Blaming the Phishing Victim: Part 3
We recently wrote about employees who lost their jobs after being tricked by spear phishing attacks, including breached payroll provider Alpha Payroll and Austrian manufacturer FACC, which fired both its CEO and head of finance in response to a business email compromise.
Many people expressed the opinion that Alpha Payroll’s response was extreme and misdirected, and we weighed in to point out that this enterprise could instead have kept the phishing email out of inboxes in the first place had it published email authentication records (SPF, DKIM and a DMARC policy of reject) for its domain names. A DMARC reject policy tells receiving mail servers to drop messages that forge a protected domain in the From address, which is exactly the kind of message these spear phishes rely on.
This incident is reminiscent of a statement made by the Department of Homeland Security’s chief security officer Paul Beckman back in September of 2015. Beckman made the news when he publicly stated that federal employees who fell victim to phishing attacks should lose their security clearances. Beckman acknowledged that phishers can craft emails indistinguishable from real communication, stating, “They could probably craft [an] email that even I would be susceptible to.”
So before yanking security clearances (thereby losing good employees and presumably severely limiting the job prospects of those whose clearances were yanked), will the DHS take basic measures to prevent these mails from hitting inboxes in the first place? Let’s see what the DNS has to say.
The upshot: Despite identifying phishing attacks as an important vulnerability and contemplating cutting heads, in the intervening eight months the department hasn’t published a DMARC record for its domain, the one control that would let receiving servers reject mail forging its own addresses. DMARC does nothing about lookalike domains or compromised mailboxes, but it shuts down the most direct form of impersonation, and it costs a single DNS TXT record.
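What “let’s see what the DNS has to say” boils down to is fetching the TXT record at `_dmarc.<domain>` and reading its policy. The script below is an added example for this post, not code from the original article or from DHS; the DMARC records in it are constructed for illustration and are not the real records of any domain. It goes a little beyond the single check in the text: it also handles the `pct` and `sp` tags and the case of several records, which RFC 7489 says receivers must ignore.

```python
"""Read DMARC records the way a receiving mail server does and report
whether a forged From address would be rejected.

Example code added for this article. SAMPLE_RECORDS below are constructed
for illustration; they are not any real organization's DNS data.
"""

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into an ordered list of (tag, value).

    Returns [] when the string is not a DMARC record: RFC 7489 section 6.4
    requires 'v=DMARC1' to be the first tag and to match exactly.
    """
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return []
    return pairs


def assess(txt_records):
    """Given the TXT strings returned for _dmarc.<domain> (an empty list means
    nothing is published), say what a receiver does with mail that forges
    the domain in its From header.
    """
    parsed = [p for p in (parse_dmarc(r) for r in txt_records) if p]
    if not parsed:
        # No record at all: receivers have no policy to apply, spoofed mail is delivered.
        return {"status": "no-dmarc", "policy": None, "subdomain_policy": None,
                "pct": None, "blocks_spoofing": False}
    if len(parsed) > 1:
        # RFC 7489 section 6.6.3: more than one DMARC record, receivers ignore them all.
        return {"status": "invalid-multiple", "policy": None, "subdomain_policy": None,
                "pct": None, "blocks_spoofing": False}
    tags = dict(parsed[0])
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        # 'p' is required; without a valid value the record is unusable.
        return {"status": "invalid-policy", "policy": policy or None,
                "subdomain_policy": None, "pct": None, "blocks_spoofing": False}
    # 'sp' (subdomain policy) defaults to 'p'; 'pct' defaults to 100.
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    # Only quarantine/reject applied to 100% of failing mail actually stops spoofing;
    # p=none is monitoring only, and pct<100 lets the remainder through.
    blocks = policy in ("quarantine", "reject") and pct == 100
    return {"status": "ok", "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "blocks_spoofing": blocks}


def lookup_dmarc_txt(domain):
    """Fetch the TXT strings at _dmarc.<domain>. Needs the third-party
    dnspython package (pip install dnspython); imported here so the offline
    parts of this file run without it."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve("_dmarc." + domain, "TXT")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    return [b"".join(rdata.strings).decode("utf-8", "replace") for rdata in answer]


# Constructed sample records (not real DNS data), one per situation we care about.
SAMPLE_RECORDS = {
    "nothing published": [],
    "monitor only": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "partial rollout": ["v=DMARC1; p=quarantine; pct=25"],
    "enforced": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"],
    "two records": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check of a domain named on the command line, e.g. python dmarc_check.py example.com
        print(sys.argv[1], assess(lookup_dmarc_txt(sys.argv[1])))
    else:
        for label, records in SAMPLE_RECORDS.items():
            print("%-18s %s" % (label, assess(records)))
```

Run it with no arguments to see the verdict for each constructed record, or with a domain name to query the live `_dmarc` record. The number to look at is `blocks_spoofing`: a domain with no record, with `p=none`, or with `pct` below 100 is still letting forged mail reach inboxes.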
Maybe that’s the first step to take.