Curb Your Enthusiasm: A.I. Will Not Save Us From Phishing

Posted June 26, 2018

Phishing is by far the biggest security threat to any organization. It’s the most common source of attacks and has been at the root of spectacular cyber incidents like the Sony hack and the Petya ransomware attack. Due to the grave danger that phishing poses, remedies are highly sought after. Lately, companies have turned to machine learning and artificial intelligence, the supposed solutions to all societal problems, to combat phishing.

It’s a seductive proposition: AI-based products promise flawless security (“it’s a machine, it doesn’t make mistakes!”) alongside convenience, since they automate the process. One such product is Microsoft’s Office 365 “Advanced Threat Protection”, which checks emails for words and phrases that could hint at malicious activity, such as impersonation of legitimate companies (e.g. Apple or Microsoft) and sentences asking for payments or password resets.
However, researchers at Avanan revealed on June 19th how hackers can bypass Microsoft’s tool by inserting random words into the email body at font size zero (‘ZeroFont’). The scanner reads the padded text as unstructured, non-malicious gibberish, while to the recipient the ZeroFont text is invisible, so the scanner and the reader effectively see two entirely different emails.
You read that right! A technique used by students to pad their assignment papers is enough to fool a cutting-edge algorithm.
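To make the ZeroFont gap concrete from the defender's side, here is an added example (not code from the original post, from Avanan or from Microsoft) that extracts the text a style-blind scanner reads and the text the recipient actually sees, and flags any difference as a signal in its own right. The sample message is constructed for the example, and the check only understands inline `font-size:0` styles.

```python
import re
from html.parser import HTMLParser
# Constructed sample (not from the page): zero-size spans are interleaved with
# the visible lure, so a style-blind scanner reads a different sentence.
SAMPLE = (
    "<html><body><p>Your <span style='font-size:0'>lorem ipsum</span> Apple "
    "<span style=\"font-size: 0px; color:#fff\">dolor sit</span> account has "
    "been locked. Please reset your password at the link below.</p></body></html>"
)
# Matches font-size:0 with an optional unit; does not match 0.5em or 10px.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)

class VisibleTextExtractor(HTMLParser):
    """Collects the full text (what a style-blind scanner reads) and the text the
    recipient sees, skipping font-size:0 elements and all their descendants.
    Assumes reasonably well-formed HTML and inline styles only."""
    def __init__(self):
        super().__init__()
        self.full, self.visible = [], []
        self._stack = []        # (tag, started_hiding) per open element
        self._hidden_depth = 0  # > 0 while inside a zero-font element

    def handle_starttag(self, tag, attrs):
        hides = bool(ZERO_FONT.search(dict(attrs).get("style") or ""))
        self._stack.append((tag, hides))
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        while self._stack:  # pop back to the matching open tag
            name, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if name == tag:
                break

    def handle_data(self, data):
        self.full.append(data)
        if self._hidden_depth == 0:
            self.visible.append(data)

def analyze(html: str) -> dict:
    """Both views plus a flag: classify human_view, and treat the flag as a signal."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    squash = lambda parts: " ".join("".join(parts).split())
    scanner_view, human_view = squash(parser.full), squash(parser.visible)
    return {"scanner_view": scanner_view, "human_view": human_view,
            "hidden_text": scanner_view != human_view}
```

A production filter would also have to resolve class-based and stylesheet rules and apply the same "what does the human see" normalisation to every other invisibility trick, which is exactly the cat-and-mouse game the post is describing.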

This is not the first time scammers have duped algorithms using simplistic methods: a few weeks earlier, Avanan also discovered that something similar was possible with URL links.
It is likely that hackers will continue to study how these bots function and find new ways to fool them. These criminals are creative, adaptable and unpredictable, whilst the machine defender is uncreative, inflexible and predictable. As such, these tools could lead to more breaches, as they teach consumers to switch off their scepticism whilst the AI serves up scams as “trusted messages”.
Luckily, there are simple behaviours and habits that humans can learn in order to spot phishing attempts. For example, it is not possible to change the font in the sender address field. Therefore, one look at the sender lets you identify a phishing mail, even if it slipped through the filter.
In order to truly protect yourself against phishing, learning ways to spot a phishing mail rather than relying on a machine will prove to be more sustainable. It takes humans to outsmart other humans.

Posted March 14, 2018

Think you’re too small to be hacked? Do you have “nothing to hide”? Well then, listen to this cautionary tale from our own experience.
One Thursday afternoon, whilst I was returning from the gym, Alex called me: “Have you had a look at the website? I think we’ve been hacked”. My mind raced: How did they get in? What was compromised? Is any sensitive data at risk? I knew hacks happen to companies much larger than us, but we’re supposed to be a security company!

Posted October 31, 2017

On May 25, 2018, the new General Data Protection Regulation (GDPR) will become binding law, affecting thousands of companies inside the EU and around the world. Whilst this law contains many protections for citizens’ privacy, it puts a significant burden on companies to become compliant and threatens harsh fines for any data leaks. Since such a penalty could spell bankruptcy for many small and medium businesses, the law has led to a lot of fear and confusion in the business community. In this blog post, I’ll give a short overview of the most important things that you need to know when it comes to the GDPR.
