Paul Walsh

@Paul__Walsh

Rethinking Anti-Phishing Security For iPhone Email

A comparison of an email that is not protected by MetaCert and an email that is protected by MetaCert

You’ve installed ProofPoint or another security solution, but phishing is still a problem. Why? In this post I will explain how and why MetaCert is rethinking email security to address this growing concern.

This post is mostly for:

  • people who worry about opening the wrong link inside an email, and;
  • people who work in cybersecurity or IT, and worry about other people opening the wrong link at their company.

This is a long, detailed look at how, and importantly why, MetaCert is doing things differently. So if you’d like to jump straight to a 30 second video demo, here it is…

Statistics show that over 90% of hacks are generally known to target email, and 76% of organizations surveyed in a Wombat 2018 State of the Phish study, say they experienced phishing attacks in 2017.

If 91% of breaches begin with spear phishing and 90% of them target email, you can’t help but come to the conclusion that existing security solutions are not working as well as we’d like them to. A brand new approach is needed.

It’s technically impossible for any cybersecurity company in the world to detect and prevent every newly created phishing website.

Why existing solutions aren’t keeping you safe

Hundreds of millions of phishing emails are sent each day, and new phishing sites are going live every minute, so it’s impossible for any security company to detect every newly created phishing campaign. With the massive amount of scams out there, all the machine-learning and AI in the world can’t possibly detect every new phishing link. This is why MetaCert is doing things very different to help reduce the risk of people falling for a phishing attack.

Education is good, but it’s not working

Constantly reminding people what to look out for just isn’t working. Some companies mandate their employees to sit through a 2 hour video of anti-phishing training. Seriously?! 🤪 If it takes 2 hours to explain what to look out for when opening links or visiting websites, we’re doing something wrong. If this type of training was working, you wouldn’t be concerned about phishing — the fact you’re reading this post means you’re less likely to fall for a phishing scam than the average person — yet, here we are ✌️🔐

Don’t get me wrong… I don’t think MetaCert should be seen as a replacement for ProofPoint and other existing solutions that do a great, but imperfect job. I see MetaCert as a complementary service that acts as a last line of defense to significantly reduce the risk of you opening the wrong link. It’s anti-phishing security + user awareness built-in. I expect our new approach will reduce training from 2 hours to a single sentence;

If you don’t see a green shield next to a link, don’t open it.

or

If you see a grey shield, make sure you proceed with caution as it could be a new phishing site.
MetaCert’s visual indicators to tell you what’s safe and what’s not

How I know there’s a desire for something different:

Let’s Encrypt has issued 15,270 “PayPal” certificates to sites used for phishing.

Bad actors use free, automatically issued SSL certificates to trick users into thinking a site is safe, when in fact they are phishing sites. Let’s Encrypt, a free, automated certificate authority has issued 15,270 “PayPal” certificates to sites used for phishing.

With over 10% of all money raised through Initial Coin Offerings (ICOs) and Token launches stolen, we decided to do something different at MetaCert, to reduce this number. Remember I said that 91% of breaches start with spear phishing? Well, you can assume that goes for crypto exchanges too. So while you might think “hacking” is the #1 cyber threat in crypto, it’s not — phishing scams are the #1 problem, by an order of magnitude.

Thanks to almost every crypto company installing our security integration towards the end of 2017, we completely eradicated phishing on Slack — I digress, but if you want to learn more about that, here’s a podcast interview I did with Laura Shin on Unchained.

A New Green Shield of Trust

We built a browser add-on called Cryptonite. The concept was simple. Once installed, Cryptonite adds a black shield to your browser toolbar. This shield turns green whenever you visit a verified crypto website or social media account. If it’s not green, assume it’s potentially a new phishing site that hasn’t been detected and classified yet.

While Cryptonite actively blocks phishing sites in real-time, almost every user we speak to, relies on the green shield — some don’t even know it blocks phishing sites. Our social experiment worked! Our hypothesis was right. There’s a desire for a new green shield of trust on the Internet.

I’m proud to say that no Cryptonite user has ever fallen for a phishing scam since its release in December 2017. 🤩

MetaCert’s new security solution, which went into beta this week and was announced on TechCrunch, is VERY different to existing security solutions. I’ve used “very different” quit a lot — mostly because so many security companies claim to do things differently when in fact, they’re doing pretty much the same thing as legacy systems, with a little bit of AI or machine-learning added or good measure.

