Why Training on Its Own Doesn’t Work as a Spear Phishing Defense
A recent IT World Canada article discusses a presentation from June’s SC Congress security forum in Toronto. This presentation by security leaders from two large Canadian banks, RBC and CIBC, covered the topic of training end users to avoid phishing attacks. It’s clear from reported statements that these security professionals are pessimistic about employee training as the primary method of guarding against spear phishing.
The article states of CIBC director of cyber security Jeff Stark,
User awareness training doesn’t work, he added — in fact he thinks it should be abandoned…
RBC’s director of data protection, security consulting, and application security Manish Khera expressed a similar viewpoint:
RBC does monthly phishing tests and awareness training, Khera said, and tracks click response with some success. But he suggested some people are hopeless — he gives up on those who click on bad test email six times or more.
The article goes on to discuss some nuances of training including the amount of time it takes for training to sink in, the different challenges for large and small organizations, and the potential efficacy of public shaming. But it misses a critically important point in this whole discussion, which is:
There is no detectable difference between a BEC-oriented spear phishing attack and a real, legitimate business communication.
A spear phishing attack spoofs the identity of a real figure inside the enterprise under attack, typically someone higher in the organizational food chain than the attack target and oftentimes a C-level employee, including the CEO or CFO. The attack requests behavior that the targeted individual is capable of doing and that is an accepted part of that target’s job. And the requested behavior would be perfectly appropriate to come from the spoofed executive.
Apart from the unfortunate fact that the message is not real, a spear phishing attack matches acceptable behavior in every way.
Let’s take an example. One staple of BEC (business email compromise) is the wire transfer scam. In this scenario an email thread pretending to be from a high-ranking employee such as the CEO requests an urgent wire transfer to provided account details. These attacks work routinely (this blog recently wrote about a CEO and CFO pair who recently lost their jobs after giving more than $50 million in one of these BEC attacks). And for good reason.
Companies wire money. Businesses abound with valid reasons for doing so, and it would be mighty hard to be in business without wire transfers. CFOs authorize and see to these transfers, and CEOs decide to spend the money that causes the transfers to happen. These are all legitimate business processes and are legitimate things for CEOs to ask CFOs to do.
Another spear phishing staple is the W2 breach, in which a well-meaning HR employee shares W2 data or other PII with what appears to be a trusted internal employee, such as the CEO, CFO, or VP of HR. Again, it’s legitimate for businesses to have this information and for the ostensible requesters of the information to need it. The sole trouble, once again, is that the requester is not real and the email leaves the company and winds up in the hands of an identity thief.
Now, perhaps with enough process and internal checks these attacks can be stopped more often. But this idea that somehow we’re going to train our employees to spot one of these identity attacks without additional outside help is not viable.
The incoming email:
- Has the exact appearance of a real communication from a real employee
- Asks for behavior that matches the target’s job description
- Makes a request within the authority of the apparent requester
We all get those emails every day. They are called business communication. If CISOs actually were successful in training employees not to respond to these spear phishing messages, it would be by training them not to respond to email. And I don’t think the rest of the business would accept that.
But if we knock out the ability to spoof an internal email address, we just took a huge bite out of the phisher’s tool kit. Now the spear phishing mails have to come from some other address, such as a cousin domain or a fake personal address or even something entirely different.
It may be that the target would still fall for that, but now there is a huge clue available to distinguish the real from the fake. Now training actually stands a chance. Even if employees don’t notice on their own that something is wrong with this mail, the company can train them to ensure that email addresses are real before sharing sensitive information or taking other sorts of action.
And that’s an employee training strategy that can work.
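One way to automate the "is this address real" check described above, as an added example that is not from the original post. It assumes spoofed internal addresses are already rejected before delivery; the domain `example.com`, the executive names and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"               # assumed company domain
EXECUTIVES = {"pat lee", "sam rivera"}   # assumed executive display names

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Label the sender of a message by comparing its address to ORG_DOMAIN."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    # Exact domain or a subdomain of it: a genuine internal address.
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "internal"
    # Cousin domain: a spelling within two edits of the real one, or the
    # company name reused as a label in some other domain.
    org_label = ORG_DOMAIN.split(".")[0]
    labels = domain.replace("-", ".").split(".")
    if edit_distance(domain, ORG_DOMAIN) <= 2 or org_label in labels:
        return "cousin-domain"
    # Fake personal address: an executive's name on an unrelated domain.
    if name.strip().lower() in EXECUTIVES:
        return "executive-name-external-address"
    return "external"

# Constructed sample From headers, not taken from any real incident.
SAMPLES = [
    "Pat Lee <pat.lee@example.com>",
    "Pat Lee <pat.lee@examp1e.com>",
    "Pat Lee <pat.lee@example-payments.com>",
    "Pat Lee <patlee.ceo@gmail.com>",
    "Billing <ar@vendor.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):34} {header}")
```

A mail gateway could use the two middle labels to add a warning banner, giving employees the visible clue that training can then build on.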