Their email filters missed these threats. Good thing the users didn’t.
By Jerome Doaty, Zakari Grater, and Brenda Gooshaw Samson
Technology is an important part of any phishing defense, especially perimeter tech designed to filter emails. But these systems, even those billed as “next-gen email security platforms,” don’t catch everything. Some phishes always get through.
Let’s look at a couple of real examples, straight from the inboxes of organizations whose filters missed malicious emails. In both cases, users reported the emails to security teams, who blocked the attacks. Working together, flesh-and-blood human beings kept credential theft to a minimum, sealed off further network access, and prevented serious harm.
Real-Life Example #1: Spoofing the CEO
In our first example, an attacker used an already compromised account to send an email that convincingly spoofed the CEO. The compromise made it difficult for the email filter to spot the phish—the technology simply didn’t work fast enough. The email’s language had the same effect on employees. The attacker parroted language on the company’s website and within a matter of minutes lots of employees clicked.
Fortunately, users trained through Cofense PhishMe™ were alert and reported the email via Cofense Reporter™, our email toolbar button that empowers users to “say something” when they “see something.” A human security analyst detected signs of compromise, investigated further, and escalated the matter. The security team blocked the phishing site the email linked to and extracted the email itself from employee inboxes.
In short order, this organization stopped a sophisticated phishing attack, thanks to human sensors who were the last line of defense.
Real-Life Example #2: Spoofing HR
This time, the attacker posed as an HR specialist, sending an email with the subject line of “Salary Adjustment.” No wonder users clicked! As in the previous example, the attacker smartly mimicked the company’s words and tone, plus included the brand logo and other “official” flourishes.
The email came from the .ga country-code top-level domain (TLD). Country-code TLDs often have looser security standards, making life harder for humans and machines alike. For whatever reason, the email filter missed the phish. It not only got past the perimeter but roamed around for several days, luring employees to click and enter network login credentials.
Finally, employees started reporting it—again, as simple as clicking one button thanks to Cofense Reporter—and the security team could act. Considering breaches often go undetected for 100 days, a lapse of two or three days, while not great, could have been worse. If the company hadn’t complemented its email filters with well-trained users, a dicey situation could have ended very badly.
Perimeter defenses have their place, but they’re not a magic shield. Hackers will always be able to move faster than technology. A solid security program must include human sensors, well-conditioned employees, to bridge the gap and block threats.