How can we thwart email-based social engineering attacks?
More than 99 percent of cyberattacks rely on human interaction to work, Proofpoint recently shared. More often than not, the principal attack method is phishing emails.
When hitting enterprises, attackers love to impersonate Microsoft the most, as Office 365 is increasingly the heart of companies, providing the essential services (email, chat, document management, project management, etc.) that businesses depend on to run.
They also constantly refine their tools and techniques. “While one-to-one attacks and one-to-many attacks were more common when impostor attacks first began to emerge, threat actors are finding success in attacks using more than five identities against more than five individuals in targeted organizations,” Proofpoint researchers noted.
Armorblox CEO Dhananjay Sampath told Help Net Security they’ve also witnessed attackers using a variety of emails, hoping one of them would be able to fool phishing filters and do the trick.
“BEC scams are, for example, continuously evolving in ways to evade security tools that organizations have in place. We’ve seen them evolve from sending a single email with malware or a phishing link, to using multiple emails and social engineering methods, such as mentioning out-of-office responses, or injecting personal information such as details of a real estate purchase, or using workflow information, (e.g., in cases of invoice fraud where the scammer is familiar with the company’s hired vendors or contractors).”
There is no one foolproof solution
All companies should invest in teaching their employees how to spot phishing emails – and many do – but multi-layered defenses are a must because each layer has exploitable holes.
Phishing filters employed by email service providers are not very efficient, employees overestimate the efficacy of their workplace’s email security strategy, and attackers are constantly coming up with new tricks aimed at bypassing protective technology and exploiting employees’ weaknesses.
“With the astronomical increase in SaaS apps used by organizations, it is incredibly hard for security teams to look for IoCs within millions of emails. We’ve seen organizations invest in employee training, but social engineering attacks are so sophisticated that it’s difficult for people to recognize them for what they are,” Sampath said.
Social engineering attacks – including phishing and BEC scams – target loopholes in business processes.
“Industries with public-facing information about their business transactions and processes can present attractive targets for BEC schemes,” the Financial Crimes Enforcement Network (FinCEN), a division of the US Treasury, has pointed out in an advisory released earlier this year.
When planning their schemes, BEC attackers take into consideration industry, company size, existing relationships, and potential financial counterparties. They identify processes vulnerable to compromise by taking advantage of openly available information about their targets (e.g., information from the company website) or through cyber reconnaissance efforts. Finally, they insert themselves into communications by impersonating a critical player in a business relationship or transaction.
“A scheme’s probability of success and the potential payout from fraudulent payment instructions often depends on the criminal’s knowledge of their victim’s normal business processes, as well as weaknesses in the victim’s authorization and authentication protocols,” FinCEN noted.
Stolen funds might initially be sent to an account in the US, but by the time the organization realizes it has been scammed, the funds have often already been wired overseas and are difficult to recover.
Improving detection technology
Phishing and BEC scams are continuously evolving to evade security tools that organizations have in place, Sampath noted. But an effective analysis of email language, links and attachments should catch most (if not all) email-based social engineering attacks.
“One of the hardest challenges in understanding textual data has been processing sentences of variable lengths. Tokenization approaches, including n-grams, have had very limited success in the past two decades, defaulting to keyword-based matches at best,” he explained.
“But deep learning techniques combined with reduced cost and easy availability of computational resources have helped rapidly reduce the gap in textual understanding by dynamically adjusting for variable structures within data. Further, with the advances in Transformers architecture, it has become easier than ever to apply deep learning techniques for tasks such as detection of PII/PCI, confidential data and compliance violations.”
Natural Language Processing (NLP) and Natural Language Understanding (NLU) can not only help with preventing data leaks via emails and other forms of digital communication, but also with detecting phishing/scam emails.
“NLP and deep learning can be used to examine the context, sentiment, and tone of emails and analyze the identities of the senders, the recipients, their writing styles, and their normal communications patterns,” Sampath opined.
“NLU can combine these factors, create a baseline for what is normal, and alert about what looks suspicious, helping organizations detect BECs and data leaks that were previously difficult to detect. And all of this can happen seamlessly, without impairing user experience.”
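The detection approach Sampath describes, a baseline of normal sender behaviour plus scoring of language and identity signals, can be illustrated in miniature. The following is an added example written for this article; it is not code from Armorblox, Proofpoint or any product mentioned above, and it replaces the NLP/deep-learning models with simple rules so the logic stays readable. It assumes a set of historical, known-good messages is available as raw RFC 5322 text; the two messages below, the domains they use and the `URGENCY_TERMS` list are constructed for illustration.

```python
"""Toy BEC triage: learn who normally writes to us, then score new mail.

Added example, not from the article or any vendor it quotes. The rules here
stand in for the NLU models described in the text; sample data is constructed.
"""
import email
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Constructed vocabulary of payment/urgency language common in BEC lures.
URGENCY_TERMS = ("urgent", "immediately", "wire", "bank details",
                 "new account", "gift card", "confidential")


def parse_message(raw: str) -> dict:
    """Extract the identity and text fields the scorer looks at."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        "name": name.strip().lower(),
        "addr": addr.lower(),
        "domain": addr.rpartition("@")[2].lower(),
        "reply_to_domain": reply_to.rpartition("@")[2].lower(),
        "text": f"{msg.get('Subject', '')} {text}".lower(),
    }


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_baseline(known_good: list) -> dict:
    """Record, for each display name, the addresses it has legitimately used."""
    baseline = {"name_to_addrs": defaultdict(set), "domains": set()}
    for raw in known_good:
        m = parse_message(raw)
        baseline["name_to_addrs"][m["name"]].add(m["addr"])
        baseline["domains"].add(m["domain"])
    return baseline


def score_message(baseline: dict, raw: str) -> list:
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    m = parse_message(raw)
    findings = []
    known = baseline["name_to_addrs"].get(m["name"])
    if known and m["addr"] not in known:  # same name, never-seen address
        findings.append(("known-name-new-address", m["addr"]))
    if m["reply_to_domain"] and m["reply_to_domain"] != m["domain"]:
        findings.append(("reply-to-mismatch", m["reply_to_domain"]))
    if m["domain"] not in baseline["domains"]:
        for d in baseline["domains"]:  # near-miss of a trusted domain
            if 0 < edit_distance(d, m["domain"]) <= 2:
                findings.append(("lookalike-domain", f"{m['domain']} ~ {d}"))
    hits = [t for t in URGENCY_TERMS if t in m["text"]]
    if hits:
        findings.append(("payment-urgency-language", ", ".join(hits)))
    return findings


# Constructed sample traffic: one normal invoice, one impostor follow-up.
GOOD_MESSAGE = (
    "From: Alice Vendor <alice@acme-supplies.example>\n"
    "To: ap@ourcompany.example\n"
    "Subject: Invoice 1042\n"
    "\n"
    "Hi, please find invoice 1042 attached as usual.\n"
)
SUSPICIOUS_MESSAGE = (
    "From: Alice Vendor <alice@acme-suppiles.example>\n"
    "Reply-To: alice.vendor@webmail.example\n"
    "To: ap@ourcompany.example\n"
    "Subject: URGENT: updated bank details for invoice 1042\n"
    "\n"
    "Please wire payment for invoice 1042 to our new account immediately.\n"
)

if __name__ == "__main__":
    base = build_baseline([GOOD_MESSAGE])
    for label, raw in (("good", GOOD_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(label, score_message(base, raw))
```

Each finding is a separate signal rather than a verdict: the identity checks (display name reused with a new address, Reply-To pointing elsewhere, a domain two edits away from a trusted one) fire independently of the language check, which is what lets a baseline catch an impostor even when the wording alone looks routine. A production system would replace the keyword list with a trained model and feed the findings into a risk score with thresholds tuned on the organization's own mail.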