A different kettle of phish ­— Cofense’s Tonia Dudley

Cyberattacks are on the rise and companies are having a difficult time keeping up. To make matters worse, the threat actors starts with an advantage; they know where, when, and through which mechanism the attack will happen.

At times, security professionals might feel like they are spinning plates. But where better to start, according to Cofense’s Tonia Dudley — than with phishing?

What is phishing?

Phishing is the use of links inserted into spurious emails to compromise computers and security networks. Through social engineering — the right choice of language, fake personas, or bogus rationale — the threat actor convinces the unsuspecting computer user to click on something that they really shouldn’t.

Traditionally, this has been a link that might access a treacherous webpage or cause a malicious file to be downloaded directly. Now, even a Word document can be embedded with macros that will execute malware once downloaded.

Generally, where they operate, threat actors are expert. While many of their target-victims certainly are not. That is why phishing is such a cost-effective attack vector for cyberattacks, in all their forms. Not only does it take one person to click, but the scalability and tunability of phishing make it versatile.

Notably, over 50% of phishing threats are credential-based, Dudley says. As organisations move to cloud entrusted services, when hackers get these credentials, they gain access to the organisation’s network, moving through it as a legitimate user.

“We know that over 80% of incidents start with a phishing email,” Dudley explains — “So what we’ve done over the years, with our cofounders, is invented this process of simulating phishing message campaigns.”

The need to educate the worker, the individual, in what to look out for, and what not to do, is self-evident. As ever, the greatest network security liability is the employee. And this has become truer in the era of the remote-working cloud model.

Cofense, and its peers, offer simulated attacks on their client organisation’s innocent employees. The idea is that if people in an organisation get caught out by the good guys, they will put far more effort into following robust cyber hygiene in the future. This hopefully means that criminals will have a harder time getting the better of them.

It is important to get this right, however; a company-wide phishing readiness “test” can have negative consequences on morale, if performed at the wrong time. For instance, during the first waves of the pandemic, while many organisations were testing their already stretched employees’ defences, Cofense actively discouraged phishing simulations. The logic was that there is a time and place for such things.

Tonia Dudley

Know thy phish

Organisations have gotten better at defence in general, Dudley says.

“We see that the mean time to detect [cyber threats] has gotten a lot shorter,” she emphasises. But threat actors are constantly changing their tactics and evolving. They know that as organisations increase their defences, new methods are required to overcome those defences. And as criminals become more sophisticated, so must cybersecurity providers.

That is why it is no longer enough to simply learn to identify a phishing email. Dudley and her colleagues encourage, more than just teaching people how to identify phishing attacks, doing more with what is there.

There is usually value in that phishing email, Dudley explains. Indicators in a message can help well-informed security teams discover who might be behind the attack, or who else might also have gotten the email and clicked on the link. These clues can be used to understand, identify, and then filter out suspect emails.

Finding signals

Turning phishing noise into phishing insight has become Cofense’s calling.

The company’s security solutions combine technology with human insights. Cofense holds 27 patents, with its customers reportedly including 50% of the Fortune 500. The company has also delivered more than 500 million phishing simulations. Where once it focused on phishing awareness and education, it has expanded to end-to-end phishing detection and response.

Knowing what to do with phishing emails once they are flagged by employees is what it is all about. With Cofense, phishing emails become their own source of intelligence; this can then be used to fine tune blockades on certain categories of emails, or to better protect the organisation in other ways.

“If I tune my [secure email] gateway to the highest configuration that it allows, then I also impede the business,” Dudley notes. As such, there is a balance to be found. That is why Cofense’s anti-phishing solution is strengthened with the human element.

Cofense’s detection solutions include employee conditioning for phishing attack readiness, computer-based training, and a system allowing employees to quickly report phishing emails to security teams with one click.

In the domain of response, the company offers a phishing identification, analysis, and mitigation solution, Cofense Triage, as well as an automated phishing quarantining solution, Cofense Vision. Along with these, Cofense provides human-computer phishing threat intelligence for businesses.

In 2021, Cofense was named in the top 10 for Phishing Protection solutions and Security Awareness Training for business by Expert Insights.

Mark Swift is a Scottish freelance journalist and writer based in Paris. His work covers business, technology, European politics, and EU policy. Before writing for 4i-mag, he was a journalist for Young Company Finance Scotland, covering investment in Scottish technology start-ups. Mark's portfolio can be found here: