Hack a punch: Why intelligent phishing simulation is vital in the fight against scammers
Your friend Andy’s always been interested in kickboxing.
So he joins a beginner’s class where he rehearses all the moves and works on his fitness. Bit by bit, he perfects his form and technique in the mirror. He spends all his spare money on top-of-the-range gear.
Supremely confident in his abilities, Andy signs up for his first match.
The day arrives. The room is packed. He steps into the ring. The bell sounds.
He keeps his guard up like he practiced in the mirror.
But he’s got a problem: His opponent isn’t a mirror. His opponent is Derek the Destroyer. And Derek’s been doing this for years. He easily lands a killer punch without breaking a sweat. Then another. Then another.
Andy is stunned. He should have seen it coming. He knew what to look out for. He thought he knew how to defend himself.
Andy’s missing something and it’s caused him to get pummeled.
And . . . it’s 100 percent not his fault. He should have had better training.
Because Andy never had the opportunity to practice defending himself in a realistic (but safe) scenario.
In combat sports, this practice is called sparring. It’s essentially a simulated fight, and it’s all about preparing fighters for real-world situations. It’s important because it helps fighters learn how to anticipate and respond to their opponents’ next move and act against it.
But, of course, in your organization there are no mouthguards and sweaty gym mats. And yet, cybersecurity is all about putting up your best fight against the bad guys.
You need to give your people a fighting chance at fending off attacks.
Because phishing attacks remain one of the most common and damaging cyber threats facing organizations today.
With the rise of remote working and the increased use of technology, the threat of phishing attacks is greater than ever.
And in this arena, cybercriminals are highly skilled heavyweights. They’ve been in the game for years. And they don’t pull their punches.
So if you’re not equipping your people effectively, there’s only going to be one winner. And it’s not going to be you.
But you know that, right? That’s why you’ve invested in various security solutions, implemented policies and procedures. And maybe you’ve even got phishing simulations. They catch people off guard and then assign more training if people fail them. That’s bound to teach them. Right?
The truth is, phishing sims often fail to achieve their intended purpose. And that makes your defenses fall way short.
But that’s where intelligent phishing training comes in. It’s like spending time running supportive, friendly sparring matches for each person in your organization. And it greatly reduces the chances of your organization taking a pummeling from a cyber attack.
Why all the fuss about phishing?
Phishing attacks are the most common cause of data breaches, with 80% of reported incidents involving phishing or social engineering.
Moreover, the cost of a successful phishing attack can be significant, with an average cost of $1.6 million per incident. So it’s essential to train people to recognize and avoid phishing attacks.
What makes them such formidable foes, though?
1. They use human behavior as a weapon
Phishing attacks prey on human behavior. They’ll often pose as a communication from an authority figure. They might foster a sense of urgency. They may offer a reward to the recipient.
These elements play on the human psyche. Deference, anxiety, fear, and/or excitement will push people into knee-jerk responses like handing over sensitive data. That’s all it takes for the scam to work.
2. They take the . . . phish
The laziest way to shake down an organization if you’re a cybercriminal? Use times of crisis to your advantage.
Remember how calm and rational you felt during the early days of Covid-19? Yep. Exactly.
The UK’s HMRC detected a 73% increase in email phishing attacks in the first six months of the pandemic.
And plenty of us received a phishing attempt posing as a Covid-19 vaccination invitation.
3. They’re targeted
It’s a doddle for threat actors to use social engineering and personal information to make their scams seem legitimate. With targeted attacks, it’s even more dangerous because these scams are less likely to be caught by filters.
Business email compromise (BEC) is one form of targeted spear phishing. The attacker impersonates (or takes over the mailbox of) an executive, a colleague or a supplier, usually to redirect a payment or extract sensitive data.
In 2019, Toyota lost $37 million in a BEC scam, and these scams have been on the rise since the pandemic began. In the second quarter of 2020, BEC wire transfer losses went up 48%.
4. Phishing filters are imperfect
Most organizations today use phishing filters to combat phishing attacks.
But studies show phishing filters are far from perfect.
Sure, they can detect and block known, mass-mailed phishing campaigns. But when it comes to targeted spear-phishing attempts on senior executives, that filter’s about as effective as a screen door on a submarine. In fact, research suggests that these filters miss up to 25% of phishing emails.
We know more sophisticated and personalized phishing tactics are on the way. So, relying solely on software isn’t going to cut it.
So what can security teams do to better protect their organizations from phishing attacks?
Filters don’t save organizations—people do
Fortunately, security teams have something else to defend against phishing attacks: People.
Of course, once upon a time, people were framed as nothing but one huge cybersecurity liability.
But without question, alert and aware people detect and stop malicious phishing attacks from doing any damage on a daily basis.
The reason? People have a broader range of criteria they can use when assessing emails. And because people aren’t bound by fixed rules, they can err on the side of caution and check before acting.
People can prevent cyber attacks—when you empower them. Yes, even sophisticated forms of phishing.
So how do you get them there? Specifically, how do you empower people to spot and flag the phishing attacks phishing filters miss?
It’s not just about security awareness. It’s about security behaviors and security culture.
It’s about an intelligent approach to phishing training.
So how can you fix phishing simulations?
How can you create a culture that makes simulated phishing effective?
Goal setting and planning
Not planning and goal setting. This is important. You can’t start planning until you know what you want to achieve. Pick your destination, then map out the route.
Be ambitious. Set the bar high. Really high. It’s better to do your best and fall a little short than to set the bar low and comfortably get there. So, take some time to think about what you want out of your campaign and make a list of your goals.
Set key metrics
Remember those pesky click rates? Well, you’ll need to measure those . . . and then some. Tracking click rates alongside other metrics, such as how many people report the simulated email and how quickly they do it, will help you prove the success of your campaign.
Decide how you support repeat clickers
Repeat clickers are people who perform several high-risk actions (like downloading attachments or entering data on a simulated landing page) within a set time period. For example, you could decide anyone that performs four or more high-risk actions within six months will be classified as a repeat clicker. That’s repeat clickers. Not repeat offenders. There’s a difference.
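Putting the two steps above into code, as an added example that is not from the original article: it computes click and report rates from a simulation event log and applies the repeat-clicker rule just described (four or more high-risk actions in any six-month window). The event log is constructed; the record layout, the use of 182 days for "six months", and the choice to count only attachment downloads and data entry as high-risk (a bare link click feeds the click rate only) are assumptions.

```python
"""Phishing-simulation metrics and repeat-clicker classification.

Added example, not from the original article. The event log is constructed;
the field layout, the 182-day "six months" and which actions count as
high-risk are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# The article's high-risk actions: opening an attachment or entering data
# on the landing page. A bare link click is counted for the click rate only.
HIGH_RISK_ACTIONS = {"attachment", "data_entry"}

# Constructed sample log: (user, date of the simulated email, action).
# One simulated email per (user, date); "delivered" is the baseline and
# "reported" means the user flagged it with the report button.
SAMPLE_EVENTS = [
    ("alice", date(2023, 1, 10), "delivered"), ("alice", date(2023, 1, 10), "click"),
    ("alice", date(2023, 1, 10), "data_entry"),
    ("alice", date(2023, 3, 5), "delivered"), ("alice", date(2023, 3, 5), "attachment"),
    ("alice", date(2023, 5, 20), "delivered"), ("alice", date(2023, 5, 20), "data_entry"),
    ("alice", date(2023, 6, 30), "delivered"), ("alice", date(2023, 6, 30), "attachment"),
    ("bob", date(2023, 1, 10), "delivered"), ("bob", date(2023, 1, 10), "reported"),
    ("bob", date(2023, 3, 5), "delivered"), ("bob", date(2023, 3, 5), "click"),
    ("bob", date(2023, 5, 20), "delivered"), ("bob", date(2023, 5, 20), "reported"),
    ("carol", date(2023, 1, 10), "delivered"), ("carol", date(2023, 1, 10), "data_entry"),
    ("carol", date(2023, 3, 5), "delivered"), ("carol", date(2023, 3, 5), "data_entry"),
    ("carol", date(2023, 5, 20), "delivered"),
    ("carol", date(2023, 9, 1), "delivered"), ("carol", date(2023, 9, 1), "data_entry"),
    ("carol", date(2023, 9, 15), "delivered"), ("carol", date(2023, 9, 15), "attachment"),
    ("dave", date(2023, 1, 10), "delivered"), ("dave", date(2023, 3, 5), "delivered"),
]


def campaign_metrics(events):
    """Click and report rates per delivered simulated email.

    A message counts as clicked if the user clicked, opened the attachment
    or entered data; it counts as reported if the user flagged it.
    """
    delivered, clicked, reported = set(), set(), set()
    for user, day, action in events:
        msg = (user, day)
        if action == "delivered":
            delivered.add(msg)
        elif action == "reported":
            reported.add(msg)
        elif action == "click" or action in HIGH_RISK_ACTIONS:
            clicked.add(msg)
    n = len(delivered)
    n_clicked, n_reported = len(clicked & delivered), len(reported & delivered)
    return {
        "delivered": n,
        "clicked": n_clicked,
        "reported": n_reported,
        "click_rate": n_clicked / n if n else 0.0,
        "report_rate": n_reported / n if n else 0.0,
    }


def repeat_clickers(events, threshold=4, window_days=182):
    """Users with >= threshold high-risk actions inside any window_days span.

    A sliding window over each user's sorted high-risk dates, so four
    actions spread over a year do not trigger the six-month rule.
    """
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for user, day, action in events:
        if action in HIGH_RISK_ACTIONS:
            by_user[user].append(day)
    flagged = set()
    for user, days in by_user.items():
        days.sort()
        start = 0
        for end, day in enumerate(days):
            while day - days[start] > window:  # drop dates that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE_EVENTS)))
```

In the sample, carol has four high-risk actions in total but never four inside one 182-day window, so only alice is classified; widening the window to a year flags both. That is the difference between a repeat clicker and a repeat offender in numbers.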
So you’ve set your goals and thought about how you’ll classify and manage repeat clickers. But make no mistake, you can’t do this alone. You just can’t. You’ll need help. Lots of it.
And then there’s the ways to supercharge any cybersecurity training’s effectiveness:
It’s all about tailoring training to individual learning styles and preferences. That makes it more engaging, relevant, and memorable. And it’s more likely they’ll remember what they’ve learned and put it to use.
Don’t be afraid to use game-like elements in training. You’ll make it more engaging and competitive—dare we say maybe even . . . fun? You’ll boost motivation and participation, as well as reinforce learning.
Cyber threats and technologies are constantly evolving. To stand a chance, people need ongoing training and education. Keep them up with the latest trends and best practices. