An employee at payroll service provider Alpha Payroll got fired for falling victim to a phishing scam, as CSO Magazine’s Steve Ragan reported recently.
The full story is in that report, but the brief recap is that after a breach, Alpha Payroll informed the New Hampshire attorney general of the incident and of the actions the company was taking in response, including the fact that the duped employee had been terminated.
This last fact has invited a great deal of comment, the gist of which is that the employee in question was tricked by a sophisticated social engineering attack, one that very commonly succeeds, and that firing someone who is not an IT security specialist for being the victim of a highly effective attack seems both unfair and counterproductive to overall security. Indeed, these attacks can be very convincing. Have a look at a recent, actual spear phishing attack and ask yourself how confident you are that you, too, would not have been fooled.
Of course, we don’t know the full backstory behind this employee and this termination. That is true. However, we do have the opportunity to know whether or not the company in question has taken advantage of established email authentication open standards to protect its employees from this kind of attack.
It is common for spear phishing emails to alter (“spoof”) the address in the From field of the message so that it matches the target organization’s own domain, luring recipients into believing the email came from a co-worker or an executive. That is one form of what we call an impersonation attack. Alpha Payroll’s letter confirms that the attack did indeed include an email spoof: “…the sender represented himself or herself to be the CEO of Alpha Payroll and disguised his or her email address as that of the CEO.”
The letter states that upon learning of the breach, “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”
What Alpha Payroll leadership did not do is implement DMARC authentication. We can tell because any domain’s DMARC status is publicly visible in DNS: the policy is a TXT record at _dmarc.<domain>, and the SPF record is a TXT record at the domain itself. Here are the results as of posting time from our own DMARC viewing tool.
As you can see, the company has implemented neither DMARC nor SPF for alphapayroll.com. Had it published SPF (and ideally DKIM) together with a DMARC policy of p=quarantine or p=reject, a message claiming to come from the CEO’s address at alphapayroll.com but sent from an attacker’s server would have failed authentication, and any receiving system that enforces DMARC would have quarantined it or rejected it outright, so the targeted employee would most likely never have seen the spear phish in the first place. Two caveats a practitioner should keep in mind: a monitoring-only policy (p=none) reports spoofing but blocks nothing, and DMARC only covers exact-domain spoofing of the From header, not lookalike domains or a forged display name in front of an unrelated address.
Had the employee not seen the phish, no W-2s would have been compromised, an embarrassing letter would not have gone to a state’s attorney general, and presumably an employee would still be sitting at a desk.
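To make the mechanism above concrete, here is an added example (not code from the original post or from Valimail) that models how a DMARC-enforcing receiver decides what to do with a message whose From header claims the target’s own domain. The DNS records and domain names it uses are constructed for illustration; they are not the real records of alphapayroll.com or any other domain. It also shows the two caveats: a p=none policy still delivers the spoof, and a domain with no DMARC record at all gets no protection.

```python
"""
Added example: a minimal model of DMARC policy evaluation at a receiving
mail server. All DNS records and domains below are constructed for this
illustration and do not belong to any real organization.
"""
import re

# Constructed DNS TXT records, keyed by the name a receiver would query.
# example-payroll.com publishes SPF plus an enforcing DMARC policy,
# monitor-payroll.com publishes a monitoring-only policy,
# noauth-payroll.com publishes nothing (the situation described in the post).
CONSTRUCTED_DNS = {
    "example-payroll.com": ["v=spf1 include:_spf.example-mailer.net -all"],
    "_dmarc.example-payroll.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-payroll.com; adkim=r; aspf=r"
    ],
    "monitor-payroll.com": ["v=spf1 include:_spf.example-mailer.net -all"],
    "_dmarc.monitor-payroll.com": ["v=DMARC1; p=none; rua=mailto:reports@monitor-payroll.com"],
    "noauth-payroll.com": [],
    "_dmarc.noauth-payroll.com": [],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] when no record exists."""
    return CONSTRUCTED_DNS.get(name.lower(), [])


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Relaxed-alignment approximation: keep the last two labels.
    Real receivers consult the Public Suffix List; this suffices for .com."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(from_header, mail_from_domain, spf_result, dkim_domain, dkim_result):
    """Return what a DMARC-enforcing receiver does with the message:
    'none' (no policy published, normal delivery), 'deliver', 'quarantine' or 'reject'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        return "reject"  # unparseable From header; treat as failing
    from_domain = match.group(1)
    records = [r for r in lookup_txt("_dmarc." + from_domain) if r.lower().startswith("v=dmarc1")]
    if not records:
        return "none"  # no DMARC policy: the receiver has nothing to enforce
    policy = parse_dmarc(records[0])
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC passes when either aligned mechanism passes
    requested = policy.get("p", "none")
    return requested if requested in ("quarantine", "reject") else "deliver"


def spoofed_ceo_mail(target_domain):
    """The spear phish from the post: From claims the CEO at the target's own
    domain, but the message is relayed by an attacker's server, SPF fails
    and there is no DKIM signature."""
    return dmarc_disposition(
        from_header='"Chief Executive" <ceo@%s>' % target_domain,
        mail_from_domain="attacker-mailer.example",
        spf_result="fail",
        dkim_domain=None,
        dkim_result="none",
    )


if __name__ == "__main__":
    for domain in ("example-payroll.com", "monitor-payroll.com", "noauth-payroll.com"):
        print(domain, "->", spoofed_ceo_mail(domain))
```

The only domain that stops the spoof is the one with p=reject; the p=none domain merely reports it, and the domain with no record gives the receiver nothing to act on. A legitimate message from the domain’s own mail server (SPF pass with an aligned MAIL FROM, or an aligned DKIM signature) is delivered under all three.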
Why wouldn’t companies like Alpha Payroll implement DMARC? Common explanations include:
- They are not aware of it.
- They don’t realize the power of DMARC against this kind of impersonation attack.
- It’s hard to get email authentication right.
- Too much faith is placed in employee education as a response.
We saw an interesting example of the last point when the FTC recently issued a bulletin with elaborate instructions for trying to spot fraudulent emails, such as “…when you hover your cursor over the link, does it really go to a trusted website?”
Bulletins, employee training sessions, and firing victims of phishing attacks are sure to be ineffective defenses against attacks that show no visible difference from the genuine communications they mimic, as indicated by this recent McAfee study.
Instead, companies need to prioritize the implementation of DMARC to catch these messages before they arrive in the targets’ inboxes. And if DMARC is outside the company’s internal expertise, they don’t need to worry. Companies like Valimail are here to help.