Spear Phishing: Do You Know Your Risks?
How Mobile Devices, Social Media Have Made Hacking Easier
The widespread use of mobile devices and social media has fueled spear phishing by further eroding the so-called perimeter that once shielded corporate networks, giving hackers more opportunity to wage successful campaigns, says a panel of three financial fraud experts.
Today's cyber-attacks are almost always cross-channel, says Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of security firm Marble Security. Spear phishing takes aim at users' corporate and personal e-mail accounts, as well as their social media profiles and mobile numbers, he notes.
"These attacks are multichannel," Jevans says in part two of the panel discussion. "They are sophisticated and take place over a long period of time. It's a chess game."
To effectively fight financial fraud, banks and credit unions must have holistic views of their networks, says Daniel Cohen, a threat researcher and phishing expert at security firm RSA. Banks and credit unions should know what is happening across all of their banking channels and network-access points simultaneously, which means fraud and security departments need to communicate more often, he says.
"We're seeing a convergence of information security and fraud today," Cohen says. "Within the banking security teams, there is a lack of information sharing."
And it's not just fraud and security departments that need to maintain regular communication - IT and anti-money-laundering departments, for instance, also need to share details about transactional anomalies and suspected fraudulent account activity, he says.
"Better communication and intelligence sharing are critical," Cohen adds.
Banking regulators also are encouraging more of this type of cross-departmental sharing, says Doug Johnson, senior vice president of risk management policy for the American Bankers Association. "It just makes good business sense," he says.
Institutions need to understand that the various channels their employees and customers use to access and share data have eroded the perimeter once relied upon for network security, the panel says. This erosion has allowed hackers to get inside the network with phishing attacks that socially engineer users across multiple channels, including mobile, Cohen says.
"All of these devices coming online - home devices and other devices, such as mobile - are further increasing the attack surface," he says. "Spear phishing is being used more and more because it works. The solutions that we come up with have to take all of that into account."
During this second part of a two-part panel interview, Cohen, Johnson and Jevans also discuss:
- How organizations can launch staff educational programs to address spear phishing vulnerabilities;
- How educating executives about the pitfalls of sharing too much information on social media sites can dramatically reduce phishing risks; and
- Why network segregation is essential to ensure hackers that get in through phishing can't work their way into critical systems.
Jevans is chairman of the Anti-Phishing Working Group, and founder and CTO of Marble Security Inc. His career in Internet security spans more than 20 years; he has held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.
Johnson leads the ABA's enterprise risk, physical and cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. And he serves on the BITS/Financial Services Roundtable Security Steering Committee.
At RSA, Cohen serves as the head of business development for the Online Threats Managed Services division, where he researches emerging malware attacks as well as other online risks.