In a world where cyber threats seem to be escalating exponentially and high-profile data breaches happen every day, it may be surprising to know that one of the most effective methods of attack isn’t a super sophisticated virus or incredibly elaborate hack but rather a simple email.
Phishing attacks remain one of the biggest threats to organizations of all sizes across just about every industry because there is no patch or update that can solve the problem; the issue stems from people and their behaviors.
That’s why some companies have taken a novel approach to make sure their employees don’t fall for a phishing attack. Instead of waiting for one to hit, they preemptively phish their workforce to see how people respond.
Roberto Valdez, risk advisory services manager at CPA and advisory firm Kaufman Rossin, helps companies carry out these simulated attacks through a service the firm offers called PhishNet.
Valdez, who specializes in cybersecurity auditing and advisory services, sizes up companies in a way that is not dissimilar from how a hacker might. Through the PhishNet program, he and other experts examine an organization’s risk profile, determining how big of a target it might be and how vulnerable to an attack its systems and employees are.
Once the organization has been sized up, Kaufman Rossin’s experts can send a simulated phish attack. An email lands in the inbox of the company’s employees that may appear legitimate at a glance—it might be presented as an important announcement or a change in policy.
Employees open the email, which may include a link to an external site or an attachment. If they interact with any of those aspects of the email, they have fallen victim to the phishing attempt. However, instead of it resulting in a virus downloaded to their device or a phony login page designed to steal their password, those who mistakenly trust the email are immediately sent through a brief training program.
Those programs are quick—taking just three to five minutes—and informative, requiring the user to learn about the risks of phishing attacks so they know exactly what they did wrong and how they can avoid it in the future.
Valdez told International Business Times the process is “interruptive and interactive.” It’s designed to not keep people from their work for too long while encouraging them to understand the security threats that they face every day.
“It’s a pretty simple, straightforward concept, but it has major impact,” Valdez said. Organizations that undergo the phishing campaign see significant improvement in their employees’ awareness of attacks and therefore a much lower click rate in future campaigns.
According to Valdez, 60 percent of companies see an immediate decrease in clicks on phishing emails by the time they run a second campaign. Those results tend to improve as employees are put through the test and kept alert to the potential risk of phishing attacks.
To bolster the awareness of the workforce, Valdez advises organizations to set up a “lunch and learn” or a company-wide security training session to help reinforce the lessons taught by the faux phishing campaign.
He said these sessions can be used to raise awareness of the types of threats that exist online, highlighting dark web marketplaces and forums where malicious actors trade stolen credentials and sell malware as a service to others hoping to attack and harvest valuable information from organizations.
While the seminars after the fact can help hammer home the risks that some employees may be unaware of, the phishing campaign itself produces results and occasionally shocks the system for employees who thought they weren’t vulnerable to such a threat.
Phishing attacks are often dismissed by those who identify as even slightly tech savvy, as the attacks are associated with spam. That may be the case for some attacks that cast an incredibly wide net, but organizations have to be worried about more targeted efforts in which an attacker puts in the time to understand what may get a user to click.
Valdez’s PhishNet service can scale up to simulate these types of attacks, adding elements like spoofing domain names to appear more legitimate—a tactic that is often used in targeted campaigns—or posing as an associate or vendor that a company has a contract with.
These more sophisticated attacks are capable of tricking more advanced users who are aware of the telltale signs of an obvious phish attempt but may not immediately sniff out the elements of a targeted attack. When the email blends in with their workflow, all it takes is one mindless click to lead to compromise.
“We recently sent out a phish to an IT security services company,” Valdez said. “They told us, ‘we think we’re pretty advanced, we have a lot of engineers, we have a lot of security-minded people.’ We sent a fairly advanced phish and they ended up having a click rate that was high and raised some eyebrows for management.”
There is a reason that 91 percent of cyberattacks start with a phish: because they work. All an attacker needs is for one person to open a legitimate-looking attachment or enter their password on a mock login screen to gain considerably more access to an organization’s network.
“It’s surprising how intelligent, sophisticated, advanced users also fall for phish as well,” Valdez said.
The impact of the training goes well beyond just making sure employees don’t open a suspicious email while at work. It also makes them more alert to threats that extend beyond the reach of the organization’s IT department.
“We really encourage our clients to think of their employees extending well beyond their network. Providing security awareness training is important because…your people are everywhere,” Valdez said. “They’re accessing things from their home, from their phone. Their footprint extends well beyond your network.”
Employees can be targeted on accounts unrelated to work, including social media and personal email accounts. Those may seem like problems for the individual, but those breaches can lead to company data being compromised.
Employees can put their work at risk in a number of ways when an unrelated account is breached. Some reuse passwords on personal and work accounts or have linked their accounts. If a personal email is hacked and work contacts are connected to it, a hacker can carry out a phishing campaign by posing as what would otherwise be a trusted contact.
“Your people go beyond your network,” Valdez said. Giving them the awareness to keep an eye out for attacks while on the clock can also help prevent attacks that happen away from work.
Roberto Valdez, CPA, is a risk advisory services manager in Kaufman Rossin’s Boca Raton, Florida, office and provides IT security consulting services to businesses in a variety of industries. Roberto can be reached at firstname.lastname@example.org.