Title: The Impact of Spear Phishing on Organizations and How to Combat this Growing Threat

Abstract: In recent years, cyber security threats have become increasingly dangerous. Hackers fabricate fake emails to trick specific users into clicking on malicious attachments or URL links in them. This kind of threat is called a spear-phishing attack. Because spear-phishing attacks use unknown exploits to trigger malicious activities, it is difficult to defend against them effectively. Cyber criminals use phishing emails in high volume and spear phishing emails in low volume to achieve their malicious objectives.
In doing so they inflict financial, reputational, and emotional damage on individuals and organizations. Spear phishing attacks get steadily more sophisticated as cyber criminals use social engineering tricks that combine psychological and technical deception to make malicious emails look as trustworthy as possible. Such sophisticated spear phishing emails are hard for email protection systems to detect. Security researchers have studied users’ ability to perceive, identify and react to email spear phishing attacks.
In this study I have surveyed recent work on how to prevent end-users from falling for email spear phishing attacks. Based on the survey I design and propose a novel method that combines the interaction methods of reporting, blocking, warning, and embedded education to harness the intelligence of expert and novice users in a corporate environment in detecting email spear phishing attacks.

Keywords: Phishing, Email, APT attack, IT security, Social engineering, Spam, URL links, Cybercrime

I. INTRODUCTION

In a world where spear-phishing is one of the most common attacks used to steal confidential data, it is necessary to instruct technical and non-technical users about the new mechanisms attackers can use to mount these attacks. I want to focus on phishing attacks, in which a social engineer communicates a deceitful message to victims in order to obtain confidential information, because of recent advancements in the field. Nowadays, with all the information most users provide online, along with advances in fields such as data mining, it is more difficult for users to distinguish between malicious and benign communication. If the attack is designed to target a specific user using knowledge of his or her information, it is called spear phishing. Spear-phishing attacks tend to be more successful than other attacks because of their targeted nature. Spear phishing is on the rise because it works. Advanced Persistent Threat (APT) attacks that enter an organization via spear phishing represent a clear shift in strategy for cyber criminals. They no longer need mass spam campaigns. The return on an APT attack is much higher if criminals do their homework and target their victims with precise, expertly crafted spear-phishing emails that can spoof senders and look completely legitimate. 84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015.
The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses. A whopping 91% of cyberattacks and the resulting data breaches begin with a spear phishing email, according to research from security software firm Trend Micro. This conclusively shows that users really are the weak link in IT security. Traditional security defenses simply do not detect and stop it. From a cyber criminal’s point of view, spear phishing is the perfect vehicle for a broad array of damaging exploits. For example, threat actors are increasingly targeting executives and other high-level employees, tricking them into activating malware that gives criminals access to their companies’ environments. This might be ransomware that encrypts company data and then extorts fees from the victim to remediate the situation. Other malware includes banking and point-of-sale reconnaissance Trojans that target businesses in the retail and hospitality industries. The targeted executives are usually key leaders with titles such as chief financial officer, head of finance, senior vice president and director. Spear phishing emails are created with enough detail to fool even experienced security professionals.

This study draws upon an understanding of how to prevent end-users from falling for email spear phishing attacks and focuses on the most effective measure to safeguard a business against a successful spear phishing attack, which is staff security awareness. Guidelines, or preferably a policy endorsed by the chief executive, should be issued to all staff instructing them that they MUST NOT click on website links or attachments in unsolicited emails or emails from untrusted sources. If in doubt, they should check with the IT security manager.
Issue regular reminders to this effect and highlight this requirement in any security awareness training [3, 10].

II. LITERATURE REVIEW

The goal of this research is to propose a novel method that combines the interaction methods of reporting, blocking, warning, and embedded education to harness the intelligence of expert and novice users in a corporate environment in detecting email spear phishing attacks.

Fig 1: An example of a spear phishing attempt by email

Spear phishing is an advanced form of cyber exploitation that targets and exploits the vulnerabilities of human users, often the weakest link in the security chain of a computer system, by means of social engineering. A typical attack of this type involves an attacker contacting targeted victims via email, as shown in Figure 1, using relevant contextual information and timing to trick them into divulging sensitive information. Spear phishing attacks have been aimed at individuals and companies, but also at government and defense organizations to exfiltrate classified data, as reported. The high success rate and the potentially significant damage caused by a spear phishing attack have motivated cyber researchers and practitioners to investigate a more effective but ambitious defense strategy: defending against the attacker, rather than defending against an attack. Knowledge of the potential offenders allows an organization to complement existing reactive, passive and tactical detection techniques with proactive and strategic approaches, and potentially to decrease the potency of successful attacks by holding those responsible for an attack legally and financially accountable, thereby deterring other potential offenders. Solving the problem of spear phishing attribution is therefore very desirable, albeit very challenging.

Information gathering through spear phishing is the preferred choice for a terrorist.
Cells of terrorists could use this attack method to spread malware and hack into the computers and mobile phones of persons of interest with the intent to collect information on their social network and on the activities they are involved in. Spear phishing could allow terrorists to collect information on a specific target or to access information related to an investigation into members of the group. Imagine a spear phishing attack on personnel of a defense subcontractor that could give the terrorist precious information about the security measures in place in a specific area that the terrorist cell intends to attack. In contrast to mass phishing, spear phishing is highly targeted, going after a specific employee, company, or individuals within that company. Spear phishing has lately been described as one of the fiercest e-scams (InfoSec Institute, 2016), as it targets specific individuals and sends them personalized e-mails, which makes it more likely that the targeted persons will open them and hence initiate the attack. Over recent years, spear phishing attacks have become more common, though businesses and institutions are often reluctant to reveal any details once they are attacked, as this might damage their reputation and negatively affect their returns. This approach requires advanced hacking techniques and a great amount of research on the targets. Spear phishers are after more valuable data such as confidential information, business secrets, and the like. That is why a more targeted approach is required: they find out who has the information they seek and go after that particular person. A spear phishing email is really just the beginning of the attack, as the bad guys attempt to get access to the larger network.

A later study found that educating internet users about phishing, as well as the implementation and proper application of anti-phishing measures, are critical steps in protecting the identities of online consumers against phishing attacks.
Further research is required to evaluate the effectiveness of the available countermeasures against fresh phishing attacks. There is also a need to find out which factors influence internet users’ ability to correctly identify phishing websites.

III. PROPOSED SOLUTION

An IT platform is only as secure as its users make it. In other words, you are only as secure as the weakest link; thus, employees need to be trained properly when it comes to network security. Security awareness should be the first line of defense against any sort of phishing, and even more so against spear phishing attacks. Limit the data you post about yourself, for example in email discussions, on Facebook or on LinkedIn. The more personal the details you share, the easier it is for attackers to craft a spear phishing email that seems relevant and genuine.

Cyber criminals are expanding their schemes to exploit any personal information discovered through social engineering. Anyone can become the target of a spear phisher, so combating this problem requires continuous awareness training for all users, so that they are vigilant about the information they share and avoid revealing too much about themselves online and becoming victims of identity theft. Figure 2 shows the life-cycle of phishing detection.

Fig 2: The life-cycle of phishing detection.

Stopping spear phishing attacks requires getting everyone to see that today’s integrated security posture is not enough to overcome this threat. Technical solutions can only aid in identifying malicious e-mails, and only proper training can help, though not entirely prevent, users from falling prey to social engineering schemes or legitimate-looking e-mails. The fact that government agencies and security companies have been at the center of spear phishing attacks of great proportions is proof that, regardless of the magnitude of the technical security solutions employed, the actions of even a single unaware user can be potentially disruptive.
Fig 3: Phishing attack incidents

According to RSA monthly online fraud reports, phishing attacks have been increasing sharply over the years, as shown in Figure 3. No matter where you are in the organizational structure, attackers may choose you as their next spear phishing target to snoop inside an organization. It is important for businesses of all sizes to defend their data; building human firewalls before employing any other technical and regulatory barriers can help strengthen their cyber security capabilities. At a minimum, through awareness training, users can learn to:

- check the landing page (URL) of links in any suspected e-mail;
- avoid opening suspicious e-mail attachments and following links sent in e-mails, especially when the sender is unknown;
- recognize the basic tactics used in spear phishing emails, such as tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics;
- be mindful of e-mails that just don’t sound right: a strange request from a coworker or supervisor, or a bank or merchant requesting PII, usernames and passwords via e-mail;
- take measures to block, filter, and alert on spear phishing e-mails, which will improve detection and response capabilities.

Many of today’s browsers have a built-in phishing filter that should be enabled for additional protection, as mentioned on the FBI’s Internet Crime Complaint Center web page; web browser filters can help prevent the messages from being directly delivered to an inbox. Because email is the most common entry point of targeted attacks, it is important to secure this area against likely spear phishing attacks. Employee education is highly critical to combat different phishing techniques. Training employees to spot misspellings, odd vocabulary, and other indicators of suspicious mails could prevent a successful spear phishing attack.
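As an added example that is not part of this paper, the following Python script automates a few of the sender and link checks just listed (executive display name from an external domain, lookalike sender domain, diverted Reply-To, link text that shows one URL while the href points elsewhere) and runs them over two constructed messages; the corporate domain, the executive names, the similarity threshold and the messages themselves are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"               # assumed corporate domain
EXECUTIVES = {"Jane Doe", "John Roe"}     # assumed executives impersonated in CEO fraud
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):  # domain part of an address, lower-cased ('' if none)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_like(dom, corp):  # lookalike: near the corporate domain but not identical
    return dom != corp and SequenceMatcher(None, dom, corp).ratio() >= 0.85

def phishing_indicators(raw):  # spear phishing indicators found in a raw RFC 822 message
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if name in EXECUTIVES and from_dom != CORP_DOMAIN:   # display-name spoofing
        found.append("executive display name sent from an external domain")
    if looks_like(from_dom, CORP_DOMAIN):
        found.append("lookalike sender domain: " + from_dom)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:            # replies diverted elsewhere
        found.append("Reply-To domain differs from sender domain")
    for part in msg.walk():                               # visible URL vs. real href
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(errors="replace")
        for href, text in LINK_RE.findall(html):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
                found.append("link text %s hides %s" % (shown, href))
    return found

# Constructed sample messages, not real traffic
SUSPECT = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: invoices@mail-relay.net
Content-Type: text/html

<p>Approve today: <a href="http://examp1e.com/pay">https://payroll.example.com/approve</a></p>
"""
BENIGN = """From: Alice <alice@example.com>
Content-Type: text/html

<p>Menu: <a href="https://intranet.example.com/lunch">https://intranet.example.com/lunch</a></p>
"""
```

In a deployment these indicators would drive the warning and reporting steps of the proposed method: a flagged message can be held, annotated with a warning banner for the recipient, or routed to the security team for review.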
Additionally, enterprises need an expanded and layered security solution that gives network administrators the visibility, insight, and control needed to reduce the risk of targeted attacks regardless of the vector of choice. To stop spear-phishing attacks, security teams must first train users to recognize, avoid and report suspicious emails; it is important for every employee to recognize that their role grants them access to different data, the currency of the information economy. Second, security teams must implement, maintain and update security technology and processes to prevent, detect and respond to ever-evolving spear-phishing threats. Finally, security teams must strive to stay ahead of attackers by investing in actively updated threat intelligence and expertise to meet their needs. One thing is clear: you cannot discover a new spear-phishing attack by looking at it in isolation. This is how conventional point products such as antivirus and anti-spam software operate; while they can detect some known threats, they will fail to detect unknown threats and spear-phishing attacks.

Those who may have fallen victim to a spear phishing attack or been lured into phishing schemes can report them to the Internet Crime Complaint Center and file a report; suspicious e-mails can be forwarded there for verification. Alternatively, APWG’s Report Phishing site is another place to submit a suspected phishing e-mail. Filling out an Anti-Phishing Working Group (APWG) eCrime Report provides valuable data for the Phishing Activity Trends Report each year.

IV. CONCLUSION

Spear phishing is one of the most common sources of data breaches today. Clearly, spear phishing poses a real threat, as it can bypass normal technical anti-threat barriers and exploit users to infiltrate systems. Therefore, phishing prevention activities and training are the best steps to proactively avoid such threats.
It is fundamental to train employees to recognize phishing messages in order to protect them against most attacks. When it comes to spear phishing, the best line of defense is users themselves, at every level of an organization, who must step up their game as cyber defenders to effectively deter and recognize the subtlest e-scams. Unless users are helped to recognize the various types of phishing techniques and learn what this threat consists of, they will be unable to reduce their risk of falling victim to this type of attack, as even the most secure infrastructures can potentially be taken down through the mistake of a single user. Such pervasiveness, relative ease of execution and high ROI make spear phishing one of the most dangerous cyber threats of recent years. Time will tell if spear phishing will be an even bigger concern in 2019.

REFERENCES

[1] A. Martino, X. Perramon, “Phishing secrets: History, effects and countermeasures”, International Journal of Network Security, vol. 12, no. 1, pp. 37-45, Jan. 2011.
[2] F. Aloul, “The need for effective information security awareness”, Journal of Advances in Information Technology (JAIT), vol. 3, no. 3, pp. 176-183, 2012.
[3] L. Muniandy, “Phishing: Educating the Internet users – a practical approach using email screen shots”, IOSR Journal of Research & Method in Education (IOSR-JRME), vol. 2, no. 3, pp. 33-41, 2013.
[4] B. Parmar, “Protecting against spear-phishing”, Computer Fraud & Security, no. 1, pp. 8-11, 2012.
[5] Y. Zhang, S. Egelman, L. Cranor, J. Hong, “Phinding phish: Evaluating anti-phishing tools”, Proc. of the 14th Annual Network & Distributed System Security Symposium (NDSS), Feb. 2007.
[6] P. Kumaraguru, Y. Rhee, A. Acquisti, L.F. Cranor, J. Hong, E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system”, Proc. of the SIGCHI Conf. on Human Factors in Computing Systems, pp. 905-914, Apr. 2007.
[7] S. Egelman, L. Cranor, J. Hong, “You’ve been warned: An empirical study of the effectiveness of web browser phishing warnings”, Proc. of the Conference on Human-Computer Interaction (CHI), pp. 1065-1074, 2008.
[8] R.C. Dodge, C. Carver, A.J. Ferguson, “Phishing for user security awareness”, Computers and Security, vol. 26, no. 1, pp. 73-80, 2007.
[9] R. Dhamija, J. Tygar, M. Hearst, “Why phishing works”, Proc. of SIGCHI ACM, 2006.
[10] S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, J. Downs, “Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions”, Proc. of the Conference on Human Computer Interaction (CHI), 2010.