Turning your weakest asset, the email recipient, into your greatest strength in blocking spear phishing


Cyber Security breaches proliferate and create more victims in 2014

  1. Some 91% of high profile breaches begin with a “spear phishing” email, according to research from security software firm Trend Micro.1
  2. Phishing attacks continue to increase in every significant way, and remain an ominous threat to organizations and consumers around the world, as reported the Anti Phishing Working Group (APWG) recently.2
  3. All advanced security methods prior to email receipt still allow a Toxic Trickle of emails to pass through to the email recipient.3
  4. According to the IBM Security Services Cyber Security Intelligence index report from July 2013, the human factor [email recipients] accounts for approximately 80 percent of security breaches.4
  5. Top security vendors have the ability to catch “up to 99%” of malicious email, but it only takes one Spear Phishing Email to penetrate the organization and cause complete havoc.5
  6. The last defense to cyber attacks is the email recipient. The critical role of email recipients in cyber security is recognized under the Federal Information Security Management Act (FISMA). In implementing FISMA, the National Institute of Standards and Technology (NIST) requires that personnel be trained to spot spear phishing and that they report spear phishing to security personnel.6
  7. Until recently, training and awareness were the only ways to make the email recipient vigilant. Statistics published by Internet Security Awareness Training (ISAT) firms indicate that formal training can substantially reduce an organization’s vulnerability to cybercrime variably by 15-80 percent.7,8
  8. Interactive training, live exercises and sustained awareness help, but they have shown to be largely ineffective. A recent quiz by McAfee (June 2014 Threats Report) showed that 80 percent of enterprise users fail to detect at least one of seven phishing emails.9  A research study commissioned by Dell showed this year that 73 percent of 1440 organizations experienced a security breach in the last twelve months.10
  9. Why? The email recipient is faced with 100 plus emails per day, each one of which has the potential to be a spear phishing email. Added to that, the recipient may be spear phished by his own organization for training and assessment. Therefore every single one of the 100+ emails the recipient receives is a threat and each email has to be scrutinized, hopefully with the recipient remembering at least some of the training on how to spot spear phishing emails.
  10. Not only does this pressure waste huge amounts of the employee’s time, but the volume of emails they have to scrutinized will most likely cause the recipient to miss the threat altogether and allow cybercriminals to penetrate the organization.
  11. Cyber breaches will continue to proliferate and create more victims because the email recipient, the final defense against spear phishing, will continue to be compromised by the lack of the proper tools to protect themselves and their organizations.11

What do Security Providers have to do to STOP cyber security breaches in their client organizations?

  1. Utilize their selected methods, IP reputation, Email authentication, Web reputation, Filtering, Exploit prevention, etc., to strip out the majority of bad emails.12
  2. Use their company’s and their client’s trusted sender lists to identify those emails known to be safe (i.e., legitimate internal, partners, collaborators and suppliers emails).13  Trusted sender lists are easily created and maintained.
  3. Use Caution Icons to mark the 1-5% of emails that don’t adequately authenticate or are not identified on the trusted sender list.
  4. Caution Icons are displayed directly in the inbox [replacing the Email Icon].
  5. Caution Icons warn the email recipient that these emails are suspect and need to be scrutinized.
  6. Hide email attachments and links until the suspect email is judged valid.
  7. Provide instant spear phishing identification instructions, check boxes, and relevant details of the cautioned email via hover over of the Caution Icon for real-time training and awareness on what to do with the cautioned email (i.e. send to IT for inspection).
  8. This eliminates the arduous task of having the email recipient scrutinize each of their 100+ emails, worrying that any of their emails could be a Spear Phish by cyber criminals or a mock Spear Phish by their own organizations.
  9. These tools free the email recipient to work without fear on 95% of their emails.
  10. For the 1-5% of emails that are cautioned, there is only one or two that the recipient might be interested in. They now have the ability to quickly and effortlessly protect, detect and respond to spear phishing email attacks before falling prey to them.
  11. It is a clear indication the email is a Spear Phish when normally safe emails from its own organization, trusted partners, or suppliers suddenly appears marked with a Caution Icon.
  12. Alerts of spear phishing emails immediately go to the global threat networks and inter-company to stop this attack before it begins.
  13. You have now secured your client’s final defense with many adequately equipped human sensors, examining a small group of suspect emails, armed with the instructions on how to evaluate, stop and report Spear Phishing.


