3 ways businesses can fight the convergence of information disorder and phishing scams

Feb. 9, 2022
Organizations need to take proactive steps to prevent malicious actors from successfully combining these tactics

Propaganda and false information are age-old weapons, used by governments and politicians in times of crisis and war. With the advancement and proliferation of email, social media and mobile phones, we are witnessing information manipulation on a global scale that is increasingly concerning and deeply frightening. Rumors, conspiracies, hoaxes and false information are routinely spread over electronic media to heighten fear, anxiety and hatred, create mistrust, sow discord, fracture societies and cause reputational and financial damage. Whether it's elections, climate change, Covid-19 or #MeToo, false information spreads like wildfire and is almost impossible to contain once released.

The Three Main Types Of Information Disorder

The Council of Europe classifies information disorder into three main categories. They differ primarily in whether the information is actually false and whether there is an intent to cause harm:

  1. Mis-information: False information shared unknowingly, without verifying the facts and without any intent to cause harm.
  2. Dis-information: False information spread knowingly, with the intent to cause harm.
  3. Mal-information: Genuine information shared to cause harm, often by moving private information into the public domain.

The Convergence of Phishing and Information Disorder

It's no secret that phishing scams rest on a sender pretending to be someone they are not, asking for information they have no business requesting, from people they do not know. Mix in spear phishing and those "seemingly legitimate" requests are custom-designed for a specific individual or group in the organization. Add Business Email Compromise (BEC) and the phishing emails may originate from genuine, already-compromised accounts belonging to trusted sources, which means they pass the sender's own email authentication checks and carry no forged header for a filter to catch.

Research from EU DisinfoLab has uncovered a major overlap between phishing and disinformation tactics, with disinformation increasingly used as part of the overall cyber-attack delivery package. CISA states that more than 90% of successful cyber-attacks begin with a phishing email.

The phenomenon of mal-information is also quite prevalent in the world of ransomware and online extortion. In ransomware attacks we routinely find attackers threatening reputational damage and financial harm by publishing the victim's stolen private data on publicly accessible leak sites, the so-called double extortion model.

How Organizations Can Reduce Information Disorder In The Context Of Phishing

Disinformation can never be eliminated. However, folding disinformation explicitly into the anti-phishing agenda can reduce its impact to a degree. Deploying a multi-layered security strategy is probably your best bet. Important elements of a multi-layered defense may include:

1) Security Awareness Training

Training is critical to building a security culture, and researchers believe sufficiently trained people are more capable of spotting a phishing attack than technology alone. This is likely to be especially true of disinformation, because such campaigns are typically "technically legal": they carry no malware, no malicious link and no forged header, leaving technical controls with little to detect.

2) Technical Controls

While it can be argued that technology has limited ability to detect disinformation attacks, crowd-sourced intelligence can be a game changer when it comes to quickly containing its spread. Studies show that if organizations give employees a quick, low-friction way to report suspicious content, such as a report button in the mail client, that reporting stream becomes an effective mechanism for detecting phishing and other attacks in near real time.

In addition, as artificial intelligence matures, it can be leveraged to identify and flag suspicious-looking content at scale, reducing a significant share of the risk from information disorder.

Basic interventions organizations can take include deploying content filters and multi-factor authentication (MFA); where possible, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys over one-time codes, which a real-time phishing proxy can relay. Organizations should also deploy the email authentication standards Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), which protect your own domains against spoofing and let receivers verify that an email claiming to come from a given domain was actually authorized by it. Two caveats apply: DMARC only blocks anything if its policy is set to quarantine or reject (p=none merely reports), and none of these standards help against a lookalike domain or a compromised legitimate account, which is exactly the BEC case.
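The following is an added example, not code from the article or from KnowBe4: a small checker that grades SPF and DMARC TXT records for the weaknesses just mentioned (a permissive or missing "all" mechanism, a monitor-only DMARC policy, unprotected subdomains, a missing reporting address). It assumes the records have already been fetched from DNS and are passed in as strings; the sample records at the bottom are constructed for illustration and belong to no real domain, and the severity labels are this example's own convention.

```python
"""Grade SPF and DMARC TXT records for anti-spoofing strength (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    message: str


# RFC 7208 terms that cost a DNS lookup; more than 10 in one record is a permerror.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)


def evaluate_spf(record: str) -> list[Finding]:
    """Return weaknesses found in an SPF record; an empty list means none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "no SPF record: any host may send as this domain")]
    findings = []
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # SPF's default qualifier is "+"
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' term: unmatched senders get an implicit neutral result"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "'+all' authorizes every host on the internet"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "'?all' is neutral: spoofed mail is neither passed nor failed"))
    elif all_qualifier == "~":
        findings.append(Finding("low", "'~all' softfails spoofed mail; it is only rejected if DMARC enforces"))
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)"))
    return findings


def evaluate_dmarc(record: str) -> list[Finding]:
    """Return weaknesses found in a DMARC record; an empty list means none."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "no DMARC record: receivers have no policy for SPF/DKIM failures")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("high", "missing or invalid 'p' tag: receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("medium", "p=none only monitors: spoofed mail is still delivered"))
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append(Finding("medium", "sp=none leaves every subdomain open to spoofing"))
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("low", f"pct={pct}: only that share of failing mail is subject to the policy"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: you will receive no aggregate reports of who spoofs you"))
    return findings


# Constructed sample records: a weak and a hardened configuration of each.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record, grade in [("weak SPF", WEAK_SPF, evaluate_spf),
                                 ("strong SPF", STRONG_SPF, evaluate_spf),
                                 ("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                                 ("strong DMARC", STRONG_DMARC, evaluate_dmarc)]:
        print(label, [(f.severity, f.message) for f in grade(record)] or "no findings")
```

In practice you would feed this the TXT records for your apex domain and for `_dmarc.<domain>`; the checker deliberately does not verify DKIM, since DKIM validity depends on the signature in each message rather than on a static DNS record.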

3) Policies And Procedures

It's important to provide written guidelines to employees on how to deal with suspicious content, their personal responsibility and liability around disinformation, and their accountability when they forward or amplify it. Any anti-phishing policy should cover disinformation explicitly, highlighting the tactics and tools cybercriminals use to defraud organizations and employees. The document should state that users must always verify the authenticity of the source of a suspicious email, read beyond the subject line, and never assume information is correct simply because it confirms their beliefs or arrives from a trusted sender. Odd syntax or unusual phrasing warrants caution, and any suspect instruction should be reported to the security team.

Information Disorder Is Everyone’s Responsibility

Combating disinformation is hard. Like climate change, disinformation is everyone's responsibility. This obviously doesn't mean that we absolve tech companies, social media platforms and disinformation content creators (such as politicians and nation-state adversaries) of their sins; it means we focus our efforts on awareness, education, preparedness and transparency, because whether we like it or not, information disorder is here to stay.

About the Author:

Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with 41,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at [email protected].

(Image courtesy TeroVesalainen/bigstockphoto.com)
Some mobile phone scams can be highly targeted, making it difficult for even the most security-savvy user to spot them.