Too smart to fall for a spear-phishing message? Think again


Let’s face it, phishing attacks, in which cybercriminals dress up malicious messages (carrying malware or links to credential-harvesting pages) to look like legitimate communications, are far more successful than anyone would like. Verizon’s 2017 Data Breach Investigations Report (DBIR) states:

“There were a little over 1,600 incidents and more than 800 breaches featuring social actions in this year’s [2016] corpus (all external actor driven). Phishing was again the top variety, found in over 90% of both incidents and breaches.”

The DBIR continues:

“In last year’s report, we discussed how the majority of remote breaches began with the same chain of events; phishing to gain a foothold via malware, then leveraging stolen credentials to pivot off of the foothold. It also holds true this year—95% of phishing attacks that led to a breach were followed by some form of software installation.”

Attackers would prefer that spear phishing, a more labor-intensive but lucrative form of phishing that targets a specific victim or company, stay off the radar of cybersecurity professionals. GreatHorn, a cloud email-security vendor (and so not a disinterested observer), writes in its 2017 Spear Phishing Report that more than 90% of the phishing emails it captured from March to November 2016 contained spear-phishing components designed to impersonate a person familiar to the business user, so that the recipient believes the message came from a trusted source.



New research about spear phishing

For several years, security researchers Zinaida Benenson and Robert Landwirth, both from Friedrich-Alexander-Universität, along with Freya Gassmann from Universität des Saarlandes, have been interested in what they consider unexplored territory related to spear phishing. In their paper Unpacking Spear Phishing Susceptibility (PDF), the researchers explore the decision-making process of users who are enticed by a link in a variety of spear-phishing messages.

Once the researchers were happy with their spear-phishing messages and survey questions, they recruited volunteers. The selected participants were sent either an email or a personal Facebook message with a link from a non-existent person, claiming the link led to pictures from a party. “When clicked, the corresponding webpage showed an access denied message,” write the report’s authors. “We registered the click rates, and later sent the participants a questionnaire asking about their clicking behavior.”
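The mechanics of that measurement are simple to reproduce. The following Python is an added illustration, not the researchers’ own tooling: each participant receives a link carrying an HMAC-derived token (so clicks can be attributed without putting the participant ID in the URL and without tokens being guessable), the landing handler records any valid click and always answers “access denied” regardless of whether the token was valid, and a helper computes click rates per channel or per personalization flag. The participants, the server secret and the requests are constructed sample data.

```python
"""Minimal click-rate measurement for a consent-based phishing study.

Added illustration, not the paper's infrastructure. Assumptions: an
HMAC-SHA256 token per participant, a landing handler that always returns
403, and constructed sample participants/requests.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-study server-side key


def make_token(participant_id: str) -> str:
    """Per-participant link token: unguessable, and it does not expose the ID."""
    digest = hmac.new(SECRET, participant_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


class ClickTracker:
    def __init__(self, participants):
        # participants: id -> {"channel": "email"|"facebook", "personalized": bool}
        self.participants = participants
        self.token_to_id = {make_token(pid): pid for pid in participants}
        self.clicks = {}  # participant id -> number of clicks recorded

    def handle_request(self, path: str):
        """Landing-page handler. Returns (status, body).

        Valid and forged tokens get the identical response, so the page
        itself reveals nothing about who is being studied."""
        token = path.rsplit("/", 1)[-1]
        pid = self.token_to_id.get(token)
        if pid is not None:
            self.clicks[pid] = self.clicks.get(pid, 0) + 1
        return 403, "Access denied"

    def click_rate(self, **where):
        """Fraction of participants matching `where` who clicked at least once.

        Repeat clicks by one person count once; the rate is per participant."""
        group = [pid for pid, attrs in self.participants.items()
                 if all(attrs.get(k) == v for k, v in where.items())]
        if not group:
            return 0.0
        clicked = sum(1 for pid in group if pid in self.clicks)
        return clicked / len(group)


def simulate():
    """Constructed run: four participants, three clickers, one forged token."""
    participants = {
        "p1": {"channel": "email", "personalized": True},
        "p2": {"channel": "email", "personalized": False},
        "p3": {"channel": "facebook", "personalized": True},
        "p4": {"channel": "facebook", "personalized": True},
    }
    tracker = ClickTracker(participants)
    requests = [
        "/party/" + make_token("p1"),
        "/party/" + make_token("p3"),
        "/party/" + make_token("p4"),
        "/party/" + make_token("p4"),   # second click by the same person
        "/party/deadbeefdeadbeef",      # forged token: same 403, nothing recorded
    ]
    statuses = [tracker.handle_request(path)[0] for path in requests]
    return tracker, statuses


if __name__ == "__main__":
    t, _ = simulate()
    print("overall:", t.click_rate())
    print("email:", t.click_rate(channel="email"))
    print("facebook:", t.click_rate(channel="facebook"))
```

Tokens are derived rather than stored as random values only to keep the example short; a production study would store random tokens and the mapping server-side, and would log timestamps and user-agent strings to separate real clicks from mail-gateway link scanners, which otherwise inflate the rate.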


Results of the survey

Out of 720 participants, 117 clicked on the link, 502 did not, and the remaining 101 participants could not remember whether they clicked or not. The proverb “curiosity killed the cat” seems applicable, as the number-one reason for clicking on the link (Figure A) was curiosity. “The participants explained that they knew the pictures could not be for them, but were interested in the supposedly funny or private content,” write Benenson, Landwirth, and Gassmann.

Figure A


As to why the 502 participants did not click on the link, the number-one reason (Figure B) was not knowing who sent the message.

Figure B


Findings of interest

After analyzing the survey results, the researchers came up with the following:

  • Participants tend to trust their instincts when deciding whether to click on the link or not. “Many participants indicated they suspected the link to contain malware or be fraudulent without explaining how they arrived at this conclusion,” explain the researchers. “It seems they relied on their intuition.”
  • Facebook users were more click-happy, with over 40% clicking on the link compared to 20% of those using email. As to why, Benenson, Landwirth, and Gassmann suggest social networks such as Facebook or LinkedIn might be considered more trustworthy by users.
  • Using first names to personalize messages made a significant difference, particularly when it came to email participants.


Realistic considerations

The researchers show a refreshing awareness of how challenging it is to defend against spear phishing because of the perceived legitimacy of the message’s fake content. Benenson, Landwirth, and Gassmann add, “Because of this ambiguity, asking people to be permanently vigilant when they process their messages might have unintended consequences.”

The researchers offer an example:

“If a person’s job requires processing invoices sent via email, they might click on an infected file called ‘invoice,’ as it fits their job expectations. And if they are taught to be careful with invoices, they might start ignoring real ones, which stands in direct conflict with their job requirements. Under these circumstances, the employees are likely to disregard their training, as the only way for them to get their job done in time is to process their emails as quickly as possible.”

The researchers also offer insight into the practice of testing users by sending them fake phishing emails. “Trying to involve users in perimeter defense by means of catching them clicking links in fake phishing emails might have negative consequences,” state the authors. “For example, employees of an organization may become disgruntled and unmotivated if they find out they are being attacked by their own security staff.”

If that’s not bad enough, Benenson, Landwirth, and Gassmann conclude their research paper in a rather alarming way:

“By careful design and timing of a message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message’s content and context.”

That is a chilling thought, but knowing it is half of the battle. The other half is to stay vigilant, resist the path of convenience, and try to establish the legitimacy of a link before clicking on it.
