In 2018, learn to call attackers’ bluffs.
People often ask me about the future of phishing. What can we expect to see and how should we prepare?
As we move from 2017 into 2018, I think we need to play a better hand against attackers.
Think of it this way: in the game of poker, you want to understand an opponent’s betting patterns and physical tells. Last year in the game of phishing, we saw attackers bluff a lot.
Attackers want you to fold.
A bluff is simply designed to induce a fold by an opponent with a better hand. The size and frequency of a bluff determines its profitability to the bluffer, just as the frequency of specific phishing scams can show us what’s working for hackers. Business email compromise (BEC) and certain ransomware attacks offer prime examples.
A BEC phish is nothing more than an authority bluff designed to get employees to bite on a deceptive email. In fact, BEC phish contain at least two bluffs: (1) appearing to be from an authority figure and (2) stating something false, like a bill is past due or a supplier isn’t being paid.
This model plays itself out across multiple platforms, not just email. Consider phone scams that prey on the medical needs of the elderly or consumers unable to pay off credit card debt.
Why do we know this type of attack will continue in 2018? One, it avoids the standard security controls offered by modern technology. And two, it’s been profitable for con-men not just this year but for centuries.
Bluffs are nothing new.
The first ransom note in American history shows that playing on fear and the unknown is a well-worn method of extracting money. In 1876, the kidnappers of Charles Brewster Ross sent a ransom note demanding $20,000 for his return.
The note begins, “Mr Ros, be not uneasy, you son charley bruster be all writ we is got him and no powers on earth can deliver out of our hand.” And it contains the following threat, “You wil have to pay us before you git him from us, and pay us a big cent to,” the note read. “if you put the cops hunting for him you is only defeeting yu own end.”
While you can read more about that event in the Smithsonian article here, notice the similarities between that early ransom note and modern ransomware. Because real ransomware attacks have been so wildly successful, we now see “ransomware bluffs,” emails that falsely say a user is compromised and his/her files encrypted.
Making matters worse in 1876, once the kidnapping and ransom became public knowledge, con-artists came out of the woodwork to attempt to cash in. “But the search also brought out con artists… who jumped at the chance to say they had information about Charley Ross… spiritualists offered their services and parents dressed up their children—boys and girls of every age—in the hope that they could pass as Charley and capture the reward money.”1
As you can see, the game hasn’t really changed. Such cons are simply more profitable now, thanks to the ease and scale technology enables. Also, on your end, it’s impossible for technology alone to detect and mitigate phishing threats. Some threats will always get through and human beings will need to recognize them.
To play your strongest hand, enlist your people.
We should be honest with users and consumers and admit we need their assistance. We need them to identify and report the bluffs.
In the coming year, you’ll win when users help you crowd-source phishing intelligence. So, coach them in the physical tells of a phishing email. Encourage them to trust but verify information, especially when their gut tells them something isn’t right.
In 2018, malicious actors will continue to take the path of least resistance: scams that avoid technological detection to reach end users. While tech has its place, human beings will always be your last line of defense. They can help you shuffle the cards and deal yourself a better hand.
To learn the latest on phishing tactics and how PhishMe customers are staying prepared, view our 2017 Phishing Defense and Resiliency Report.