Graphus' Amelia Paro on Why Phishing Has Exploded Since 2020
How Hackers Have Upped Their Game With DIY Phishing Kits and the Dark Web
The shift to work from home caused by the novel coronavirus pandemic came loaded with a spike in phishing attacks, says Graphus Director of Channel Development Amelia Paro.
Work from home means reading corporate email on personal devices and opening messages while distracted by children or pets, increasing the chances employees will click on a malicious link or open a malware-loaded attachment, Paro says. The U.S. Census Bureau estimates the number of Americans who primarily work from home tripled between 2019 and 2021, rising to roughly 27.6 million people.
Attackers have used the opportunity to send more advanced phishing bait, whether by taking advantage of DIY kits or information purchased on the dark web to more convincingly impersonate a legitimate sender (see: The State of Phishing and Email Security).
"Phishing emails nowadays are way more sophisticated than they used to be," Paro says. "Anyone with even mediocre technical aptitude - if they know how to get on the dark web and where to go to purchase these things - can leverage sophisticated attacks against organizations."
In a video interview with Information Security Media Group, Paro also discusses:
- Why phishing is such a major challenge for businesses;
- The impact of the pandemic on the threat landscape;
- How AI can help with investigating email-based threats.
Paro leads the channel team across all of Kaseya including Graphus, working with MSPs and channel partners around the globe. She has over 10 years of experience in the technology industry in B2B and B2C environments, and her past sales experience includes IT hardware/software and IT consulting and services. Paro has managed and grown a successful MSP in Arizona and worked with clients across the U.S. in the financial sector, nonprofits and unions, and Fortune 500 retail organizations. She experienced great success using Graphus and ID Agent's services during her years as an MSP and is passionate about seeing partners gain the same success and profitability.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Amelia Paro. She is the director of channel development for Graphus. Good morning, Amelia, how are you?
Amelia Paro: I'm doing well. Thanks for having me.
Novinson: Thank you for coming by. I want to do a deep dive today on phishing and advanced email security. To start with, I'd love to get your perspective on why phishing is such a big threat for businesses?
Paro: That's a great question. So a couple of main reasons why it's such a huge threat - now more than ever. COVID changed a lot of things for a lot of businesses and when the workforce went remote, it opened up more opportunity for cybercriminals to leverage email and digital attacks. The sheer volume of emails that is handled on a daily basis - sent/received - has exploded as well. We've seen a 74% increase in just the sheer numbers of emails being handled by employees and by individuals. And the line between personal and work has also blurred too. We are using mobile devices more than desktop computers. And so if you think about end users, employees, sitting in bed in the middle of the night checking email, scrolling through, it gets hard to tell what's real and what's not. And also distraction. So there's a lot of different things that have come to light since COVID. But COVID was the catalyst that got all this. This started and got the ball rolling. So, number of emails, the sheer volume and on the cybercriminal side, phishing is their number one attack vector of choice, because it's easy, right? It's easy to deploy, they can do spray and play where they can send out many, many, many hundreds of thousands of emails, and all they need is one person - one person at an organization to be distracted or not have enough education, or just be unaware, whatever the reason. All it takes is one.
Novinson: Very interesting! Let's double click here on the COVID-19 piece, and I'd love to get a little bit more color for you around what impact the pandemic has had on the phishing threat landscape?
Paro: When everybody went remote and virtual, IT teams and businesses weren't prepared for that, for the most part. And as I mentioned in my response to the last question, the lines between personal and work have blurred. And we were all stuck at home. And so you've got the dogs barking, and the kids screaming, and the spouse trying to talk to you. And so distraction was one of the number one reasons that people cited for falling for a phishing email. And phishing emails nowadays are way more sophisticated than they used to be. They're employing social engineering tactics, as well as the vast network of resources that is available on the cybercrime underground virtual market known as the dark web. Anyone can buy on the dark web a highly sophisticated DIY done for you phishing kit that's literally plug and play. And so anyone with even mediocre technical aptitude, if they know how to get out on the dark web and where to go to purchase these things, they can leverage sophisticated attacks against organizations. So couple of things went into play - just the change in the environment and the work environment and all the distractions and also the availability of these types of attacks, and that they're the favorite method of cybercriminals.
Novinson: So, I know you'd mentioned the phishing kits. What are some of the other ways the sophistication of phishing attacks has changed in recent years?
