The Inadequacy of Sophistication in Phishing Campaigns: Unpacking Akamai’s Latest Insight and the Systemic Failure of Current Anti-Phishing Measures

Paul Walsh
3 min read · Oct 26, 2023

Akamai’s recent article spotlighting a “sophisticated” phishing campaign against hotel guests may serve as an alarm bell, but it misses the mark on actual security impact.

“This multi-staged threat showcases the evolution of sophisticated phishing attacks. Malicious actors are finding new and creative ways to infiltrate unsuspecting targets with scary precision.”

This supposed “sophistication” and “precision” doesn’t change the game for security vendors like Akamai, Cisco, Okta, or MetaCert. The bottom line is protecting people from phishing-led cyber threats. Security products must safeguard individuals at the point of entry: the dangerous link or malicious download. Fail at this singular choke point, and you’ve failed altogether.

Interestingly, when anti-phishing vendors like Proofpoint recognize the limitations of security controls that rely on trying to detect signs of danger, their next move is to delve into anti-phishing awareness training. Why the paradox? If these systems are so adept at detecting threats, why does clicking an email link still induce fear in their customers? The reality is glaring: these security solutions are fundamentally flawed. Given any anti-phishing system, I can demonstrate its failure to detect deceptive URLs in less than a minute. My confidence level in this assertion is 99.9%, supported by consistent test outcomes and the inability of any security system to thwart my evaluations.

Akamai’s article accentuates multi-step social engineering as a novel aspect, but this embellishment doesn’t diverge from the root issue that has been present since phishing emerged on the AOL network in 1996 — where I was one of the first people on the Internet to have their screen name impersonated by hackers inside emails, chat rooms, and IM (sound familiar?). Despite rising cybersecurity budgets, each year since 2016 has set a new record for phishing incidents. And the general understanding amongst professionals in this space is that 90% of all attacks start with a form of social engineering. This disconnect is due to the design flaw inherent in all current security systems today: the futile attempt to detect dangers associated with yet-unused URLs. It’s not just ineffective; it’s disingenuous to say that it’s possible.

“We’re all in this together (until you’re breached, and then you’re on your own)”

I’ve spotted a new emerging trend in the cybersecurity industry: a narrative advocating collective responsibility for tackling cyber threats. While the phrase “we’re all in this together” might seem collaborative and comforting, it’s a notion that demands rethinking. This narrative implies that end-users, often employees, must bear some burden for detecting and averting cyber threats. This stance becomes dubious when even tech giants like Cisco, Microsoft, and Okta have failed to protect their own staff from SMS phishing. If these security powerhouses, with their expert teams, can’t help their employees identify malicious URLs disguised as genuine ones, who can? I wrote an article about this here.

The security industry needs to pivot. We need to develop and invest in foundational solutions that squarely address this core vulnerability, rather than being ensnared by the smoke and mirrors of so-called ‘sophistication.’

This is a better way forward

In stark contrast to these failing mechanisms, a Zero Trust approach to phishing, specifically Zero Trust URL & Web access, would revolutionize cybersecurity efficacy. By operating on the principle that no URL is safe until verified, Zero Trust eliminates the presumption of safety that makes current systems so vulnerable. Instead of attempting the Sisyphean task of flagging dangerous URLs that haven’t even been deployed yet, Zero Trust authenticates each URL at the point of interaction. This makes it exceedingly difficult for threat actors to infiltrate computer systems and mobile devices, as their efforts are stonewalled at the most critical juncture: the point of entry. In essence, a Zero Trust model would shift the battle from a playground favoring the attacker to a fortress that empowers the defender.
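To make the contrast concrete, here is an added illustration (not MetaCert’s, Akamai’s or any vendor’s code) of a default-deny URL check: a link counts as verified only when its exact scheme and host appear on a verified list, and everything else is unverified, so no lookalike ever has to be “detected”. The registry of verified origins and the sample links are constructed for the example.

```python
"""Default-deny URL verification, as opposed to detecting 'signs of danger'.
Illustration only: the single question asked is 'is this exact origin verified?'
Any URL that fails that question is unverified; its tricks never need naming."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry of verified (scheme, host) origins. A real deployment
# would load a maintained, integrity-protected list; these are sample entries.
VERIFIED_ORIGINS = {
    ("https", "example-hotel.com"),
    ("https", "booking.example-hotel.com"),
}

def normalize_host(netloc: str) -> Optional[str]:
    """Drop userinfo and port, trim a trailing dot, lower-case, and IDNA-encode
    so Unicode lookalike labels are compared in their punycode form."""
    host = netloc.rsplit("@", 1)[-1]            # discard 'user:pass@' prefix
    host = host.split(":", 1)[0].strip(".").lower()
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:                        # unencodable label: unverified
        return None

def verify_url(url: str) -> bool:
    """True only if the URL's origin is on the verified list (default deny)."""
    parts = urlsplit(url.strip())
    host = normalize_host(parts.netloc)
    return host is not None and (parts.scheme.lower(), host) in VERIFIED_ORIGINS

# Constructed sample links: one genuine origin followed by deceptive variants
# that a detection heuristic would have to recognise one by one.
SAMPLE_LINKS = [
    "https://booking.example-hotel.com/reservation/123",
    "https://example-hotel.com.evil.example/login",   # real host is evil.example
    "https://example-hotel.com@evil.example/login",   # userinfo trick
    "http://example-hotel.com/login",                 # scheme downgrade
    "https://exampIe-hotel.com/login",                # capital I in place of l
    "https://еxample-hotel.com/login",                # Cyrillic 'е' lookalike
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("verified  " if verify_url(link) else "unverified", link)
```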


Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.