As phishing attacks continue unabated, vendors and banks alike are scrambling to find better solutions.
In a warning issued this week, the FBI said it’s seen a 270% increase in identified victims and exposed losses due to business email compromise since January 2015. Business email compromise or “CEO fraud” phishing targets businesses that frequently perform wire transfers. Perpetrators compromise email accounts through social engineering, for instance by sending an email to the CEO that appears to be from his CFO, urgently asking for a wire transfer or for sensitive information. From October 2013 through February 2016, the FBI received reports from 17,642 victims, amounting to more than $2.3 billion in losses. The overwhelming majority of victims are located in the United States.
And 73% of corporate finance and treasury executives surveyed by the Association for Financial Professionals reported that their companies experienced attempted or actual payments fraud in 2015. That’s up from 62% in 2014.
While the association's membership spans many industries, payments fraud usually hurts banks along with their customers. So what to do? The options for fighting phishing – generally, fake emails containing malware, malicious links and/or instructions tricking the recipient into complicit behavior – include email verification; email filters; user education and training; and the cordoning off or “sandboxing” of suspect emails.
Verifying the Sender
An email authentication standard called DMARC is being adopted slowly in financial services – 19% of banks use it, according to a study conducted by Return Path, an email security software provider. Bank of America was the first bank to deploy it in 2012 and is a founding member of the DMARC coalition.
The DMARC protocol provides a set of checks that verify an email truly came from the domain in its address (e.g. that email@example.com really came from Chase). Emails that don’t check out can be monitored, quarantined or rejected outright, so they don’t hit anyone’s inbox. DMARC can’t protect against emails that use slightly off addresses (for instance, firstname.lastname@example.org).
“DMARC is your first, most important step in trying to secure the email channel,” said Steven Jones, executive director of DMARC.org. “If you look at the number of ways you can craft a misleading or fraudulent message, the variety is staggering. But that’s not a reason to throw your hands up and walk away. You have to start with the things that are possible, practical and effective today, which includes securing your domain with DMARC.”
PayPal is another DMARC member and user. The technology reduced phishing attacks against it to 30% of those against all payments systems in 2014, an improvement of 14 percentage points in 2013, the company said, citing a Kaspersky Lab report.
Why don’t more banks use DMARC? In its report, Return Path posited that IT complexity is an obstacle.
“This industry’s legacy IT systems tend to be more complex compared to newer industries like social media companies,” the report stated. “Their email ecosystems tend to be more complex, too. … Banks also have lower tolerance than others for the risks that system-wide changes represent, making DMARC adoption more challenging for their security and IT teams.”
Jones suggested banks tend to have a lot of constituents who have to be convinced that something is the right way to go and become willing to spend on it.
“People look at email as a solved problem,” Jones said. “It’s something people are so used to for the past 30 years.” But heavy losses are getting banks more interested, he said.
Implementing DMARC usually means using anti-phishing software programs with the protocol built in. Agari, Return Path, Dell, Cisco and Proofpoint are among vendors that support the standard. Banks can also create their own filters using open source code.
Agari this week launched Agari Enterprise Protect specifically to stop spear phishing attacks. It builds behavioral “trust models” based on the identity of the email sender.
“Every legitimate sender of email has a unique behavioral pattern, a fingerprint of their legitimate email,” said Vidur Apparao, Agari's chief technology officer. “If the message comes in trying to spoof a domain, even if it uses a cloud service, it has to match the pattern of a legitimate sender. That’s very hard or impossible for a criminal to do.”
Agari has found that 85% of phishing attacks come from public cloud services like GoDaddy and Rackspace’s Mailgun. “Criminals were able to find loopholes or open policies that let them send emails from the servers of GoDaddy and Mailgun that knew the exact email address of the party they were spoofing,” said Apparao. Some use popular email cloud services like Gmail and Yahoo – there’s camouflage here because no one can blacklist all Gmail or Yahoo addresses. There are too many of them.
Analyzing Messages for Signs of Trouble
Markus Jakobsson, former principal scientist of consumer security at PayPal, has formed a new company called ZapFraud. Its software analyzes not only the source of the email but also its content, looking for red flags like an urgent request for W-2s.
“If the content of an email says, ‘I need W-2s,’ that’s a huge sign of trouble,” Jakobsson said. “'I need a wire transfer this afternoon, can you take care of that,’ is another. We’re reducing everything to conceptual components, reading and looking for potential evil.”
For such software to work, it would have to be very adaptable. “We’ve seen instances where criminals spend a lot of time getting to know the business,” said Al Pascual, research director at Javelin Strategy & Research. “Over time, they’ll learn to take a more professional tone, and avoid certain indicators.”
The newest technology solution is sandboxing. Here, the user can only open emails with attachments or links in a protected environment like a virtual machine. Mimecast recently launched a product called Attachment Protect. Fortinet, Forcepoint, Sophos and Websense are among the vendors that offer similar software.
Such solutions make sense in financial services, where regulators are giving more attention to fraud prevention and security issues, Pascual said.
Changing Minds and Habits
Many banks conduct phishing tests – sending fake emails to all employees to see who is likely to click on an email they shouldn’t. This has somewhat limited effectiveness. A local FBI official recently admitted that the head of security at his office failed a phishing test she had administered, because she was multitasking. People also forget their training and the lessons from phishing tests.
Arun Vishwanath, associate professor of communication at the University at Buffalo, has done social-psychological research on phishing and found “ineffective cognitive processing” to be the key reason victims fall for fake emails. Even after training to detect deceptive emails, people tend to quickly sink into bad habits, he said.
Risk beliefs, including misperceptions about device security, are another factor. “We ask people, what do you think is safer, a PDF or a Word document?” Vishwanath said. “What do you think is safer, an iPhone or Android device? People have these beliefs about what is safe and what is not, and most of them have nothing to do with malware attacks.”
iPhone users, for instance, are more likely to click on malicious links than Android users, falsely believing they’re safe. Targeted training can help people shift such beliefs.
Vishwanath’s research team recently built a model that accounts for the "cognitive, preconscious, and automatic processes that potentially lead to being deceived by phishing.”
It’s called SCAM and it surveys employees to ferret out all the errors in thinking and behavior they’re prone to making. Then training can be catered to fix those specific problems. The University is working with a few local banks to help them improve their anti-phishing training.
Despite everything, phishing attacks will continue to succeed for now, by sheer force of volume. Many other lines of defense have to be in place – antimalware software; fraud detection software that monitors transactions for signs of foul play; strong authentication and dual authorization for wire transfers; and two-way mobile alerts on high-value transactions.
As with all security questions, there’s no one answer.
Editor at Large Penny Crosman welcomes feedback at email@example.com.