Banks Fight Phishing With … Phishing?

Phishing is old news, which is part of why it is so dangerous today.

Many bank employees learned long ago what a phishing email is and how to look out for one. But the threat has evolved, leading some banks to worry about whether their users have grown too confident in their years-old training to face today's attacks.

Successful phishing attacks can gain crooks access to debit or credit card accounts and to a customer’s online banking service.

In recent years, phishers have refined their strategies to make their emails more targeted and, thus, more convincing. Several high-profile data breaches have been attributed to a targeted phishing email opened by someone within the victimized organization.

Banks are consequently taking more interest in using simulated phishing attacks to test their resistance to the real ones, according to the vendors that offer such services. This new interest stems from the realization that phishers might be overcoming traditional defenses.

"It's a constant cat-and-mouse game, … [and] accepting the cat-and-mouse game is really an important part for [information-technology] organizations," says Aaron Higbee, the chief technology officer and co-founder of PhishMe Inc.

Many bank employees rely on their technology departments to screen emails for either plain phishing attacks or those that use attached viruses. To fight this, phishers have begun to use Google Docs, a cloud-based document-sharing system from Google Inc.

Instead of sending an infected file to a user, a phisher would send a link to a Google Doc file, Higbee says. Such an email might slip by a filter that is looking primarily for attached files.

One of the biggest threats today is spear-phishing, Higbee and other experts say. Spear-phishing is not new, but it is growing in prominence and in sophistication.

Such attacks are designed to be more convincing to a narrow group of users, such as employees of a specific company. PhishMe, a Chantilly, Va.-based unit of Intrepidus Group, sends simulated spear-phishing emails to its clients' employees to determine which employees are susceptible to such attacks.

"They are individually phished, with [follow-up] training on what spear-phishing is," Higbee says. Those who fall for the phishing trickery are immediately instructed on how to avoid such scams in the future.

Wombat Security Technologies of Pittsburgh takes a similar approach to phishing education.

The moment a user falls for a simulated phishing attack is "a teachable moment," says Ralph Massaro, Wombat vice president of sales and operations. "People have been humbled."

Banks are taking a greater interest in the services that such companies as Wombat and PhishMe offer because they realize that their email filters and education are being overcome, Massaro says.

Both companies have been operating since 2008 and both work with banks. Neither would name its clients.

Spear-phishing is becoming more devious because of the recent surge in social-media use, Massaro says. For example, if an employee posts a message on Twitter about attending a conference, phishers might then impersonate the conference's organizer. If the employee was expecting emails from the conference staff, he or she would be less likely to suspect that one of those emails is malicious.

Spear-phishing is "not really new, but there's just more and more of it going on; … it's just getting easier to spear-phish" because of social-media use, says Avivah Litan, vice president and distinguished analyst at the Stamford, Conn.-based market research company Gartner Inc.

And even conventional phishing attacks remain a threat since anti-malware tools generally cannot respond to every threat as it is developed, Litan says. Antivirus tools typically have to wait for new virus signatures before they can properly block those viruses, she says.

Educational services from such companies as PhishMe and Wombat are useful tools in fighting the fraudsters, but no bank should count on them exclusively, Litan says.

"It's helpful to be more aware. … [But] if that's what you're relying on, God help you," she says.
