Email fraud is a huge problem. Phishing attempts are getting more sophisticated, and the likelihood of problems has increased steadily over the past 5 years.(1) One of the industry tactics for solving this issue has been to look at the human engineering side of the problem. Of course we can implement email filtering tools, but they only seem to go so far, and it is an arms race between the good guys and the bad guys. Human training, however, can provide immense value in stopping the problem. A successfully orchestrated training program at your organization includes a fake phishing campaign that tries to bait users into providing credentials. Users that fall for the trap are posted on a wall of shame, or quietly reminded how to spot a scam or fraud attempt.
A common response to our recommendation on implementing a phishing campaign is “no thank you, I just want to solve this with a technical solution”. Don’t we all. There’s good reason we hear this response and it’s due to the respondent’s position in the organization. If you are a CIO or CTO, you are an “officer” and you are able to adjudicate a decision that involves mass communication to staff and re-prioritization of staff responsibilities. If you control and are responsible for the technology of an organization, you are an administrator and although you have expert control of the complex software and hardware components, it’s simply too daunting and risky to look at the people problem.
If your reaction to a phishing campaign is “no thank you”, it’s important that someone within your organization is made aware of the gap between what technology can do and the phishing problem. It’s the same issue administrators and engineers have with aging hardware. When we have hardware that cannot be updated anymore because it’s too old and needs to be replaced, we may need to scream loudly and let others outside of IT know that we can’t solve the problem with a software checkbox.
Sometimes, administrators, technicians, and engineers are faced with solving problems using only technical solutions. In the case of phishing, there are many “checkboxes” we can apply that do help, but you’ll really need an army. The technology solution to the problem involves using modern two-factor authentication, multiple email filtering tools from multiple vendors, network stateful inspection, endpoint security, a lot of whitelisting (not blacklisting), layer 7 control, and a fine-tuned web guidance tool. Each one of these items needs to be monitored and tracked DAILY.
Source: (1) WSJ https://www.wsj.com/articles/email-scammers-are-savvier-and-more-successful-than-ever-11582808400
Scott Morabito is a technologist and founder of TechTonic. He was trained as a computer scientist and resides in Concord MA.