Spear Phishing: How Not to Get Hooked Expert Panel Says Banks Must Understand Attack Methods
Spear Phishing: How Not to Get Hooked
Daniel Cohen, Dave Jevans and Doug Johnson

Spear phishing attacks are increasingly sophisticated. Banking institutions must learn more about how fraudsters dupe one's customers and employees, says a panel of three financial fraud experts.

Spear phishing -- a malicious e-mail that targets specific recipients by including either personal or corporate information that fools them into trusting the source -- has heightened the need for more employee education and network defenses.

"Specifically looking at spear phishing, it's the No. 1 indication of the deteriorating perimeter," says Daniel Cohen, a threat researcher and phishing expert at security firm RSA. "These spear phishing e-mails are getting past the perimeter so easily. We have to change the way we think about security," which means organizations need to focus more attention on strengthening corporate identities with digital technologies and moving away from known signatures.

The rise in spear phishing is concerning for banking institutions, because not only are their employees vulnerable, but so are their customers, says Doug Johnson, senior vice president of risk management policy for the American Bankers Association.

Fraudsters have found that by spear-phishing certain corporate customers, they can quickly monetize their attacks, Johnson says.

But it's not just these targeted campaigns that are posing increasing risk for banks and credit unions, adds Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of security firm Marble Security.

According to the APWG's just-released quarterly phishing trends report, more third-party payments providers are being targeted by phishing campaigns, and that means more risk for banking institutions.

"Why is this game continuing to get bigger?" Jevans asks. "Because our attack service is dramatically expanding every year. ... Attackers are striking more targets."

During this first part of a two-part panel interview on phishing trends and solutions, Jevans, Johnson and Cohen discuss:

  • Why the so-called network perimeter no longer exists;
  • How attackers are increasingly using social media sites to select their spear-phishing targets;
  • How organizations are increasingly using technology and training to enhance their phishing defenses.

Be sure to check back for part two of this panel discussion, when Jevans, Johnson and Cohen discuss why the advent of mobile devices and bring-your-own-device policies have further deteriorated the perimeter by giving hackers more opportunity to wage successful phishing campaigns, and why organizations must pay more attention to the segregation of systems.

About the Panel

Jevans is chairman of the Anti-Phishing Working Group, and founder and CTO of Marble Security Inc. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy. He also worked in the advanced technology group at Apple and ran an engineering project involving advanced operating systems.

Johnson leads the ABA's enterprise risk, physical and cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. And he serves on the BITS/Financial Services Roundtable Security Steering Committee.

At RSA, Cohen serves as the head of business development for the Online Threats Managed Services division, where he researches emerging malware attacks as well as other online risks.




Around the Network