The first time I became aware of phishing was in spring 2000. The startup I was working for had just hired new employees and the eight of us were working out of temporary office space. One of the new hires, Mike, was settling in, setting up his email, learning our CRM tool, and starting to prospect his territory. Although our local office was tiny (in size and number of people), we were part of a larger organization with offices and employees across the US. It was therefore not unusual—or suspicious—to receive an email from an unfamiliar colleague. When Mike received an email “from” a fellow salesperson, although the subject line seemed odd—it read “ILOVEYOU”—Mike clicked, not wanting to ignore his new coworkers. The email content instructed Mike to open an attachment, and … you know what happened next: the “Love Bug” spread to every contact in Mike’s address book, including the CEO.
Because it was 2000 and because little information was on or accessible by Mike’s machine (he’d just started and we had only local access to the CRM database), minimal damage was done. Mike was embarrassed, but the IT team was able to contain further internal spread and prevent important files from being corrupted or deleted. Not every company was so lucky, and the “Love Bug” introduced the dangers of phishing to the average worker’s consciousness.
For several years after the “Love Bug,” phishing remained a prevalent scam, but one that was recognizable. Silly subject lines like “ILOVEYOU” were the norm, obvious grammatical mistakes were rampant, and the requests within the email body were often huge tipoffs (no, you don’t have a long-lost uncle from whom you will inherit $10 million if you just click on this link and pay $100 first). Yet these phishing scams worked—and still do.
At the same time, awareness of phishing was on the rise. Companies warned employees about the risks of clicking on links and opening attachments, and IT and security teams deployed email security tools and anti-virus to limit what could get into or out of the organization. As companies got better at filtering out the obvious, scammers got better at crafting campaigns that could evade detection. Employees no longer had to be on the lookout for a Nigerian prince; now HR professionals had to be wary of resumes attached to emails, finance professionals had to be suspicious of requests for payment information, and logistics teams couldn’t blindly open emails about a missing or delayed shipment. The game was growing steadily more sophisticated.
By the end of the decade, phishing had become the top attack vector for cyber criminals, yet companies couldn’t rely on busy employees to identify every threat, and the technology of the day wasn’t doing enough to keep malicious emails out of employees’ inboxes. Rohyt Belani and Aaron Higbee weren’t satisfied with the idea that security awareness training alone was the way to win the war on phishing. In 2011, the pair co-founded PhishMe, now Cofense, to go beyond basic awareness and data collection.
The company’s initial products were phishing training tools that IT and security teams could use for education and metrics. What they found, Belani told me, was that as employees were trained and gained more knowledge, they started proactively alerting their companies’ IT teams about suspicious emails. While IT welcomed the employee engagement, the resulting ad hoc reports were difficult to triage. Based on this feedback, PhishMe/Cofense developed an email plugin that gives employees a single-click mechanism to report suspicious emails, along with a tool that helps customers manage the incoming reports, complete with classification and scoring.
This same customer feedback loop is what has helped Cofense innovate and evolve. They were the first company to automate phishing detection, but today, in addition to triage, Cofense customers can leverage intelligence, automate analysis, and remediate threats before they turn into network compromises. Using a crowdsourced model, the company’s eight products allow customers to identify patterns, classify campaign types, correlate data across several organizations, and even contextualize indicators of compromise. “It’s about operationalizing knowledge of phishing and spam,” said Belani. “We don’t just want to be companies’ phishing simulation and training provider,” he said, “our goal is to allow secure interaction and collaboration between employees, doing so by codifying intelligence around the content of phishing attacks.”
All that being said, anti-phishing providers seem to be a dime a dozen. Every vendor in the category claims a customizable solution that lets users test and train employees, collect metrics, and analyze data to improve detection and determine remediation. Why, then, should security teams choose Cofense? I asked Belani. “Tons of companies have phishing simulation, training, and awareness,” he responded, “but the key is being able to do this at scale, being able to do this without having to ask every endpoint security vendor to whitelist your technology, replicate active threats known to bypass the customer’s secure email gateway (SEG), and to go beyond phishing. Phishing is only the beginning. We were the first to market with an automated phishing solution and we learned a lot about customers. Phishing isn’t only a technical attack. Phishing is emotional because it targets humans. No one wants to be caught falling for a phishing scam. Training is only the steppingstone; if you focus on phishing only, you’re missing a big component.”
To that end, he explained how Cofense’s various technology components combine to provide an intelligence-based service for secure communication and collaboration. Beyond basic training and detection, Cofense solutions collect intelligence on which types of phishing attacks are bypassing even next-generation secure email gateways (SEGs) and can predict which future attacks will evade common tooling; they analyze the characteristics of phishing campaigns and recommend where customers should focus their efforts; they draw on intelligence from millions of daily messages to identify new and emerging threats; and (maybe most importantly) Cofense enables security teams to remove malicious emails from users’ inboxes, thereby lowering the risk of compromise. “It’s an active, threat-based system powered by humans, seeded by machine learning,” said Belani.
Phishing has progressed far past Love Bug-style campaigns, which is why it is so hard to stop. Many endpoint and email gateway technologies can identify the low-hanging fruit—the more obvious phishing campaigns and those already observed in the wild. But it takes more than simple technology to combat today’s phishing threats. Attackers are known to use sophisticated techniques and convincing tactics—some even employ marketing and design personnel—so defenders need to fight back with equally sophisticated technology and user training. Although we all endeavor to love working for our bosses, no one wants to profess their love through a clumsily crafted email carrying the gift of malware. Cofense is a leader in the phishing prevention space for a reason, and we recommend taking a look at their offerings.