
The email looks legit. It’s addressed to your work account from a sender you know well, and the message makes reference to intimate details only a friend would be familiar with. So you click on the link — and inadvertently expose your entire company’s network to some of the most sophisticated hackers on the planet.

You’re not alone. This type of attack – known as “spear phishing” – is becoming increasingly common. And it’s running rings around standard anti-malware systems.

Hackers go spear phishing to acquire usernames, passwords and credit-card details. They target specific individuals within an organization, using information available on sites such as Facebook, LinkedIn or Twitter, or stolen from an acquaintance of the target to create messages that appear real.

The answer to the spear phishing scourge, says Eyal Benishti, founder and CEO of Israeli security startup Ironscales, is education and training. Ironscales has built an automated system to teach users how to spot a fake email and not click the link.

It’s not an either/or situation – Israeli security powerhouse Check Point Software is not in danger of losing its cybersecurity business – but people-powered malware defense needs to become part of a complete solution, Benishti argues.

Eyal Benishti of Ironscales.

“Where traditional systems fail, employees can succeed. Our brain is the best anti-fraud system that exists inside of any organization.” Benishti claims that companies whose employees have gone through Ironscales training can see up to a 90 percent reduction in the click rate on fraudulent links.

Spear phishing is different from plain old phishing, where the hacker doesn’t care what he gets as long as he nets a live one. Of the estimated $70 billion spent annually on IT security, nearly all goes to traditional defenses like firewalls, blacklists, anti-virus, anti-spam and security gateways. But these are mostly defenseless against spear phishing.

To counter this phenomenon, Ironscales sends fake emails to company employees; no two employees receive the same emails at the same time. If a recipient suspects a hoax and does nothing, Ironscales delivers increasingly sophisticated messages trying to get the employee to click. Anyone who finally falls for the ploy gets redirected to an informational screen with a short interactive tutorial.

Ironscales adds a feature that competitors like Wombat Security Technology don’t have – a mitigation button that allows employees to report a suspicious email.

Iron Traps

Benishti calls the most vigilant employees – those who never fall victim to an attack – “Iron Traps.”

If an Iron Trap presses the big red “Report Phishing Attack” button at the top of his email client, that email will be eliminated from all computers company-wide. If two employees with a high ranking, but who are not yet Iron Traps, both report an email, it also will be trashed.
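The two mechanics described above (the escalating simulation that ends in a tutorial for anyone who clicks, and the report-consensus rule that removes an email company-wide on one Iron Trap report or two high-ranking reports) can be modeled in a few dozen lines. The following is an added example written for this article, not Ironscales' code: the thresholds `IRON_TRAP_MIN_REPORTS` and `HIGH_RANK_SCORE`, the `score` formula, and the names `record_simulation`, `should_quarantine` and `quarantine` are assumptions, since the article gives no numbers or API.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

# Thresholds are assumptions for this example; the article states no numbers.
IRON_TRAP_MIN_REPORTS = 3   # simulations correctly reported before "Iron Trap" status
HIGH_RANK_SCORE = 2         # score from which a non-Iron-Trap report counts toward consensus


class Outcome(Enum):
    """What an employee did with one simulated phishing email."""
    CLICKED = "clicked"    # fell for the ploy -> gets the tutorial
    IGNORED = "ignored"    # suspected a hoax but did nothing -> next email is harder
    REPORTED = "reported"  # pressed the report button


@dataclass
class Employee:
    name: str
    difficulty: int = 1    # sophistication level of the next simulated email
    clicks: int = 0
    reports: int = 0

    @property
    def score(self) -> int:
        """Hypothetical ranking: correct reports minus clicks on fake links."""
        return self.reports - self.clicks

    @property
    def is_iron_trap(self) -> bool:
        """Never fell for a simulation and has a track record of reporting."""
        return self.clicks == 0 and self.reports >= IRON_TRAP_MIN_REPORTS


def record_simulation(emp: Employee, outcome: Outcome) -> str:
    """Update one employee's record after a simulated email.

    Returns the next action: 'tutorial' for a click, otherwise 'escalate'
    (the increasingly sophisticated follow-up message the article describes).
    """
    if outcome is Outcome.CLICKED:
        emp.clicks += 1
        return "tutorial"
    if outcome is Outcome.REPORTED:
        emp.reports += 1
    emp.difficulty += 1
    return "escalate"


def should_quarantine(reporters: list[Employee]) -> bool:
    """Consensus rule from the article: one Iron Trap report, or two reports
    from high-ranking employees who are not yet Iron Traps, remove the email."""
    if any(e.is_iron_trap for e in reporters):
        return True
    high_rank = [e for e in reporters if e.score >= HIGH_RANK_SCORE]
    return len(high_rank) >= 2


def quarantine(message_id: str, mailboxes: dict[str, set[str]]) -> int:
    """Remove the message from every mailbox; returns how many copies were pulled."""
    removed = 0
    for inbox in mailboxes.values():
        if message_id in inbox:
            inbox.discard(message_id)
            removed += 1
    return removed


def handle_reports(message_id: str, reporters: list[Employee],
                   mailboxes: dict[str, set[str]]) -> int:
    """Apply the consensus rule; returns the number of mailbox copies removed."""
    if not should_quarantine(reporters):
        return 0
    return quarantine(message_id, mailboxes)


def demo() -> tuple[int, int, int]:
    """Constructed training history and two reported messages (sample data)."""
    alice, bob, carol = Employee("alice"), Employee("bob"), Employee("carol")
    for _ in range(3):
        record_simulation(alice, Outcome.REPORTED)   # alice becomes an Iron Trap
    record_simulation(bob, Outcome.IGNORED)           # bob gets a harder follow-up
    record_simulation(bob, Outcome.REPORTED)
    record_simulation(bob, Outcome.REPORTED)          # bob: score 2, not yet an Iron Trap
    record_simulation(carol, Outcome.CLICKED)         # carol gets the tutorial
    for _ in range(3):
        record_simulation(carol, Outcome.REPORTED)    # carol: score 2, never an Iron Trap

    mailboxes = {n: {"msg-1", "msg-2"} for n in ("alice", "bob", "carol", "dave")}
    pulled_a = handle_reports("msg-1", [alice], mailboxes)       # one Iron Trap suffices
    pulled_b = handle_reports("msg-2", [carol], mailboxes)       # a single high-rank report is not enough
    pulled_c = handle_reports("msg-2", [bob, carol], mailboxes)  # two high-rank reports remove it
    return pulled_a, pulled_b, pulled_c


if __name__ == "__main__":
    print(demo())
```

The point of the consensus rule is that a single reporter who has clicked a fake link in the past cannot pull mail out of everyone's inbox on their own, which limits the damage from a careless or mistaken report while still letting proven reporters act immediately.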

Everything is tracked through a centralized dashboard in the IT department, and employees are notified that a program will be starting (and can opt out). Ironscales runs as SaaS (software as a service), meaning it’s operated remotely and nothing has to be installed by the company.

Benishti suggests that if Sony had had the Ironscales system in place, and a vigilant Iron Trap had spotted that initial phishing attack, the company’s debilitating 2014 data leak might have been prevented.

An empty bucket of spam

Ironscales was founded in 2013, launched the following year and currently has 10 paying customers in Israel in the banking, telecom, insurance and capital market sectors. An online gaming company in the UK is an Ironscales customer, and the company is now signing up its first US customers.

Pricing is based on an annual license that starts at $15 per user but goes down as volume goes up. Remarkably, Ironscales has never taken any outside investment and Benishti says his three-person company is profitable.

Benishti already had experience stopping hackers in his previous job, as a malware analyst and reverse engineer for Radware.

“My friends and colleagues knew that I researched malware and they kept forwarding me emails they got, asking is this phishing or not, is it benign?” he explains. “So I started teaching them how to spot hints in the email and I realized that even people with a technical background lacked the skills to recognize some of the most trivial signs that an email is malicious.”

Benishti put together some simple tutorials for his friends. They worked so well that he quit his job and built a prototype for Ironscales.

And none too soon. A survey sponsored by Check Point found that 43 percent of the IT professionals surveyed said they’d been targeted by schemes like spear phishing. Security firm FireEye reported that between the first and second quarters of 2012, email-based attacks that successfully bypassed organizations’ security defenses increased by 56 percent, with the average organization receiving 643 web-based infections per week that got through.

Benishti’s goal is that when that phishing rod is cast in the direction of an Ironscales client, the fish will not only fail to bite, but they will team up to pull the rod down, sending the malicious phisherman home with nothing more than an empty bucket of spam.
