How do I hack thee? Let me count the ways. Among others, I hack thee to the depth and breadth and height of a spear-phishing attack (apologies to Elizabeth Barrett Browning).

By now, you may be aware that many of the most devastating hacks that have occurred in recent history—the Democratic National Committee (DNC), Yahoo, the W-2 scam—have been launched from a base of information or access garnered by sending a poisoned email with tailored details to a specific individual, who then becomes the vector for the rest of the attack.

FireEye, a cyber defense company, says it this way on its site: “A spear-phishing attack is a popular and effective precursor to advanced cyber attacks.” The InfoSec Institute puts it like this: “As much as 80% of all malware attacks come from phishing attempts using different variations of social engineering techniques …”

A company that I’m affiliated with, Inky, recently pivoted its focus from email management (“All your accounts in one place on all your devices”) to spear-phishing protection (“cryptographically verified identity”). It wasn’t such a far reach. In between, the company turned its email suite into a secure messaging platform using standard public key infrastructure (PKI). Unlike other protection systems, which gather knowledge about the nature of previous spear-phishing attacks to flag suspicious email, Inky eliminates spear-phishing attacks completely by employing end-to-end cryptography to ensure that the person on the other end of that email address is really who they say they are. PKI is most commonly used to keep secrets as they are passed digitally from one place to another. Identity verification is a new twist. The product is called Inky Phish Fence.

To be effective, a spear-phish must be well crafted, have an artist’s touch for similitude, and wear convincing camouflage. Spear-phishing emails are getting more sophisticated all the time. One that Inky would have prevented, had it been deployed, was the DocuSign vector attack. DocuSign—which, among other services, vouches for electronic signatures—sends email notifications to parties to a contract, letting them know what steps they need to take next (e.g., review and sign). In this case, a hacker sent mail from a “typo domain,” docusgn.com (missing the “i”), that looked like DocuSign’s own. Previously, the hacker had penetrated servers at DocuSign itself to obtain names and email addresses of actual DocuSign users, who then made perfect targets for a DocuSign spoofing attack.

The typo-domain attack is similar to a whole family of attacks called Internationalized Domain Name (IDN) homograph attacks, in which, for example, a Latin “i” is replaced by a Cyrillic “i,” or a Latin “B” is supplanted by a Cherokee letter that looks identical. Thus, even an expert scrutinizing the address bar visually could not detect this type of spoof. But underneath that masquerading Cyrillic “i” is an entirely different string of bits, leading who knows where. Inky may be the only solution that detects IDN homograph attacks.

Recently, the podcast Reply All, which runs on a site called Gimlet, highlighted how easy it is to spear-phish people, and even demonstrated that the bigger they are, the harder they fall. The episode—called “#97 What Kind of Idiot Gets Phished?”—answers its own question by inducing a white-hat hacker to spear-phish the company president (after he mocks one of his underlings for having fallen for a similar pitch). It’s pretty good listening.

The principal lesson that comes out of the show is that anyone can fall for a well-crafted spear-phishing attack. But right behind that is an understanding of people’s attitudes: everyone thought a priori that they couldn’t be spear-phished. Eerily, the higher up the corporate hierarchy, the easier it seemed to be to spear-phish the target. The big clam was more easily popped open than the little ones working at the bottom. One explanation is that CEOs see themselves as smarter than others and are therefore less cautious. Another is that CEOs just don’t have that much practice using work tools like email because employees do these tasks on their behalf most of the time. Whatever the reason, the corporate reputation, not to mention the company’s competitive position, can be severely damaged if the CEO’s email is compromised and he becomes the vector of attack.

Unfortunately, the current widely implemented standard, DomainKeys Identified Mail (DKIM), can only verify the server from which an email arrived, not the individual who sent it. DKIM specifies one key per server. That’s fine if the server is, say, gm.com (General Motors’s site), but what if a spoofer sent from grn.com? The “r + n looks like m” spoof works particularly well in some sans-serif fonts, like Arial. So, if you get an email from what looks like General Motors, you tend to trust the server and let your guard down. Inky uses the more definitive standard, Secure/Multipurpose Internet Mail Extensions (S/MIME), which issues one key per end user. But S/MIME has yet to proliferate because it is immensely complicated and requires something to happen on the end user’s device (or devices).

Despite these hurdles, the Inky team is working on making deployment nearly painless. In a world that makes any kind of sense, big mail providers like Google, Microsoft and Yahoo would support this effort. It could stop spear-phishing cold.
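The two technical points above, that a DKIM signature vouches only for the domain that signed and that the domain string itself can be a typo domain (docusgn.com), an “rn for m” lookalike (grn.com) or an IDN homograph (a Cyrillic “i” inside docusign), are illustrated by the following added Python example. It is not Inky’s code and not part of the original article. Everything in it is assumed for illustration: the protected-domain list, the deliberately small confusable table, and the sample message headers are constructed; a production filter would draw on the full Unicode confusables data rather than this handful of mappings.

```python
"""Sender-domain lookalike check (added example; not Inky's code).

DKIM tells the receiver which domain signed a message. It cannot tell the
receiver that grn.com is not gm.com, or that docus<Cyrillic i>gn.com is not
docusign.com. This module takes the domain DKIM vouched for and compares it
with a list of protected domains three ways: foreign-script letters (IDN
homograph), a confusable "skeleton" (Cyrillic letters and rn/m, vv/w, cl/d
pairs), and a one-edit typo. All sample data below is constructed.
"""
import re
import unicodedata
from email.parser import HeaderParser

# Constructed list of brands this mailbox expects mail from (assumption).
PROTECTED_DOMAINS = {"docusign.com", "gm.com"}

# Cyrillic letters that render like Latin ones. A small hand-picked table,
# not the full Unicode confusables list (assumption for illustration).
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}
# Letter pairs that merge visually in common sans-serif fonts.
CONFUSABLE_SEQS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Map a domain to the Latin string a reader would perceive on screen."""
    s = domain.lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for seq, repl in CONFUSABLE_SEQS:
        s = s.replace(seq, repl)
    return s


def scripts(domain: str) -> set:
    """Unicode script names of the letters in the domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, protected=PROTECTED_DOMAINS) -> dict:
    """Return verdict and reasons for one sender domain."""
    domain = domain.lower().rstrip(".")
    findings = {
        "domain": domain,
        # The ASCII (xn--) form is what actually travels in DNS and in DKIM d=.
        "punycode": domain.encode("idna").decode("ascii"),
        "verdict": "ok",
        "reasons": [],
    }
    if domain in protected:
        return findings
    foreign = scripts(domain) - {"LATIN"}
    if foreign:
        findings["reasons"].append(f"non-Latin script in domain: {sorted(foreign)}")
    sk = skeleton(domain)
    for good in sorted(protected):
        if sk == good:
            findings["reasons"].append(f"renders like {good}")
        elif edit_distance(domain, good) == 1:
            findings["reasons"].append(f"one edit away from {good}")
    if findings["reasons"]:
        findings["verdict"] = "lookalike"
    return findings


def check_message(raw_headers: str, protected=PROTECTED_DOMAINS) -> dict:
    """Extract the From domain and the DKIM d= domain, then classify the latter."""
    msg = HeaderParser().parsestr(raw_headers)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").strip().lower()
    tag = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signing_domain = tag.group(1).lower() if tag else None
    return {
        "from_domain": from_domain,
        "dkim_domain": signing_domain,
        # A valid signature whose d= matches From still only proves "grn.com signed this".
        "aligned": signing_domain is not None and signing_domain == from_domain,
        "finding": classify_domain(signing_domain or from_domain, protected),
    }


# Constructed headers: a DKIM-signed message from the rn-for-m lookalike domain.
SAMPLE_HEADERS = (
    "From: General Motors Fleet <fleet@grn.com>\r\n"
    "To: buyer@example.com\r\n"
    "Subject: Updated purchase order\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=grn.com; s=mail; c=relaxed/relaxed;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for d in ["gm.com", "grn.com", "docusgn.com", "docus\u0456gn.com"]:
        print(classify_domain(d))
    print(check_message(SAMPLE_HEADERS))
```

The check deliberately runs on the DKIM `d=` domain rather than the display name or the From header alone, because that is the only identity the signature actually attests; the confusable table and protected list are the parts a deployment would replace with real data.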