We’ve all gotten them – those emails that claim to be from an ISP, or a bank, or, for that matter, company management, asking us to click a link and enter our credentials, or to open an attachment to see important information. And if we follow the instructions, the payoff is unexpected and nasty: a compromised account, or malware, or both.
It’s called phishing (pronounced fishing), a technique that fakes trusted sources to persuade us to provide personal information or passwords, or to somehow infect our computers with malware that gives criminals a foothold in the company network. The email that entices the click may claim to come from PayPal, or a bank, warning you that your accounts will be blocked unless you confirm your identity by clicking a link and entering credentials. It may claim to be from iTunes or Amazon, warning you of alleged fraudulent transactions, or it could even appear to be from corporate IT or HR, advising you to open an attachment to read about new policies.
Whatever its alleged source, a phishing attack exploits our tendency to accept instructions from authoritative sources to social engineer us into handing over the crown jewels. And make no mistake, most of today's phishes are carefully crafted to look as much like the real thing as possible. Some phishers go so far as to copy the look of a real login site onto a fake domain, so their victims remain fooled as long as possible, and may even pass the stolen credentials through to the real service, so the victim sees a normal login and the theft goes unnoticed longer.
Phishing isn't new, but it's gotten a lot more sophisticated over the years. Phishers now use genuine logos and other material scraped from the web to make their emails look authentic. It's a big enough problem that even the US Securities and Exchange Commission (SEC) has devoted a web page to detecting and preventing it, and to mitigation should someone get fooled. In fact, the 2015 Verizon Data Breach Investigations Report found that over two-thirds of espionage cases included phishing attacks.
It's hard to develop a technological solution to what is, basically, a human issue, but companies are trying. Anti-malware vendors can detect some patterns that suggest a phish, and at least warn the user that clicking a link in a particular email may not be a good idea. Microsoft and others have published good Q&As listing things to watch for. Law enforcement agencies are also getting into the act – check out the RCMP phishing page, for example.
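The "patterns that suggest a phish" mentioned above are usually simple, mechanical checks on the message itself. The script below is an added example, not part of this article and not PhishMe's or any vendor's code: it parses a raw email and flags the classic indicators (a Reply-To domain that differs from the From domain, link text that shows one site while the href points at another, links to a bare IP address or over plain http, and urgency phrases in the body). The two sample messages, the keyword list and the domain/IP values are constructed for the demo; the "registrable domain" helper is deliberately crude (last two labels) and a real filter would use a public-suffix list.

```python
"""Heuristic phishing-indicator scanner for a raw RFC 5322 message (added example)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative urgency phrases; a production filter would use a larger, tuned list.
URGENCY_WORDS = ("suspended", "verify your account", "within 24 hours", "immediately")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registrable domain' (last two labels); assumption for the demo only."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def link_indicators(links):
    findings = []
    for href, text in links:
        target = urlparse(href)
        host = target.hostname or ""
        # Visible text that looks like a URL but whose domain differs from the real href
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to bare IP address {host}")
        if target.scheme == "http":
            findings.append(f"unencrypted http link to {host}")
    return findings


def sender_indicators(msg):
    findings = []
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_addr = email.utils.parseaddr(str(reply_to))[1]
        from_dom = registered_domain(from_addr.split("@")[-1])
        rt_dom = registered_domain(rt_addr.split("@")[-1])
        if from_dom != rt_dom:
            findings.append(f"Reply-To domain {rt_dom} differs from From domain {from_dom}")
    return findings


def scan(raw_message):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = sender_indicators(msg) + link_indicators(extract_links(html))
    text = re.sub(r"<[^>]+>", " ", html).lower()
    findings += [f"urgency phrase: {w!r}" for w in URGENCY_WORDS if w in text]
    return findings


# Constructed sample messages (RFC 5737 address and reserved .test/.invalid names).
PHISH_SAMPLE = """\
From: "Example Bank Security" <security@examplebank-alerts.test>
Reply-To: collector@mailbox.invalid
To: employee@corp.test
Subject: Action required: your account will be suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p><a href="http://192.0.2.10/login">https://www.examplebank.test/login</a></p>
</body></html>
"""

BENIGN_SAMPLE = """\
From: IT Helpdesk <it@corp.test>
To: employee@corp.test
Subject: New policies published
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the new policies on the
<a href="https://intranet.corp.test/policy">intranet policy page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan(sample))
```

Each indicator on its own is weak (plenty of legitimate mail uses a separate Reply-To), which is why mail filters score several together and why the article's point stands: tooling narrows the problem, but the user still has to decide whether to click.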
It's still not enough, though. The Verizon report said that 23 percent of recipients open phishing messages, and 11 percent click on attachments. It takes only 82 seconds on average for hackers to get their first victim in a phishing campaign. That's less than a minute and a half.
What to do? Verizon's lead author, Bob Rudis, says, "training your employees is a critical element of combating this threat." But how?
Enter companies like PhishMe. PhishMe started with a simple concept: people need to learn to recognize phishing messages without putting themselves or their companies at risk. It developed a software-as-a-service (SaaS) simulator that does what one might describe as benign phishing. It periodically immerses employees in simulated phishing scenarios. Those who fall for the simulated scams instantly receive bite-sized training to help them catch the bad messages next time – what the company refers to as a ‘Teachable Moment’.
The company provides six types of scenarios based upon what it says are the latest strategies and techniques used by threat actors, offering pre-built themes in each major type:
- Click-only: An email that urges the recipient to click on an embedded link.
- Data Entry: An email with a link to a customized landing page that entices users to enter sensitive information.
- Attachment-based: An email with seemingly legitimate attachments in a variety of file formats.
- Double Barrel: Simulates conversational phishing techniques by sending two emails or an SMS and email – one benign and one containing a malicious element – to train users on this tactic used by APT groups.
- Benchmarking: An additional report that provides an anonymous comparison of your results with other PhishMe customers or industry peers that ran the same scenario.
- Highly Personalized: Simulates advanced social engineering tactics by using specific public, known details about email recipients gathered from internal and public sources.
A dashboard lets administrators and management track which individuals or departments are most susceptible to phishing, so they can receive extra attention, and also monitors the effectiveness of the training. PhishMe says that its training has reduced susceptibility to attacks by up to 80 percent.
A second piece, an Outlook plug-in called PhishMe Reporter, lets employees report suspected phishing messages right from the program's toolbar, and a new third component, PhishMe Triage, automates the analysis of those suspicious messages to ease the manual burden on security staff.
An investment in phishing awareness training pays off. Anyone can be targeted, as illustrated by this story from the editors of a security publication who were attacked through a phony press release (spoiler: they recognized the scam, thanks to their training, and no damage was done). And more recently, phishing emails got Russian attackers into the US White House.
Getting nervous yet? You should be. Even if you can't afford external training, phishing awareness should be top-of-mind for managers deciding what to spend their precious security dollars on. Security is only as good as its weakest link. Don't let that link be an unaware employee.