How real live phishing emails can help protect users [Q&A]
Phishing remains one of the most popular attack vectors for cybercriminals. But traditional defenses relying on filtering or raising user awareness via training aren't always effective.
We spoke to Lior Kohavi, chief technology officer at enterprise SaaS security specialist Cyren to discover how a new approach is using genuine attacks to help both educate users and keep phishing emails out of our inboxes.
BN: Why is phishing still such a big problem?
LK: Phishing is probably one of the biggest attacks right now and the main question is what do you do with that as an industry? On one hand it's happening because your defenses are not blocking it. And on the other hand, users, despite the fact that we as an industry have tried to explain to them as much as we can, still click phishing emails or forward phishing emails and fall under imposters’ and impersonators’ spell.
BN: How can you use these real phishing emails to educate users?
LK: What do you do when you have an email that you receive and that email is phishing? The main issue is you don't want the user to get it, you want them to be aware, someone needs to block it. But we at Cyren believe you will learn only based on real examples, you will learn based on the traffic you have. So for that we are continuously providing a crowdsourcing capability that is looking over your shoulder, so to speak, and giving you visibility of every email that you get in your mailbox.
BN: How is this different from conventional security approaches and awareness training?
LK: Most of the security solutions will take the email away or will give you a kind of warning banner, 'this is phishing'. If you have training, people will ask you to click the button and report on the message. We think there must be something better, because the training is inherently artificial.
So, if we know for sure it's phishing, or if we know for sure it's not, we can take appropriate action -- move it to a junk folder or let it through. But what if we want to give you a kind of a heads up that this may or may not be phishing but the behavior of the message looks suspicious? It might be the first time you get an email from that address or, although it appears to come from someone within your company, it might be the first time that you get an email with a link to, say, shared locations on Google Drive. This is not giving you a spot test, it's not asking you to say whether you think it's suspicious or not and trying to train you, it's really giving you a warning that something may not be right.
We then give you the option to report the email as phishing immediately or to scan it. If you opt for a scan then in a few seconds you'll get recommendations that will help you to make a decision on whether to open the email or not.
The key thing is we're not sending an email that looks like phishing in order to test the user, we're utilizing the real everyday traffic in your inbox.
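The two "first time" signals described in this answer (a never-before-seen sender, and an internal sender's first link to a shared cloud location) can be checked against a mailbox's own history. The following is an added illustration, not Cyren's code; the organisation domain, the list of share-link hosts and the sample messages are all constructed assumptions.

```python
import re

# Constructed example, not Cyren's code: a per-mailbox memory that raises the two
# "first time" heads-up signals the interview describes. Hypothetical names throughout.
ORG_DOMAIN = "example.com"  # assumption: the protected organisation's own mail domain
# Links to shared locations on common cloud drives (assumed list, extend as needed)
SHARE_LINK_RE = re.compile(
    r"https?://(?:drive|docs)\.google\.com/\S+|https?://[\w.-]+\.sharepoint\.com/\S+", re.I)

def domain_of(addr):
    """Mail domain of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

class MailboxHistory:
    """Remembers, for one mailbox, who has written before and who has sent share links."""
    def __init__(self):
        self.seen_senders = set()
        self.share_link_senders = set()

    def assess(self, sender, body):
        """Return the list of heads-up reasons for a new message, then record it."""
        sender = sender.lower()
        reasons = []
        has_share_link = bool(SHARE_LINK_RE.search(body))
        if sender not in self.seen_senders:
            reasons.append("first message from this address")
        if (has_share_link and domain_of(sender) == ORG_DOMAIN
                and sender not in self.share_link_senders):
            reasons.append("first shared-drive link from an internal sender")
        self.seen_senders.add(sender)
        if has_share_link:
            self.share_link_senders.add(sender)
        return reasons

def run_demo():
    """Feed a constructed sequence of messages through one mailbox's history."""
    history = MailboxHistory()
    messages = [  # constructed sample traffic; the last sender is a look-alike domain
        ("alice@example.com", "Lunch tomorrow?"),
        ("alice@example.com", "Budget is here: https://drive.google.com/file/d/CONSTRUCTED"),
        ("alice@example.com", "Updated copy: https://drive.google.com/file/d/CONSTRUCTED2"),
        ("alice@examp1e.com", "Sign this: https://docs.google.com/document/d/CONSTRUCTED3"),
    ]
    return [history.assess(sender, body) for sender, body in messages]

if __name__ == "__main__":
    for reasons in run_demo():
        print(reasons or "no heads-up needed")
```

The third message gets no warning because that sender has already sent a share link; the look-alike domain in the fourth is flagged only as a new sender, which is why the interview pairs these heads-ups with a scan or report option rather than treating them as a verdict.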
BN: So this is supplementary to a spam filter?
LK: It's much more than a spam filter because they're usually dealing with cleaning up the mailboxes or the spam before it arrives in your mailbox. With a filter the majority of your mailbox will be clean, but some might be suspicious and the most dangerous ones will be the phishing spam. Unlike a spam filter, which is zero or one, yes and no, this is learning with you and adapting all the time. It's like having a little genie sitting in your mailbox, glancing through your emails and simulating and watching. What if you receive a link? Is that like a phishing link right now? If it is, or it is suspected to be, the system will give you information to help you make a decision.
BN: Is the system learning from other people's emails as well as your own?
LK: Absolutely, crowdsourcing is automated at the back end based on machine learning and identifying, but the system is also based on user input. Let's take as an example a completely new phishing attack that reaches my mailbox and your mailbox. We are sitting at different organizations but I was triggered enough by an information message, or by other knowledge, and I click the Cyren button for scanning. The system will identify similar emails, in this case in your mailbox, and if it's positively identified as phishing it will either be remediated completely and taken away from your mailbox, or at least give you an indicator that this email looks suspicious. We also take account of user reports. From our research we have identified that 50 percent of users reporting phishing attacks are actually accurate.
The reality is that training has been with us for many, many years and unfortunately it's not solving the problem. Sometimes it is annoying though. In a regulated company you need to do that, you need to make sure your insurance, your bank and so on know you are following the codes of conduct. When you work with vendors you get training about what you are allowed to do and what you're not allowed to do, what you can get from where, what you can share. We are trying to solve the security element but also giving you awareness, because at the end of the day you will be more cautious dealing with real time attacks but without any need to artificially send simulations.
Office 365 users can try Cyren Inbox Security free for 30 days.