As with most computer software issues, cybersecurity is badly misunderstood by the vast majority of people, including, sadly but as usual, most computer professionals. The result of this is that the vast majority of people have wrong ideas about the source and methods of security breaches and how they can be prevented. Unfortunately, sometimes these wrong ideas have major consequences.
A Typical Phishing Attack
Phishing is a kind of attack on a user by a bad guy. The bad guy sends the target an email that contains something to tempt the target to click on it. Clicking on the hyperlink is like a fish biting the bait on the hook -- you're caught!
I've been the target of a slew of phishing attacks in the last couple of months. Here is a typical email I've received:
What a scary email! It's to me, from my company's email administrator, and I'd better do something about it!
An amazing number of recipients of such an email would have clicked on the red "Resolve Errors Now" box. I wouldn't because:
- I know that my email admin's domain is not "team-admin.net".
- There are multiple suspicious minor grammatical errors.
- Why would the final line be a copyright notice?
And many other reasons.
I went to the trouble of digging a bit. I revealed the URL behind the hyperlink I was supposed to click and copied it. Here is the place I would have gone had I done what the phisher intended me to do:
Yup, it's a one-time domain set up by the phisher, and the string after the question mark identifies who I am, so that the right next hacking steps could be executed against me specifically. This is not an amateur phisher!
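As an added illustration (this is not code from the original post), here is a small Python check that applies the tells above, the sender domain, the copyright line, and the opaque per-recipient token after the question mark, to a constructed message; the example.com and example.net names and the token value are made up, and the grammar tell is left to the human reader.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Domains the organization really sends mail from (assumed, constructed value).
TRUSTED_DOMAINS = {"example.com"}

# Constructed message modelled on the one described above: claims to come from the
# company's email admin, sent from an unrelated domain, copyright line, tracking token.
PHISH = """\
From: "Email Administrator" <admin@team-admin.net>
To: user@example.com
Content-Type: text/html; charset="utf-8"

<p>Your mailbox have errors that requires your attention.</p>
<a href="https://mail-fix-7731.example.net/verify?t=8f3a1c9e2b7d4e6f0a1b">Resolve Errors Now</a>
<p>&copy; 2023 Email Team. All rights reserved.</p>
"""

# Constructed notice from the real administrator, for comparison.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Content-Type: text/html; charset="utf-8"

<p>Mail is down Saturday 02:00-03:00. See <a href="https://intranet.example.com/status">the status page</a>.</p>
"""

def analyze(raw: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    # Returns the reasons a message looks like phishing (empty list if none).
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if sender not in trusted:
        findings.append(f"sender domain {sender!r} is not one of ours")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            findings.append(f"link points to external host {host!r}")
        # A long opaque query value is the per-recipient identifier: it tells the sender who clicked.
        for key, vals in parse_qs(url.query).items():
            if any(len(v) >= 16 for v in vals):
                findings.append(f"link carries an opaque tracking token in {key!r}")
    if re.search(r"&copy;|©|\(c\)", body, flags=re.I):
        findings.append("body carries a copyright line, odd for an internal admin notice")
    return findings
```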
There are more where that came from.
The email above was hardly an isolated example. Just yesterday I received an email from someone I knew at another VC firm, asking me to click to download an important document. Half an hour later, I got a legit email from the firm's admin saying sorry, the sender's account was hacked, please don't click on the email, and if you did, you may want to change all your passwords.
Here is another I recently received, apparently from DHL instead of apparently from my email administrator:
Yes, the place they want you to click is totally bogus -- and bonus points for doing an exceptional job mimicking DHL!
Cybersecurity Experts Know All About Phishing Attacks!
Sure they do. It's on everybody's list, and they all put "solutions" in place. Solutions that don't work.
A colleague of mine has been a top tech executive in major financial institutions. He told me how none of the anti-phishing solutions work because too many valid emails end up in the "spam" folder, and/or too many phishing attacks are passed through as OK. If users know there's a phishing filter in place, they tend to assume that every email in their inbox is OK, and click away, making the problem worse.
The executive tried phishing education for users. He ran several different kinds of education and sent simulated phishing emails to people to measure its effect. Net result: no form of education improved the practical willingness or ability of users to notice phishing attacks and avoid clicking on them. Conclusion: highly paid office workers are too stupid to be educated on this subject.
The Place of Phishing Attacks in Cybersecurity
Regardless of your familiarity with computer security, I suspect you've got the image nearly everyone has about it -- an image that is like a medieval castle with high walls and ponderous, thick gates that are heavily guarded. It's all about those evil bad guys roaming around out there, always probing for ways to get around the gate or over the wall to get inside and wreak havoc.
This is a vivid image, and it accurately reflects part of the truth. Phishing attacks, along with insiders who have become bad guys, are an important part of the rest of the truth. While there are "solutions" to phishing, they're mostly badly-performing filters that dump loads of emails into a "spam" folder, many of which are perfectly legit, so you have to go through the folder manually anyway. What's the point?
Phishing and bent insiders are the poor step-children of cybersecurity, always acknowledged as being part of the family, but surviving on hand-me-downs and left-overs as best they can. This in spite of the fact that they continue to be the source of the most flagrant "breaches" of security we know about! High-end retail stores and even libraries have had working solutions to this kind of problem in place since before computers were invented, but there's something about being a fancy-shmancy computer science cybersecurity expert that prevents such solutions from being considered. Among other things, check out:
https://www.blackliszt.com/2017/05/computer-security-problems-solutions.html
Conclusion
The image of bad guys cackling in distant, dark rooms lit with screens, as they manage increasingly devious attacks against the walls and defenses of the innocent computer systems of the world, continues to cause regulators, cybersecurity experts and the other grandees of computer administration to ignore the real threats -- the ones that work, the ones that actually lead to failures of computer security. It's hard to grasp the full extent of combined stupidity, self-satisfaction and blindness that leads to the ongoing non-response to bad actors recruiting insiders to do their work for them.