Banks Fight Phishing with … Phishing?

Phishing is old news — which is part of why it's so dangerous today.

Many bank employees learned long ago what a phishing email is and how to look out for one. But the threat has evolved, leading some banks to worry about whether their users have grown too confident in their years-old training to face today's attacks.

In recent years, phishers have refined their strategies to make their emails more targeted — and thus, more convincing. Several high-profile data breaches have been attributed to a targeted phishing email opened by someone within the victimized organization.

Banks are consequently taking more interest in using simulated phishing attacks to test their resistance to the real ones, according to the vendors that offer such services. This new interest stems from the realization that phishers might be overcoming traditional defenses.

"It's a constant cat-and-mouse game … [and] accepting the cat-and-mouse game is really an important part for IT organizations," says Aaron Higbee, the chief technology officer and co-founder of PhishMe Inc.

Many bank employees rely on their technology departments to screen emails for either plain phishing attacks or those that use attached viruses. To fight this, phishers have begun to use Google Docs, a cloud-based document-sharing system from Google Inc.

Instead of sending an infected file to a user, a phisher would send a link to a Google Doc file, Higbee says. Such an email might slip by a filter that is looking primarily for attached files.

One of the biggest threats today is spear-phishing, Higbee and other experts say. Spear phishing is not new, but it is growing in prominence and in sophistication.

Such attacks are designed to be more convincing to a narrow group of users, such as employees of a specific company. PhishMe, a Chantilly, Va., unit of Intrepidus Group, sends simulated spear-phishing emails to its clients' employees to determine which employees are susceptible to such attacks.

"They are individually phished, with [follow-up] training on what spear phishing is," Higbee says. Those that fall for the phishing-trickery are immediately instructed on how to avoid such scams in the future.

Wombat Security Technologies of Pittsburgh, Pa., takes a similar approach to phishing education.

The moment that a user falls for a simulated phishing attack is "a teachable moment," says Ralph Massaro, Wombat's vice president of sales and operations. "People have been humbled."

Banks are taking a greater interest in the services that companies like Wombat and PhishMe offer because they realize that their email filters and education are being overcome, Massaro says.

Both companies have been operating since 2008 and both work with banks. Neither would name their clients.

Spear-phishing is becoming more devious because of the recent surge in social-media use, Massaro says. For example, if an employee posts a message on Twitter about attending a conference, phishers might then impersonate the conference's organizer. If the employee was already expecting emails from the conference staff, he or she would be less likely to suspect that one of those emails is malicious.

Spear phishing is "not really new, but there's just more and more of it going on … it's just getting easier to spear-phish" because of social media use, says Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc.

And even conventional phishing attacks remain a threat, she says, since anti-malware tools generally cannot respond to every threat as it is developed. Anti-virus tools typically have to wait for new virus signatures before they can properly block those viruses, she says.

Educational services from companies like PhishMe and Wombat are useful tools in fighting the fraudsters, Litan says, but no bank should count on them exclusively.

"It's helpful to be more aware … [but] if that's what you're relying on, God help you," she says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER