In research reported last year in Kaspersky’s Threatpost, Aaron Higbee, the Chief Technology Officer at Intrepidus Group, stated that 70% to 80% of employees are fooled into taking compromising actions when they receive test spearphishing emails.
Spearphishing is a scheme in which targeted emails are sent to individuals to deceive the recipient into taking compromising actions, such as visiting a malicious website, disclosing sensitive information or installing malware. You can see a demonstration of spearphishing at Spearphishing – The Movie.
The Kaspersky posting contains two specific suggestions. First, train your employees to spot and avoid spearphishing emails. Second, use email authentication. At Iconix, we support both of these suggestions. However, it is important to note that neither of these suggestions is a silver bullet.
Training. While it is possible to train people to detect suspicious emails, training relies on three key assumptions:
1. People pay attention to subtle clues about email authenticity.
2. People do not engage in automated responses driven by habit.
3. Spearphishing emails contain clues that betray their nefarious purpose.
The first two assumptions were demonstrated to be problematic by the research of Arun Vishwanath, PhD, “Why Do People Get Phished?” The third assumption fails in the case of the most pernicious emails. The most effective spearphishing messages are carefully crafted and highly targeted by smart bad guys who target their messages using intelligence gleaned from social networking tools. The examples of well-crafted spearphishing emails are too numerous to count. Lt. Col. Greg Conti of West Point summed it up in the New York Times –
Email Authentication. At Iconix we strongly support email authentication. Email authentication is an important step in providing integrity to email. However, email authentication is subject to a number of technical limitations that make it ineffective against technically astute hackers. You can explore the technical limitations of email authentication in our whitepaper, Defending Against Spoofed Domain Spearphishing Attacks.
How can a spearphishing attack be prevented? What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders. At Iconix we identify trusted senders. Our identification system makes it easy for users to distinguish trusted senders from attackers masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.