Paro: So we've seen a lot more account takeovers, now these are going to be attacks that are coming from a trusted source. So historically, your standard email gateway, which is what most spam filters, most email security historically, that's the technology that they have employed. Now, your standard email gateway is only going to catch known threats. We all are aware of the Nigerian prince scam, right? We kind of use it as a joke now, right? Somebody will get an email, it says, "Oh, I'm a Nigerian prince and I want to send you $3 million. I just don't know your address and phone number, but it's gonna cost a little bit of money in order for me to send you your million of dollars," whatever it is, right? But the wording, the syntax was awful. And there was no punctuation. And it was just it was a phishing email. And the known threats, like links in emails are generally known to take you to a, like a website that has malicious payload in it, or an attachment, right. And then the goal is you open the attachment, and it's going to automatically download a malicious payload. So those are known email threats. Well, nowadays, you've got very sophisticated email threats that include account takeover, which you're, for example, a CEO of a company. His email account is compromised and taken over. So then when an email goes out to the entire company from the CEO, it's his email, your standard email security tools are not going to catch that. It's coming from a trusted source, right? There's no hyperlinks in it, there's no attachments. It just says, "Hey, I need you all to buy some gift cards." And then there's the zero day attacks, which again, goes back to the level of sophistication and threat actors are constantly upping their game, evolving their tactics to avoid detection. So makes it harder for seasoned professionals, those in cybersecurity, and the tools that we use to help us combat against this threat or to catch those types of threats. 
So that's where advanced technology, like advanced email security tools that use machine learning, that use advanced technology like AI to help combat against those advanced phishing attacks.
Novinson: Let's turn our attention to that and the use of AI and ML in advanced email security, specifically in terms of AI. How can that help with the investigation process?
Paro: So it helps in a couple of ways. So first and foremost, it's automating things, and doing them quicker than humans have the time, the bandwidth to do. For example, one of the components of Graphus, our email security tool, what the AI does is it uses the speed of machine to analyze over 50 different components of the communication habits, styles and patterns of the employees, the end users, the way they communicate, with whom they communicate, the times that they communicate, what devices they normally communicate from, where geographically they communicate from, and it's doing all of this work in the background, very quickly, way more infinitely more quickly than a human would be able to do. And so it's taking all of that information, it's assimilating it into what we call a trusted communication profile. Now, it's a baseline, the tool allows the employees to contribute to the learning the trusted profile, as the interactions with it continue. But if you just think about the sheer volume of work that the AI has now been able to accomplish in literally in minutes. I think that is in my opinion, one of the ways where AI is a critical component in the fight against advanced phishing emails.
Novinson: I know you talked some about the benefits of AI-specific automation. Also wanted to get into how AI can be used to reduce the workload for IT security teams. Can you give me a little bit more color around that?
Paro: Absolutely. So I talked about how the AI creates this trusted profile and allows the end users to contribute to the learning. So there's a couple of ways that it does that. The employees will interact with the email when a warning banner is attached to an email with the tool. Things might be suspicious for various reasons. And if it gives the employee the ability to respond and say "yes, this is a phishing email," click or "no this is safe" click now. Either one of those responses will teach the tool, right? "Yes, it's safe" - It adds that communication to the trusted profile. "No, it's not safe" - Now, this is where the automation helps reduce the workload. So if it is marked as phishing, the tool will automatically pull that phishing email from any other inbox that may have reached automatically, immediately, regardless of where that inbox geographically is located. So in thinking about how, historically IT teams, technology teams, when they have to respond to a lot of false positives, investigations, they're spending time figuring out "okay, is this a real phishing threat? Is it not?" And if it is a real phishing email, who else in the entire organization may have opened it? They have clicked on a link. If there's no link, there's no attachment, or done what was requested in that phishing email - went out and bought gift cards or change the direct deposit location of an invoice payments, right? These types of things a normal SEG wouldn't pick up. So as the tool gets smarter, it's going to reduce the amount of time that teams are spending investigating, following up, hunting down, releasing false positives. And as the longer you use it, the smarter it gets. So the amount of time that teams will be spending is generally minimized.
Novinson: Let's talk to you about Graphus specifically. When you gaze into the crystal ball, what do you feel customers and prospects should be watching for from the company as we head into 2023?
Paro: It's a great question. So we are focusing more on increased automation and also smart integrations with other tools that IT teams use regularly. Best of breed tools that provide different functions, but can work together with Graphus. For example, a ticketing system, or a remote management system, or a documentation network/documentation tool. So taking the like the ticketing system specifically, right? So ticketing system would be if an end user needs IT support. They would send an email to IT support @company.com and that gets logged into the ticketing system of the IT team on the backend. Now, with an integration with Graphus, as soon as Graphus identifies a phishing threat, it will connect to the ticketing system, it will create a ticket immediately include all the phishing email details that the tool has identified. And allowing teams to not only document what they've done to resolve it, but creating a cohesiveness and letting them solve it quicker.
Novinson: Interesting stuff. Amelia, thank you so much for the time.
Paro: You're very welcome. It was my pleasure. Thanks for having me.
Novinson: Of course. We've been speaking with Amelia Paro. She is director of channel development for Graphus. For Information Security Media Group, this is Michael Novinson. Have a nice day.