Over the years we have seen an escalating number of spear-phishing attacks. Part of the increase may actually be due to increased reporting, however, I suspect that even in the criminal world there is a sense of fashion and easy money is quite fashionable.
The problem with phishing attacks is that technology is not well suited to combat them. Once the attack succeeds, anti-virus can block a malicious program – if the attacker wasn’t sophisticated enough to make sure he knew what AV solution was in use and that he had something it wouldn’t detect. Once an attack has succeeded, intrusion detection systems can help mitigate the damage by alerting IT to suspicious activity. Good network segmentation and access control can help mitigate damages. However, in the case of spear-phishing, sometimes the victim has legitimate access.
If you are going to effectively fight this prevalent form of cybercrime, you are going to have to have an educated workforce. Since most colleges don’t teach social engineering defense skills, it falls on the savvy employer to provide education for their employees.
I have long advocated phishing your own employees. I do not mean you should gather passwords and more, but, rather, collect just enough information to know who the victim is and then help them with education. You can have an email with a link to a website that asks for a username and password. There doesn’t need to be any code behind the field for the password, so that information would not be gathered.
The next step is approaching the employee from a caring and nurturing perspective. The idea is not to humiliate the employee, which can be a tall order for the IT professional who was just asked, “Which is the any key?,” but resist the temptation. You want to let the employee know that not only do you want to help them protect corporate assets, but you want to help them protect their own email, Facebook, and bank accounts as well.
Do not call them stupid. It’s all about fostering education to combat cybercrime. Remember, the enemy is not the uninformed employee, that employee is just a tool that the real enemy uses. Decrease the effectiveness of the tool for the cybercriminal and you have a safer environment.
One final thought: Most people who fell for viruses like Loveletter, or fell for a phishing attack that compromised their email or other accounts, have actually learned and are far more resilient than they were before. If you don’t educate your employees, a cybercriminal will gleefully do so for you – at your expense.