Tonia Dudley, Director at Cofense: it might not be you the threat actors are after
You wake up to an email from a Nigerian princess telling you a fascinating story of her money being trapped back home. She urgently needs your banking credentials so she can use you - a kind stranger - as a middleman to get her funds back. In return, you will get as much as 20% of the sum, amounting to millions of dollars. Sounds too good to be true? This is a popular phishing technique - and it's not the only one that hundreds of thousands of people in the US alone fall victim to each year.
Phishing remains a prevalent threat even for the most skeptical and IT-knowledgeable people. However, it could surprise you that it's not you the threat actors might be after, but rather the company you work for. We reached out to Tonia Dudley, Director and Security Solution Advisor at Cofense, to discuss the latest phishing trends, best cybersecurity tactics, and Cofense's strategies for protecting email users.
What benefits does your Phishing Detection and Response platform bring to email users?
As phishing attacks continue to become more sophisticated and persistent, adapt to legacy security defenses, and bypass secure email gateways (SEGs), demand for end-to-end phishing defense solutions is at an all-time high. The Cofense Phishing Detection and Response (PDR) Platform provides a comprehensive approach to stopping phishing attacks through global crowd-sourced phishing intelligence from 30 million people combined with advanced automation.
Those human reporters use the Cofense Reporter button to report suspicious emails and notify security teams in real time, with just one click. Users flag potential threats, and the original email and other valuable information are sent directly to an organization’s SOC, where they are quickly analyzed and the attack stopped. Instant feedback reinforces user training, strengthening the front line of defense. This data contributes to our proprietary, global collection sources that provide an extensive real-time view into threat campaigns observed in the wild, which delivers high-fidelity, phishing-specific alerts and intelligence to our customers, providing accurate and timely assessments of both the current phishing threat landscape and emerging trends.
Cofense’s PDR platform is designed to be deployed as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the savviness of attackers through a combination of people and automated technology to quickly reduce and remove the risk. With Microsoft’s security controls plus Cofense, organizations have a complete email security solution.
Give us a small insight into your Phishing Awareness Training: what are some types of phishing and how do malicious actors even get access to user email addresses?
A phishing awareness and education program not only helps to stop attacks but supplies vital threat intelligence to security teams. The vast majority of data breaches against businesses today begin as phishing attacks or other forms of “social engineering,” a fancy term for manipulating unwitting victims. It’s the work of scam artists, part of an arsenal that includes counterfeit, forgery, and lies of all kinds. Phishing attackers play on human emotions like fear and urgency, so victims will take action before they stop and think—clicking a link to activate malware, filling out a login form with username and password, or greenlighting the transfer of funds to a bogus account.
Cofense PhishMe is part of our PDR platform and allows companies to easily and efficiently run phishing simulations and manage their security awareness program. Carefully crafted simulations are based on real – not theoretical – phish to immerse users in the experience of being phished from end to end, improving an organization’s resiliency to attacks.
Sometimes, a phishing attack is simply an email with an embedded link. When you click, you either unknowingly activate malware or are directed to a webpage that looks perfectly legitimate but is designed to harvest your information. Phishing attackers often send emails with attachments containing malware. When you click, watch out. Many times phishing attackers use popular document types such as Microsoft Word or Excel or even Adobe PDFs. They take advantage of the trust people place in popular business tools. A BEC phishing attack is good old-fashioned fraud. BEC emails typically don’t use malware but simply try to manipulate the target into sending money. Traditionally, BEC phishing attacks try to get employees in the finance department to authorize wire transfers, for instance, to a “vendor” or “partner.” The phishing attackers might pretend to be the CEO or CFO to spur quick action.
What are the main dangers of phishing?