Implementing the Final Defense Solution to protect your Clients

 Key Points:

  1. Organizations are strongly recommended to adopt the NIST Cybersecurity Framework14 and implement the necessary capabilities to minimize risk, loses and liability.15
  2. Organizations that are victims of spear phishing attacks may soon be liable if they don’t have adequate cyber security infrastructure.16
  3. Spear phishing training and awareness is becoming mandatory for employees and government workers.17
  4. Interactive training and filtering (the best past solution) are not sufficient to stop all spear phishing attacks at the end user level.


Available Complete Solutions for Implementation:

  1. Iconix has developed and validated a solution with all the components needed to secure the final defense18 discussed above and to fully meet the NIST recommendations. The solution has been tested and deployed it with 50,000 ongoing end users over several years.
  2. It fills critical end user security infrastructure gaps and leverages your existing security clouds, appliances and/or software.  It also calls attention to all the security measures you have employed to protect your client in the background.
  3. The solution is powered by patent protected Iconix software. It can work with multiple types of end user email and webmail preferences and can be positioned at different places in the email stream.
  4. Iconix patents cover marking or segregating into folders any authenticated and trusted emails or calling up mini HTML pages by hovering over the icon or markings.
  5. It is the best solution for a “real life” response to today’s cyber attacks and is a solid foundation for the NIST Cybersecurity Framework:
  6. The Iconix solution addresses the NIST Cybersecurity Framework recommendations regarding protection, detection and response by providing unique capabilities for doing real-time awareness, training, continuous monitoring of cyber attacks, and communication, analysis and mitigation of detected cyber security events.
  7. Caution icons for suspect emails can also be exchanged with Trusted Icons for safe emails if desirable.

Step-by-step implementation of products/services is done by:

  1. Evaluating the authentication upstream of the mail server and comparing the sender to the trusted list.
  2. Prominently marketing the small percentage of emails that are not sufficiently authenticated or are not on the trusted list as “Caution! DO NOT click on links or open attachments!”
  3. By calling the recipients attention to the imminent threat.
  4. By providing hover-over instructions as to what to do next with the suspect email.
  5. By highlighting spear phishing emails that are masquerading as someone else, i.e., from the recipient’s own organization or a trusted partner.
  6. By providing action buttons in the hover-over content to forward to IT.
  7. By IT validating the threat and striking the IP from the incoming steam, deleting it from the inbox and/or re-marking the toxic emails as known toxic.
  8. IT forwards the email to its security partner which then forwards it to the global intelligence community, its own users and/or other alert databases and blacklists that it is associated with.
  9. Providing interactive training to speed up the decision process for the targeted recipients so that they spot spear phishing emails immediately because of their caution icons.



  1. Spear-Phishing Email: Most Favored APT Attack Bait. Trend Micro Incorporated Research Paper, 2012.
  2. APWG Phishing Trends Report for Q1 2014. APWG, June 2014
  3. Letting The Wrong Ones In: Email Security’s Big Blind Spot. FireEye Blog. December, 2013
  4. IBM Security Services Cyber Security Intelligence Index. IBM Corp., July 2013
  5. Why Phish Should Not Be Treated as Spam. Norman Sadeh. Carnegie Mellon University. May 2012
  6. Managing Information Security Risk. NIST, Special Publication 800-39, March 2011
  7. The Human Hack: How to Fight an Internet Risk Technology Can’t Fix. Bloomberg. Nov, 2013
  8. Going Spear Phishing: Exploring Embedded Training and Awareness. IEEE Security and Privacy, February 2014.
  9. McAfee Labs Threats Report. August, 2014
  10. Protecting the organization against the unknown A new generation of threats. Dell Inc. February 2014
  11. Protecting the organization against the unknown A new generation of threats. Dell Inc. February 2014
  12. Cyber Security Planning Guide. Federal Communications Commission. Oct 2012
  13. Whitelisting for Cyber Security. Public Interest Advocacy Centre. November 2010.
  14. Framework for Improving Critical Infrastructure Cybersecurity. NIST, February, 2014
  15. Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus. SEC Commissioner Luis A. Aguilar, June 2014
  16. Cybersecurity Trends for 2014. Corporate Compliance Insights. February, 2014.
  17. Mandatory Cyber Security Awareness Training. 13 FAM 330. US Dept of State.
  18. Deploying Deception Sensors in APT Defense. Iconix Inc. August, 2014.