By Caitlin Jones | July 19, 2022

Courtesy of Expert Insights

Billy Smith is the Managing Director at PhishLabs by HelpSystems. With a wealth of experience in the IT and cybersecurity industry, Smith is an expert in using curated threat intelligence to take down cyberthreats. In his role at PhishLabs, Smith enables organizations to proactively identify and remediate threats across their digital channels, including email, social media, open web and dark web, as well as leverage best-in-class training to transform employees into a robust line of defense against phishing attacks.

Mike Jones is the Senior Director of Product Management at Agari by HelpSystems. Jones started his career in cyber in the 90s, in the Network Operations Center at AOL, leading their team of programmers, investigators and analysts as they worked to block email threats. He joined Agari in 2010 and has since helped to develop the email security provider’s suite of email security products and email authentication standards.

At RSAC 2022, we spoke to Smith and Jones to discuss the evolution of social engineering attacks in today’s hybrid workplace, and how organizations can proactively fight back against phishing attacks.

Can you give us an overview of the PhishLabs and Agari solutions, and what sets you apart from other solutions in the email and account compromise protection space?

Jones: So, the Agari products are all focused around stopping advanced phishing attacks, particularly phishing attacks that involve identity deception and impersonation. So, we’re not a standard content analysis engine where we take the whole email in from the internet and do all the initial processing; we sit as an extra layer of security beyond that, and we focus on the purported identity of the sender, and whether that purported identity is actually who sent the email.

Our philosophy is that, if you’re not who you say you are in the email, it doesn’t really matter what’s in the email; you probably should not trust that email. And we were really the first email security company that took that approach because email security was all about analyzing the content of the message, analyzing the URLs, analyzing the malware, which is all important. But then the latest thing, around five to 10 years ago, became the social engineering attack. And these attacks don’t include those URLs or malicious links. So, if analyzing those is all you rely on, you have nothing to catch those business email compromise attacks.

Smith: On the PhishLabs side, we talk about phishing in a broad sense across the different types of digital channels; not just email but social media profiles, social media posts, mobile apps, and things of this nature. But in email specifically, we have our Digital Risk Protection phishing solution, which basically protects our customers’ customers. So, think about ABC bank, for example. One of their account holders is sitting at their home, and they get a phishing email that looks like the bank site, asking them to log in. And we protect them by using those lures to identify those attacks and take them offline.

We also have the ability for our customers to train their employees to detect and report suspicious emails when they receive them. And when we receive those reported emails, we analyze and monitor them for malicious activity, extracting those technical indicators, and we provide the intelligence for and capability to extract any malicious emails from the inbox.

Over the past couple of years, we’ve seen huge changes in the way people work and engage in digital services. What are the big security risks that you’ve seen since the last RSA conference in 2020, and where are things going?

Jones: When it comes to phishing—especially when it comes to social engineering and impersonation—the bad guys pay attention to what’s happening in the news in the world, and they try to take advantage of the latest things that are happening. So, when everyone switched to working from home, of course, there were a lot of COVID-based social engineering attacks. But then beyond that, the bad guys had the opportunity to use different lures, because they knew almost every company was remote. So, if they were emailing someone with an impersonation attempt, they didn’t have to worry that their target actually saw the person they were impersonating in the office that day. They could send an email and say, “Hey, I’m away from the computer and I’m really busy. Can you send me XYZ?” They wouldn’t have to worry about the fact that their target just bumped into that person in the office. It makes it harder for the good guys to fight back against those types of impersonation.

So, we definitely saw criminals double down on business email compromise impersonation attacks. And that hasn’t stopped. And now, of course, like the fallout of COVID is supply chain risk, and the bad guys see that too. And they’re moving to vendor impersonation because they know everyone’s supply chain is under pressure: “Vendors are under pressure, so that’s who I’m going to impersonate and attack.”

Smith: And the goals of these attacks have shifted, too. Prior to remote working and the pandemic, there was a lot more, “Hey, we’re going to send an email and try to get a piece of malware in an organization.” In the new world of work we’re living in now, that’s not as prolific as trying to harvest credentials and get access to something or trying to get someone to do something for you. It’s not necessarily about installing malware anymore. And because of this, the delivery method has evolved, too. So, you see more lures on things like social media, fake mobile apps, and other digital channels besides email.

Do you think people are more susceptible to attacks through these other communication channels than they are to ones delivered through email?

Smith: Our guard has been raised substantially when it comes to email, because of all the security awareness training that’s available. But when it comes to other delivery methods, not so much. So, with a mobile app install or a social media connection, we might be less likely to realise it’s not genuine.