Once you install, MetaCert’s device profile security magic integrates with the default Mail app on your iPhone.

MetaCert’s new security solution for the native iOS Mail app supports every email service provider with IMAP support— business domain email, Gmail, G Suite, Hotmail, Microsoft Exchange, Office365, iCloud, Yahoo!, AOL et al.

A new green shield of trust for email

MetaCert uses a color-coded system to show you which links are safe, which are dangerous, and which links you should question. It places a red shield next to links that are classified as Phishing and are automatically blocked before harm can be done to your personal data or your mobile device.

A green shield is placed beside links that have been verified as safe. But, most important of all for combating new phishing attacks, a grey shield goes next to links that are classified as “unknown,” because newly created phishing websites that go undetected by existing security solutions will be allowed through to your email. When you see the grey shield from MetaCert, you know that it means you should proceed with caution or avoid opening it altogether.

Impersonation attacks are the most difficult to detect and the most critical issue to be solved in the secure email gateway. MetaCert’s verification system helps to address this by indicating when a new unverified domain has been shared in an email.

Phishing attackers are also infiltrating email systems with account takeover attacks and exploiting access by posing as business partners using legitimate email accounts. Because these are legitimate accounts, this is a much harder problem to solve. If such an insider threat does occur, MetaCert’s grey shield will be present whenever the malicious actor shares an unverified link, which can go a long way towards mitigating any damage and also provide an indicator that might help in rooting out an imposter.

Since they are so widespread, no one is safe from phishing attacks. Big and small organizations across all industries are routinely affected, and according to the FBI’s 2017 Internet Crime Report, email scams cost businesses as much as over a half-billion dollars ($676 million) over the year.

Tackling spear-phishing 🎣🔨

Part of the reason phishing is so popular with cybercriminals is that it provides them with direct access to the most vulnerable part of any network — the end users. Attackers aren’t just wasting the opportunity to get in front of employees with typical spam messages, either. They have moved on from easy-to-spot tactics with much more sophisticated techniques that even careful users may not catch until it’s too late. One of those techniques is called Spear Phishing, and this is where MetaCert’s solution will be of particular interest to enterprises that spend vast amounts of money on training courses and videos for anti-phishing.

A phishing victim tends to be vulnerable to future attacks. Scammers who hijack accounts through phishing sites often get access to a number of other associated logins, which means a great deal of private information suddenly becomes available to them. This leads to a sort of chain reaction where personal data turns against the targeted individual, aiding a criminal whose interests lie in identity theft and getting their hands on bank accounts, credit card numbers, or digital assets such as cryptocurrencies.

Looking to the future

Without a means to combat/address email fraud, the issue will only get worse, and our continuing reliance on technology only serves to fan the flames of phishing attacks. A study by Gartner suggests that 80% of tasks performed by workers will take place on a mobile device by 2020. As more and more workers come to rely on email based communication through personal, or company-supplied mobile devices, the benefit of an email messaging classification system to expose potentially malicious links is self-evident. MetaCert has built that system in the form of our email security tool, which will continue to protect everyone who uses it for years to come.

Behind the scenes

Even though it takes less than a minute to set up, and only seconds to comprehend, MetaCert’s security solution is powered by an established cyber threat intelligence system, which has been in the making for years.

MetaCert’s threat intelligence system

About MetaCert

It all started when I co-instigated the creation of the W3C Standard for URL classification in 2004, formally replacing the old Standard called PICS in December 2009. I also hold a full patent for anti-malware and anti-phishing security detection and prevention inside a mobile app WebView.

With over 10 Billion URLs indexed across sites and social media accounts to protect consumers from malicious threats, MetaCert provides world-class security solutions for Slack and Telegram for everyone including small companies, right up to FTSE 100 corporations. 📫

📫 https://upnext.metacert.com 🔐

Don’t forget to click 👏🏻 to let me, the MetaCert team and others know how much you appreciate this post. You can also share this post on Twitter if you think it’s worth the extra click. 🙏🤓

Join our Telegram channel where you can engage with the core team and our blockchain community. https://t.me/metacert

More by Paul Walsh

Topics of interest

More Related Stories