“In 2017 the FBI estimated that Spear Phishing attacks were responsible for $12.5bn in losses globally.”
With anti-spam and anti-phishing filters now in place at most enterprises, bad actors have been forced to find a more intelligent way to break through to their targets. In recent years there has been a dramatic shift in inbound email attacks toward a new type of threat, spear phishing.
Unlike spam and phishing, spear phishing is highly targeted toward a specific individual within an enterprise and will often impersonate the identity of a trusted person in order to trick the target into taking some form of action (e.g. paying an invoice, sending data, downloading malware). These characteristics make spear phishing much more difficult to filter from a technological perspective and thus mean that attackers have a much higher likelihood of success.
The foundation of a successful spear phishing attack is the impersonation of a person or company the target trusts, which tricks the target into taking the action the attacker wants.
Due to the rise in spear phishing in recent years, email providers and legacy Secure Email Gateway platforms have attempted to build in some Rule-based controls to prevent these kinds of attacks by detecting basic patterns which highlight an impersonation attempt.
However, there are a wide range of spear phishing impersonation techniques and these Rule-based controls (as we will demonstrate) are only effective at preventing certain specific cases. At Tessian, we categorise spear phishing impersonation techniques into two classes:
- Weak-Form Impersonation: Less advanced forms of impersonation which can be detected and prevented by Rule-based systems.
- Strong-Form Impersonation: More advanced forms of impersonation which cannot be prevented by Rule-based systems. Strong-Form impersonation can only be detected with a machine-intelligent anomaly detection model sitting on top of a real-time relationship graph that maps all trusted historic email communications within your enterprise.
In 2017, the FBI published statistics on Business Email Compromise, a category of fraud carried out through spear phishing in which criminals extract money from organisations. The figures were alarming: the FBI estimated that Business Email Compromise may have been responsible for $12.5bn in losses globally, and counted more than 40,000 incidents of Business Email Compromise or other email account compromise in 2016, a 2,370% increase since the start of 2015.
Fake invoices are the #1 disguise for distributing malware.*
Spear phishing emails are composed of four key elements.
- Target: They are directed towards a specific person or organisation.
- Impersonation: They impersonate someone, or some entity, that the target trusts.
- Intent: The email has some form of intent; the attacker wants the target to do something.
- Payload: The email contains some form of payload (an invoice, a link, an attachment, a request) designed to get the target to take the desired action.
95% of all attacks on enterprise networks are the result of successful spear phishing**
+ Facebook and Google were conned out of $100m in phishing scheme (28th April 2017, The Guardian)
Over a two-year span, a malicious third party defrauded Facebook and Google of almost $100m using strong-form impersonation spear phishing emails which mimicked the identity of a trusted hardware supplier to both companies, Quanta Computer, and requested payment of fraudulent invoices.
+ Australian millionaire loses $1 million to major e-mail scam (18th December 2017, Bloomberg)
The office of an Australian millionaire was duped into transferring $1m by a strong-form impersonation spear phishing email which mimicked the identity of a trusted third party and requested a transfer of funds. The email in question used a lookalike (homograph) domain: in this case, the fraudulent domain differed from the real domain by a single character.
+ Fraudsters steal $450,000 from Brisbane City Council in elaborate scam (15th August 2016, Brisbane Times)
Brisbane City Council employees were duped into wiring $450,000, over a series of nine payments, to the bank account of a fraudulent third party. The employees were tricked by a series of phone calls combined with "legitimate-looking emails" which mimicked the identity of a trusted supplier.
By the end of 2017, the average enterprise user was receiving 16 malicious emails per month.*
A critical flaw in the existing controls provided by email platforms and legacy Secure Email Gateways is that they rely on pre-defined, one-size-fits-all conditions to decide which emails are spear phishing and which are not. These systems have no model of pre-existing email relationships, so they cannot tell when a sender who passes every static check is nonetheless someone this recipient has never dealt with. Read about why the Rule-based approach to spear phishing is failing here.
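To make the weak-form/strong-form distinction concrete, and to show why a single-character lookalike domain like the one in the Australian case is caught by rules while a message from a genuine trusted domain is not, here is an added example. It is not Tessian's code and not a description of the Parallax Engine: it pairs a small rule-based checker (display-name match, lookalike domain via homoglyph folding and edit distance, Reply-To mismatch) with a relationship-baseline check that compares the sender against what this recipient has actually received before. The organisation, domains, addresses, history and messages are all constructed for illustration.

```python
"""Added example, not Tessian's code: a rule-based impersonation detector
beside a relationship-baseline check. All domains, names, history and
messages below are constructed for illustration."""
import unicodedata
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # constructed
EXEC_NAMES = {"alice carter", "bob singh"}              # constructed executives
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-hardware.example"}  # constructed supplier

# Substitutions attackers use to build lookalike domains. Folding is applied
# to both sides of every comparison, so a legitimate "rn" is harmless.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0430": "a",
              "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def normalize_domain(domain):
    """Fold a domain to a canonical form so lookalikes compare equal."""
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")  # punycode -> unicode
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    domain = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        domain = domain.replace(bad, good)
    decomposed = unicodedata.normalize("NFKD", domain)  # split accents off
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None."""
    if domain in trusted:
        return None                       # genuinely trusted, not a lookalike
    norm = normalize_domain(domain)
    for t in trusted:
        if norm == normalize_domain(t) or edit_distance(norm, normalize_domain(t)) <= 1:
            return t
    return None


def split_address(header):
    """'Name <user@host>' -> (name, address, domain), all lower-cased."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def rule_based_flags(msg):
    """Weak-form checks: fixed patterns with no knowledge of past traffic."""
    flags = []
    name, addr, domain = split_address(msg["from"])
    if name in EXEC_NAMES and domain != OUR_DOMAIN:
        flags.append("display name matches an executive but sender is external")
    target = lookalike_of(domain)
    if target:
        flags.append(f"sender domain {domain!r} looks like trusted {target!r}")
    if msg.get("reply_to"):
        _, _, reply_domain = split_address(msg["reply_to"])
        if reply_domain != domain:
            flags.append("Reply-To domain differs from From domain")
    return flags


def baseline_flags(msg, history):
    """Relationship check. `history` maps recipient -> {sender address:
    display name previously seen with that address}."""
    flags = []
    name, addr, domain = split_address(msg["from"])
    seen = history.get(msg["to"].lower(), {})
    if addr not in seen:
        known_at_domain = [a for a in seen if a.endswith("@" + domain)]
        if known_at_domain:
            flags.append(f"new address at a domain this recipient already deals "
                         f"with (previously {known_at_domain})")
        else:
            flags.append("first ever contact from this sender")
    if name and any(n == name and a != addr for a, n in seen.items()):
        flags.append("display name previously paired with a different address")
    return flags


HISTORY = {  # constructed relationship graph for one recipient
    "dave@example.com": {"alice.carter@example.com": "alice carter",
                         "pat@acme-hardware.example": "pat lee"},
}

SAMPLES = {  # constructed inbound messages to dave@example.com
    "legit": {"from": "Pat Lee <pat@acme-hardware.example>", "to": "dave@example.com"},
    "display_name": {"from": "Alice Carter <alice.carter@gmail.example>",
                     "to": "dave@example.com"},
    "homograph": {"from": "Pat Lee <pat@acme-hardw\u0430re.example>",  # Cyrillic a
                  "to": "dave@example.com"},
    "one_char": {"from": "Pat Lee <pat@acme-hardwares.example>", "to": "dave@example.com",
                 "reply_to": "pat@acme-hardwares.example"},
    "strong_form": {"from": "Accounts <billing@acme-hardware.example>",  # real domain
                    "to": "dave@example.com"},
}


def assess(sample):
    """Run both detectors over one constructed message."""
    msg = SAMPLES[sample]
    return {"rules": rule_based_flags(msg), "baseline": baseline_flags(msg, HISTORY)}


if __name__ == "__main__":
    for key in SAMPLES:
        print(key, assess(key))
```

The `strong_form` sample is the instructive one: the From domain is the real supplier's, there is no display-name trick and no Reply-To mismatch, so `rule_based_flags` returns nothing, while `baseline_flags` notices that this recipient has only ever dealt with `pat@` at that domain. In production the edit-distance threshold needs tuning per domain length (a distance of 1 is meaningless for very short domains) and the history would be built from the organisation's own mail logs rather than a literal.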
To prevent strong-form impersonation spear phishing attacks, a totally new approach to email security is needed. Tessian creates machine intelligence to secure enterprises from threats executed by humans, rather than threats executed by code.
Tessian is building the world's first Human Layer Security platform to fulfil our mission of keeping the world's most sensitive data and systems private and secure. Using stateful machine learning over historical email data, Tessian's Parallax Engine predicts whether, for this user at this point in time, a given email looks like a security threat.
Book a demo to learn more about our email security platform.