Phishing and account takeover are two of the most common, and arguably most harmful, cybersecurity threats facing businesses today. How have these attacks evolved over time to become a major challenge for businesses, and do you expect these attacks to continue getting worse?

Smith: A big trend has been underway for a long time with single sign-on, where you have one credential to access many things, and organizations might be using multi-factor authentication, but it’s hit or miss as to how well deployed and configured it is. So, I would say that there’s been a shift so that getting to that credential has become more important than getting control of the system. Before, adversaries would try to trick users into installing malware with the idea of getting control of the system. Now, it’s shifted toward getting control of that credential so they can just log in.

Jones: Yeah, if you think back to 20 years ago, the social engineering scams were targeted at individuals. It would be like, “Hey, I’m a Nigerian Prince,” or, “I’m stranded in Europe, I need you to wire me some money so I can get home”. And then that evolved because the bad guys realized, well, businesses have a lot more money than an individual, and the same people that work in a business are the people I’m scamming at home, so why can’t a business fall for it, too? And that’s when they started shifting that attack and realized how much money they can make from that.

And I don’t see why it would change—as long as the bad guys feel like they can make money at it, they’ll continue to take that approach and try to find new ways to probe. And it’s up to us to make that harder for them.

What steps should organizations be taking today to protect their users against social engineering and account takeover attempts?

Jones: The awareness training aspect is important, but it shouldn’t all be on the end users. You can’t expect your end users to be experts, but they have to be aware that this exists so that they can at least have their guard up some. And most organizations train their employees, but it also needs to be an ongoing thing because, like I was saying earlier, the bad guys are going to keep looking for new ways to social engineer these attacks. So, if you’re training your employees to recognize a wire fraud attack, that might not be what they’re going to get next month. They could get something related to the conflict in Ukraine, for example. So, you have to keep reinforcing that with them; it’s not a static thing. There’s always something new.

But there’s also the idea of fighting back a little. Do something a little proactive, instead of just sitting back and trying to block everything as it hits you. The proactive things that we’re doing together with PhishLabs are going above and beyond the traditional phishing site takedown; we’re taking down more of their infrastructure as much as we can. And all of that has an impact because it makes it more expensive for them to try.

Smith: We used to actually have a marketing slogan about fighting back, because that’s basically the history of what we do; the disruption, getting phishing sites taken offline, getting social media profiles shut down, extracting emails from inboxes.

Could you tell us more about how you disrupt attacks and help businesses fight back?

Jones: So, we have something that we call Active Defense, which I think is really cool, because it emphasizes turning the tables on the criminals a little bit and putting some of the hurt back on them. Business email compromise, especially using social engineering, is very low effort for the adversary. They don’t have to produce malware or create phishing sites; they just have to send an email and have a bank account that someone can wire money to. So, it’s very low effort for them, and if they fail, they fail. Then they just send more emails.

What Active Defense does is answer those emails, and we try to prod them into giving us some of their information so we can get their bank accounts, report them to the banks, shut them down and things like that. And that starts raising the cost for these criminals. So, their ROI isn’t like it used to be. And doing creative things like that is important, because otherwise, why would they ever stop? If there’s no penalty to them for failing and they can just keep trying indefinitely, why would they stop?

Smith: Ultimately, we’re trying to make it harder for the attacker. We also get intelligence around failed DMARC, then we’re able to use that to take down the infrastructure that was sending the emails. And if we can get the infrastructure shut down, it’s a lot harder for them to move to some other IP address, for example. So that disruption aspect is something that we’re doing as well.

Finally, what is your advice for organizations; how can they best protect their users against social engineering, phishing, and account compromise?

Smith: The obvious one is to keep the awareness stuff going. But the other piece is—and it seems so cliche, but it’s true—recognizing that there’s no perimeter anymore. Everybody’s everywhere, on every device, all the time. When it comes to digital risk, we often focus on traditional firewalls, email gateways, endpoint detection systems and so on, but the things that are happening outside of those are where the real damage is occurring, be that reputational damage or financial loss. It’s happening on personal devices, and impacting the business. So, I think it’s a mental shift that’s got to change there; monitoring what’s happening outside versus trying to protect the device or server.

Jones: I’d advise organizations to be vigilant and never feel like you’re done. No matter what you successfully implement, in security, you have to stay on top of things. This is what we’re doing all the time at HelpSystems. We collaborate on these things like infrastructure takedown and active defense, because we know that, just because we might be doing well stopping business email compromise now, things will change. And we always have to be looking ahead at what’s going to change, and what you need to be on top of next. You can’t sit back and think, “We stopped that, we’re successful.”