phishing attacks are and given tips for spotting suspicious emails, but this is only as good as the knowledge they retain and their level of awareness when interacting with their email. Because most employees aren’t working in cybersecurity, aren’t subject-matter experts and don’t have tools at their disposal to validate suspicious emails, there isn’t a sure way for them to know whether a suspicious email is malicious.
Hackers use spoofing techniques to mask the real intent of the email so that attachments appear legitimate, web URLs appear safe, and so on. Most employees therefore can’t analyze this information well enough to make an informed decision. Simply deleting the email is one form of remediation that stops a phishing attack. Some companies even require employees to forward suspicious emails to IT, but this doesn’t remove the message from the network, and it increases the chance that someone else will take the bait and click on it.
“If employees could self-report suspicious emails to a cybersecurity subject-matter expert and get instant review and response, this would eliminate the uncertainty and any wait time and thus improve productivity,” said Ryan. “Auto removal of the suspicious email from their inbox would minimize the phishing dwell time in the organization’s network and minimize the chances that the email would be sent to others. Having a way to self-report would also encourage security awareness and reinforce any organizational policies already in place for training.”
For example, spear phishing campaigns are highly targeted and made to appear legitimate to the end user based on the email subject and how it relates to their role. These attacks are sophisticated with careful planning done even before emails are sent to their potential victims and even the savviest business email users can be tricked through social engineering, responding because they think they know the email sender and the request is directly related to the job duties they perform.
Today, employees are tricked via social engineering techniques and, when not fully trained, can be an organization’s weakest link in protecting sensitive data from a data breach. A hacker targets a company and uses social networks and other data to find employees with access to company data and systems. Following the social trail, they identify other people the employee knows and develop their plan of attack. The hacker then sets up a fake but recognizable email address, created to impersonate a colleague or boss, and sends a personalized email to the targeted employee from that address with a link or attachment.
According to Ryan, when the email arrives in the employee’s inbox, the employee opens it because they “know” the sender and clicks the link or opens the attachment, which is exactly what the email text tells them to do. The link opens a malicious or fake website that enables credentials to be stolen or malware to be installed. The attachment causes malware to infect the endpoint and opens a backdoor. This embedded exploit alters the endpoint, which then calls back to a command and control server; additional, encrypted malware or updates are installed, and further callbacks follow, leading to data exfiltration.
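The impersonation described above (a recognizable display name on an address that is not the colleague’s, often on a look-alike domain) is something a mail gateway or an IT reviewer can check mechanically from the headers alone. The following is an added example, not EdgeWave’s code or part of the article; the internal domain, the staff directory and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the example: the organization's real domain and a
# small extract of its staff directory (display name -> real address).
INTERNAL_DOMAIN = "example.com"
KNOWN_STAFF = {"Dana Cruz": "dana.cruz@example.com"}

# Constructed sample: a message that impersonates a known executive from a
# look-alike domain (the "l" in "example" replaced by the digit "1").
SUSPICIOUS = b"""From: Dana Cruz <dana.cruz@examp1e.com>
Reply-To: dana.cruz@examp1e-mail.net
To: pat.lee@example.com
Subject: Urgent wire transfer before 5pm

Pat, please process the attached invoice today. - Dana
"""

# Constructed sample: the same sender, genuinely from the internal domain.
LEGITIMATE = b"""From: Dana Cruz <dana.cruz@example.com>
To: pat.lee@example.com
Subject: Lunch on Thursday?

Are you free this week? - Dana
"""

def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw_bytes):
    """Return a list of header-level impersonation findings (empty if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display name belongs to a known employee but the address is not theirs.
    if name in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name].lower():
        findings.append("display name matches a known employee, address does not")
    # Sender domain is external but only a character or two from ours.
    if domain != INTERNAL_DOMAIN and 0 < levenshtein(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a look-alike of {INTERNAL_DOMAIN}")
    # Replies would be routed to a different domain than the one shown in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings
```

Running `analyze` over the two samples flags the first on all three checks and returns nothing for the second; in practice the directory lookup would come from the organization’s address book rather than an inline dictionary.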
“The hacker has created a backdoor to steal sensitive company or customer information, resulting in a successful data breach and can sit in an organization’s network monitoring and listening for some time, unless/until it’s discovered and stopped,” he said.
To prevent this, Ryan advises continual employee training to increase the odds that an organization can contain a possible data breach through shared responsibility and heightened awareness. Beyond training, however, empowering end users with tools to report suspicious emails directly from the inbox provides real-world investigation, response and remediation.
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.