
Phishing: detection and prevention

Posted on April 26, 2015.

Organizations can be divided into those that have been successfully phished, and those that will be successfully phished. In fact, there is nothing more certain in life than death, taxes and phishing. At a recent internal roundtable discussion on the problem among CISO members of Wisegate, a poll showed that 100% of participants had been phished, and 80% had been successfully phished. This meeting had convened to discuss an MSc dissertation by one of the members. It asked the question: can increased user awareness and/or improved technology successfully detect and prevent phishing?

The study analyses published reports, an online survey and detailed one-on-one interviews with other CISOs. The conclusions are not promising. User awareness training only works up to a point. It is relatively easy to train users to be suspicious about unexpected emails full of bad grammar, typographical errors and strange URLs – but is altogether more difficult, if not impossible, to train anyone to detect a personally targeted email that uses social media pretexting.

A good recent example came in the latter half of last year. A tech journalist at the Telegraph newspaper challenged John Yeo of Trustwave to hack her personal computer – and hack her he did, by spear-phishing. The details can be found in an article written by the journalist; but the point here is that a tech-savvy security specialist who was specifically expecting to be hacked still got phished. What was true for this journalist is true for everyone.

The dissertation study also finds a dearth of effective technology to prevent phishing. The problem here is that as soon as anything proves effective, the phishers simply adapt their techniques, so technology cannot keep up with the attackers. Two stark figures leap from the study: 90% of the companies taking part have some form of technology defence against phishing, yet 95% have still been successfully phished. The implication is clear – technology on its own simply doesn’t work against phishers.

So can anything be done? Not much, to be frank. Several recommendations were made, but phishing is a global problem that really needs a global solution. It requires better international threat intelligence sharing and globally harmonized legal definitions and sanctions. The former is slowly happening between many law enforcement agencies (though not necessarily down to the company level); but a truly international legal treaty… the US, EU, Russia, China, Iran and North Korea all sitting around the same table? It’s not likely.

One thing that would help would be a publicly available master database of malicious URLs – but that would require altruism above the norm. It would require the FBI and other national law enforcement agencies to combine their intelligence with a large number of otherwise competing private security firms, who base their products on their own proprietary intelligence.

But it’s not all doom and gloom. The CISOs did share some of their own best practices:

  • sandboxing – a security measure that allows code to be executed in an isolated environment. Sandboxing suspect attachments and links is always useful, because the suspected malware is detonated and observed in safety rather than on a production machine.
  • in-line stripping – this approach automatically strips out links within incoming emails and optionally replaces them with a link to a company warning or training page.
  • behavioural practices – one of the CISOs described relative success from simply getting all staff to forward any mail with a suspect link to Security for evaluation. He has no formal method of measuring the success of this approach, other than that every week he receives ‘a ton of emails’ sent to Security. It is based on the unscientific security policy known as ‘paranoia pays’, and its success depends upon making staff paranoid about security.
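The in-line stripping practice above, as an added illustration (not code from the article or from any Wisegate member): every external link in a message body, whether an `href` attribute or a bare URL in the text, is either removed or redirected through a company warning page, while links to trusted internal hosts are left alone, and the original targets are returned so Security can review them. The warning page URL, the trusted host list and the sample message are all constructed assumptions.

```python
import re
from urllib.parse import quote, urlparse

# Assumed values (hypothetical, not from the article): the company warning page
# and the internal hosts whose links should be left untouched.
WARNING_PAGE = "https://security.example.com/link-warning"
TRUSTED_HOSTS = {"intranet.example.com"}

# One left-to-right pass matches either an href="..." attribute or a bare URL,
# so a URL that has already been rewritten is never matched a second time.
LINK_RE = re.compile(
    r'''href\s*=\s*(?P<q>["'])(?P<href>[^"']*)(?P=q)'''
    r'''|(?P<bare>https?://[^\s<>"']+)''',
    re.IGNORECASE,
)
TRAILING_PUNCT = ".,;:!?)"


def _is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_HOSTS


def _rewrite(url, mode, found):
    """Keep trusted links; strip or redirect external ones and record them."""
    if _is_trusted(url):
        return url
    found.append(url)
    if mode == "strip":
        return "[link removed by mail security]"
    # Warn mode: the user lands on the training page first, and the page
    # receives the original target as a parameter for Security to inspect.
    return f"{WARNING_PAGE}?original={quote(url, safe='')}"


def strip_links(body, mode="warn"):
    """Return (rewritten body, list of external URLs found, in order, deduplicated)."""
    found = []

    def _sub(m):
        if m.group("href") is not None:
            q = m.group("q")
            return f"href={q}{_rewrite(m.group('href'), mode, found)}{q}"
        # Bare URL: detach sentence punctuation so it is not treated as part of the link.
        url = m.group("bare").rstrip(TRAILING_PUNCT)
        trail = m.group("bare")[len(url):]
        return _rewrite(url, mode, found) + trail

    return LINK_RE.sub(_sub, body), list(dict.fromkeys(found))


# Constructed sample message (not from the article).
SAMPLE_EMAIL = (
    "Your mailbox is almost full. Verify your account at "
    '<a href="http://mail-reset.example.test/login?u=1">http://mail-reset.example.test/login?u=1</a>. '
    "Company policy: https://intranet.example.com/policy."
)
```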

But despite this rather gloomy picture the CISOs are not downhearted. They know that they cannot prevent phishing; but what they seek to do is reduce the risk to an acceptable level. “If I can increase the detection of phishing emails from, say 10% to 50/60% then I will consider that a success,” explained one. “It is then up to me to have enough other internal controls to catch anything that gets through.”

So the conclusion from this particular discussion amongst CISOs is that you cannot stop phishing. There is no silver bullet. All you can do is catch as many phishes as possible, and trust to your other security controls to mitigate any that you miss. One thing, however, is certain – this is a problem that won’t go away. In fact we saw last week that the phishing threat is likely to increase over the next few years. The US migration from mag stripe to Chip & PIN cards will drive criminals to seek easier targets and methods, such as phishing.


see also: EMV Rollout in the US – Keep Calm and Carry On


Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.
