The race to outsmart corporate phishing attacks

Companies are constantly seeking new – and expensive – ways to protect against criminal hackers. But even the most advanced software can't keep unwitting employees from endangering corporate networks.

The onslaught of high-profile breaches over the past year at companies such as JP Morgan, Home Depot, and Sony Pictures forced businesses to spend exponentially more money to protect themselves online.

However, there's one major challenge to companies' cybersecurity besides the criminal hackers targeting them: their employees.

No matter how much money companies spend – or what kind of new and advanced technology they implement – they continue to struggle to prevent employees from falling for scams that could leave the door wide open for bad actors to steal customer information, hold critical company information for ransom, or even destroy files. 

"The weakest link is people not knowing whether data are critical or intellectual property, or understanding what a suspicious e-mail is," says Steve Rocco, global cybersecurity specialist at MSA Safety, a safety equipment provider.

The recently discovered Dyre Wolf campaign – a series of cyberattacks that stole more than $1 million from a handful of companies – puts a bright light on the importance of employee vigilance. 

Dyre Wolf included malware, but its success relied on their ability to perpetrate an old fashioned scam. The malicious software used in Dyre Wolf was delivered to computers through bogus e-mails sent to company employees. When employees opened the e-mails and clicked attachments, they inadvertently installed a program called Dyre onto their computers.

The program then recognized when users visited bank websites. At that point, Dyre delivered an on-screen prompt indicating the bank site was down and that the user should call the bank directly. When the user called the phone number provided, an English-speaking member of the criminal hacking group took the credit card information. 

The scam has been repeated thousands of times, according to the IBM researchers who discovered it. What's more, it's hardly the only cyberattack of its kind that involves tricking unsuspecting users. In fact, according to IBM, some 95 percent of all attacks involve human error.

But so far, even with all the advances in cybersecurity technology, there's no consensus on how companies can best protect themselves against phishing and social engineering campaigns. 

While some security experts say companies must train employees to spot scams and react responsibly, others say only new technologies can protect organizations from the human errors that leave them susceptible to breaches.

Wombat Security Technologies, a company created by a group of phishing researchers at Carnegie Mellon University, is in the first camp. They provide software to companies that focus on training employees to be more aware of their actions and spot which e-mails could be part of a phishing attack, since this kind of attack often targets individuals who are not tech savvy, they say. 

“A lot of social engineering tactics can’t be identified by technology," says Amy Baker, vice president of marketing for Wombat. "This starts with con artists. There is no technology that can prevent that. People need to learn to identify red flags." 

In order to get people to start paying attention to the warning signs, Wombat uses a simple scare tactic: mock attacks.

Simulated attacks convince employees they’ve fallen prey to a phishing attack. After opening a link attached to an e-mail that appears to be from a client or colleague, an employee is confronted with a message saying the company’s sensitive data is at risk. The attacks are meant to shock employees into realizing how vulnerable they really are to social engineering.

“It can be difficult to find a technology that works against every attack. While malware technologies and cyberattack strategies may change and innovate, the basic human errors that leave a company vulnerable are often the same,” Ms. Baker says.

The company boasts a 46 percent reduction in malware infections among clients. 

The reason, says Mr. Rocco, who is also a Wombat Security client, is that "the weakest link [in security] is people not knowing whether data is critical or intellectual property, or understanding what a suspicious e-mail is."

Despite Wombat’s success, however, some experts say it is almost impossible to train people to identify every single phishing e-mail – especially if the e-mail has been crafted specifically to trick that person.

“If you want to attack somebody it is fairly easy to go to LinkedIn, find out who they are connected with, get to know who they know, and then refer to that person. So it’s about getting a bit of information that an outsider wouldn’t have. That can get people to click on things,” says Phil Lieberman of Lieberman software, a cybersecurity company.

Since they know their employees will make mistakes, the savviest companies are building systems that can survive cyberattacks, Mr. Lieberman points out. One example, he says, is to say “anything sensitive needs to go through a proxy that monitors the traffic." 

Yet regardless of which technology a company chooses, Lieberman says he is convinced that training employees is not enough. “Statistics say people make mistakes," he says. "You need to make fundamental changes in the way the company operates.”