Q&A: Greg Young, Trend Micro’s cybersecurity VP, on email phishing scams
Canadian Security recently spoke with Greg Young, Trend Micro’s VP of cybersecurity, following the company’s release of its annual security roundup report.
Trend Micro found that public sectors like education, healthcare and finance remain the most vulnerable to email phishing tactics.
Young discussed how email threats are changing and why these sectors are easy prey for scammers.
Q: How have email threats evolved in the last couple of years?
A: Today, it’s not a single rock over the fence. It’s multiple steps. Email is almost always part of the attack, so that hasn’t changed. What has changed is that email is being used more and more as an entry vector for ransomware. Instead of trying to just attack your computer, it’s “Hey, let’s go for the people.” Phishing is a great first step. It’s very inexpensive as is going for more senior people with email. And you know, people can’t be “patched.” We’ll always be vulnerable.
Q: Sectors hit hardest by email threats are education, health care, and finance. What makes these sectors so vulnerable?
A: They have in common that all are much more likely to pay or have critical needs for technology to continue, and they have very different kinds of IT staff.
For example, in health care and education they’re typically very stressed for IT resources. They won’t have the big defences, whereas finance may have the big defences, but they’re so sensitive to competition and bad reputations that they’re much more likely to pay quickly.
Q: What business practices do you recommend to protect against modern email threats?
A: One is recognizing that your email is still that really common vector. Continuous education without over-educating people, but constant reminders and giving good examples of showing where this happens. For example, there’s a new trend right now away from email using messaging via mobile to send links for courier deliveries which aren’t happening. So, false courier delivery notices saying, “Hey, you’ve missed this important package from DHL. Sorry, click on this link to schedule a new delivery.” Again, it’s a message. It’s a variation on it, but the result is the same. So be aware of these and also protect your staff, whether they’re at work or at home.
So many organizations give great security for their business machines, but those are typically linked with the stuff used at home. Why aren’t we protecting employees for their home resources and their families as well? Many families will share IT resources, will share laptops, will share machines, share routers and of course wireless.
Reach out and offer that to them. It’s a great service to protect your employees, but it also protects your business.
Q: Trend Micro reported that increasing geopolitical turmoil would add another layer of concerns to cyber threats. Could you elaborate on that?
A: State-sponsored attacks are the hardest ones to defend against. When a country is using its resources, which are the very best out there to do a cyber attack, the regular companies don’t have too many defences against that. So when that layer is added on, it makes the job harder for everyone.
Next is that any time there are world events that are stressful as we saw during the pandemic and continue to see today with the events in Ukraine — any of these news items can also get our attention like that courier delivery. There have been false links for people wanting to donate, wanting to help out Ukrainian refugees in Poland, but it’s actually a link to malware.
Q: Back to the question about health care, education and finance, the IT groups that are working to support these organizations, what can they do specifically to strengthen their defences?
A: Really start to make an assessment about whether the email security you have is modern enough.
Historically, a lot of the email security solutions were kind of “Let’s just pay the least we can. Let’s just get a basic one,” but accuracy matters now. Do an evaluation for not only spam catch rates but phishing rates as well.
If your business is exceptionally critical, there are new technologies now that can take you one step above that due diligence level of technology to the really good security.
We call this email compromise, where folks go after executives and try to get them to compromise themselves. Whether it’s the head or chief of finance, those are the big whales that phishing attempts will go after. We even have new technology around artificial intelligence to compare the writing styles for executives with the writing attempts that will go after their staff to try to fool them.
We’ve had a really good catch right beyond what a regular phishing defence will go to with that extra resource.
This interview has been edited for length and clarity.