A Better Way to Respond to Phishing Attacks
An employee at payroll service provider Alpha Payroll got fired for falling victim to a phishing scam, as CSO Magazine’s Steve Ragan reported recently.
You can read the full story at the above link, but the brief recap is that, following a breach, Alpha Payroll informed the New Hampshire attorney general of the breach and of the actions the company was taking in response, including that the duped employee had been terminated.
This last fact has invited a great deal of comment, the gist of which is that the employee in question was tricked by a sophisticated social engineering attack, one that very commonly is successful, and that firing someone who is not an IT security specialist for being the victim of a highly effective computer attack seems both unfair and counterproductive to overall security. Indeed, these attacks can be very convincing. Have a look at a recent, actual spear phishing attack and ask yourself what level of confidence you have that you, too, would not have been fooled.
Of course, we don’t know the full backstory behind this employee and this termination. However, we can know whether or not the company in question had taken advantage of established, open email authentication standards to protect its employees from this kind of attack.
It is common for spear phishing emails to alter (“spoof”) the email address in the From field of the message, making it match the domain name of the target in order to lure recipients into believing that the email originated from a co-worker. That is one form of what we call an impersonation attack. Alpha Payroll’s letter confirms that the attack did indeed include an email spoof, “…the sender represented himself or herself to be the CEO of Alpha Payroll and disguised his or her email address as that of the CEO.”
The letter states that upon learning of the breach, “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”
What Alpha Payroll leadership did not do is implement DMARC authentication. We can tell because any domain’s DMARC status is publicly visible in DNS: it is a TXT record at `_dmarc.<domain>`, and its `p=` tag says whether mail that fails authentication is delivered anyway (p=none), quarantined, or rejected. Here are the results as of posting time from our own DMARC viewing tool.
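As an added illustration (not Alpha Payroll’s letter or the article’s own viewing tool), the following Python parses a domain’s `_dmarc` TXT record and reports how a receiver will treat mail that fails DMARC for that domain. The domain names and records are constructed samples; a live record is fetched with `dig +short TXT _dmarc.<domain>`.

```python
"""Parse a DMARC TXT record and summarise what it means for spoofed From addresses."""
from typing import Optional

# Constructed sample records keyed by made-up domain names (not real lookups).
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "unprotected.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(record: Optional[str]) -> dict:
    """Split 'tag=value; tag=value' into a dict; return {} for a missing or invalid record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must begin with v=DMARC1; anything else (e.g. an SPF record) is not DMARC.
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    # RFC 7489 6.6.3: a record lacking a valid p= tag but carrying rua= is treated as p=none.
    if "p" not in tags:
        if "rua" not in tags:
            return {}
        tags["p"] = "none"
    return tags


def spoof_protection(record: Optional[str]) -> str:
    """Classify how receivers handle mail that fails DMARC for the domain owning this record."""
    tags = parse_dmarc(record)
    if not tags:
        return "none: no valid DMARC record, spoofed From addresses are not flagged"
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return "monitoring only: failures are reported via rua but still delivered"
    if pct < 100:
        return f"partial: p={policy} applied to {pct}% of failing mail"
    return f"enforced: p={policy} applied to all failing mail"


def report(records=SAMPLE_RECORDS) -> dict:
    """Verdict per domain, e.g. what a DMARC viewing tool would display."""
    return {domain: spoof_protection(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in report().items():
        print(f"{domain:22} {verdict}")
```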