Phishing attackers strike with emails because it’s easy and effective. Email addresses are easy to get and, when you think about it, emails are basically free to send. With minimal effort, phishing attackers can gain access to valuable data. According to our Phishing Defense Center, 90% of data breaches start as phishing attacks and they cost an average of $1.6 million for mid-sized businesses. In fact, the 5-year cost of BEC alone is $12 billion. Additionally, phishing attacks are dangerous because they can come in all shapes and sizes, from URL links to malicious attachments to fake log-in pages. The most dangerous part of phishing attacks is how easy they are for an attacker to launch. With emails being many people’s main form of business communication, hackers can gain access to valuable data and victims can find themselves dealing with malware infections, identity theft, and data loss.
How can one easily identify phishing?
Attackers may use social engineering techniques to make their email look genuine, so it is especially important for people to triple-check the small details of a request to click on a link, open an attachment, or provide other sensitive information such as login credentials. There are many ways to spot a phishing email: bad grammar and spelling mistakes, a demand for action, an unfamiliar greeting, suspicious attachments, inconsistencies in email addresses, links, and domain names, requests for your login credentials or sensitive data… and of course, emails that look too good to be true are probably phish. Those emails incentivize a recipient to click on a link by claiming there might be a reward of some nature.
Run us through some of the current/most prominent phishing threats.
Phishing is constantly evolving, so it’s important to be aware of the latest trends in phishing attacks. If we learned anything from 2020, it’s that threat actors’ ability to quickly adjust their methods to world events can be lightning fast. Threat actors improved their methods and adapted to world events, bringing new trends to the phishing threat landscape in 2021. In the millions of emails our Cofense Phishing Defense Center (PDC) analyzed in 2020, we determined:
- 57% were credential phish
- 12% delivered malware
- 6% were business email compromise or CEO fraud
- 45% of the credential phish were Microsoft-themed
- 17% were finance-themed
- Of the 255,000 malicious emails, they found nearly 100 unique malware families
COVID-19 was certainly the source of the most disruption in 2020. During the peak of pandemic-themed campaigns, phishing emails predominantly delivered credential phishing and the Agent Tesla keylogger, but threat actors also delivered ransomware, keyloggers, remote access Trojans, and information stealers.
Has the pandemic altered the way you approach combating phishing?
At the end of the day, our message has remained the same: no matter the subject matter or theme of the attack, people need to be trained, with reinforcement, to spot phishing attacks. Whenever there is a major disaster, phishing emails follow because attackers like to play on human emotions like fear and urgency. These emails spread as fast as COVID-19 itself. Cofense saw a stark increase in phishing email campaigns relating to the COVID-19 pandemic that spoof trusted health services to deliver credential phishing or malware. Credential phishing makes up the majority of the campaigns analyzed, with the minority ranging from simple to complex delivery chains and malware samples. With some companies quickly adopting work-from-home (WFH) policies, threat actors are poised to take advantage of the newly created security gaps by playing on pandemic fears.
What are some of the new anti-phishing tools you have implemented?
We recently acquired Cyberfish, a provider of next-generation phishing protection powered by Computer Vision and advanced Machine Learning (ML) technology. Computer Vision is a field of artificial intelligence that simulates how humans see. Last year alone, our Computer Vision technology scanned more than 180 million emails and more than 545 million URLs, offering real-time threat intelligence on what had bypassed secure email gateways (SEGs) and neutralizing those threats. To support managed service providers (MSPs) tasked with protecting small and medium businesses (SMBs) against phishing attacks, we have launched Cofense Protect MSP, which pairs Computer Vision with Cofense PhishMe’s real-world simulation training.
Are there any specific personal cyber hygiene rules people need to follow to avoid phishing?
Threat actors with corporate targets in sight sometimes go after individuals first. The personal accounts we use as consumers are known to be the “soft underbelly” to threat actors who seek to gain a foothold in organizations. Organizations should make sure their staff is well-trained to identify phishing emails, which can help thwart targeted attacks on their personal emails. In turn, these employees will also report any phishing emails received in their company inbox to their security team. Training users to protect their credentials and ensuring they are logging into legitimate sites is also crucial.
Share some of your upcoming plans with us!
With the recent acquisition of Cyberfish, we are leveraging Computer Vision to eliminate the need for legacy email security solutions and stand-alone security awareness offerings. We have our sights set on totally disrupting the email security market.