Phishing Defenses to Implement Now

Phishing continues to be a serious business risk, but most people aren’t confident that they or their employees can spot and avoid a phishing attack in real time.  If you’ve been a victim of phishing, you are unfortunately not alone.

Traditional email security approaches continue to be ineffective.  This is because phishing relies on social engineering, personal interactions, and human decisions, so even the most sophisticated artificial intelligence (AI) can’t figure out what a phishing email looks like.

But we have some ideas that will help strengthen your phishing defenses. 

Pay attention to which emails seem to deviate from the norm.
Statistics show that about 0.1% of email received by a business is definitely malicious, while another 0.8% is statistically anomalous.  This means that at least 0.8% is potentially malicious. You can apply technology controls to remove the known-bad 0.1%, but it’s difficult to determine which messages in the remaining 99.9% make up the possibly risky 0.8%.

The solution is to focus on anomalies in an email.  These include things like a misspelled email display name, a statistically unusual URL, a sender the user doesn’t recognize or expect, or an email that refers to money transfers or account information.
Then provide users with context-specific alerts and visuals that advise the user that the email may be malicious.
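
The anomaly checks described above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any product; the contact list, trusted domains, keyword list, similarity threshold, and sample messages are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, constructed baselines; a real deployment would learn these from mail history.
KNOWN_CONTACTS = {"dana.reyes@example.com": "Dana Reyes"}  # address -> usual display name
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
MONEY_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|account number|routing)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def lookalike(domain):
    """Return the trusted domain that `domain` closely imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    score, trusted = max((SequenceMatcher(None, domain, t).ratio(), t) for t in TRUSTED_DOMAINS)
    return trusted if score >= 0.85 else None

def anomalies(raw):
    """Return user-facing alerts for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    alerts = []
    if addr not in KNOWN_CONTACTS:
        alerts.append(f"Sender {addr} has not written to you before.")
        if name in KNOWN_CONTACTS.values():
            alerts.append(f"Display name '{name}' belongs to a contact at another address.")
    hit = lookalike(addr.rpartition("@")[2])
    if hit:
        alerts.append(f"Sender domain looks like {hit} but is not.")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # Last two labels approximate the registered domain (no public suffix list here).
        hit = lookalike(".".join(host.split(".")[-2:]))
        if hit:
            alerts.append(f"Link to {host} looks like {hit} but is not.")
    if MONEY_TERMS.search(body):
        alerts.append("Message asks about payments or account details.")
    return alerts

# Constructed sample messages.
SPOOFED = ('From: "Dana Reyes" <dana.reyes@examp1e.com>\nSubject: Urgent\n\n'
           "Please wire the payment today: https://portal.examplebamk.com/login\n")
BENIGN = ('From: "Dana Reyes" <dana.reyes@example.com>\nSubject: Lunch\n\n'
          "Menu for Friday: https://example.com/menu\n")
```

Calling anomalies(SPOOFED) returns one alert per anomaly found, which can be shown to the user as a banner on the message; anomalies(BENIGN) returns an empty list.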

Why the concept of “caught vs. missed” emails is not the right approach.
Standard email security products identify problems such as malicious attachments and links and therefore can offer protection against known issues. But they are much less useful against zero-day malware or websites that seemed safe when the email was sent, but were then attacked and weaponized with credential-stealing hacks.  

State-of-the-art email security products are coming out with machine-learning (ML) algorithms, but these still rely on a detection-based approach.  For example, advanced algorithms won’t prevent someone in your finance department from being social-engineered into providing bank account information or transferring funds to a fraudulent account.

Knowing about and dealing with the phishing “kill chain”.
“Kill chain” is a term for understanding a hack attempt.  It divides the attempt into 3 separate processes that include tracking, locating, and getting the user to take action.  These 3 pieces are distinct:

  • Vectors: These include malware, malicious links, and unauthenticated mail. Hackers continuously find new ways to utilize these vectors.
  • Delivery: Hackers deliver malware or malicious links, getting a user to click on something malicious.  Attackers use targeted social engineering to gain user trust.
  • Exploitation: Hackers convince users to do something like download attachments, share private or sensitive data, click links, or transfer money.

Breaking the kill chain at any of these 3 points will thwart an attack.

How to implement phishing defenses that actually work.
First, get your email-security fundamentals down by utilizing your email platform’s built-in data-loss protections. Also, make sure your network is properly configured with authentication protocols such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Make sure you have packet tracking at each point in your network topology: before the firewall, at the firewall, at the switch, and at each endpoint on your network (servers and PCs).  Packet tracking will enable you to flag all suspicious activity so that your IT staff can then review it.

Also, make sure you have methods and procedures in place to mitigate risk.  For example, if your finance department needs to be able to transfer funds, be sure to implement a threshold amount above which a red flag is raised and the CFO must approve the transfer.

You can apply controls at every step of the phishing kill chain.  Make sure you implement controls around unknown senders, anomalous relationships, unusual header data, and misspelled URLs and domain names.  You can also take actions such as user quarantine, file removal, link rewriting, and dynamic user alerts.

By implementing a layered set of AI and methods-and-procedures (M&P) controls, you can break the phishing kill chain at one of the chain’s 3 processes and protect your business from phishing disasters.
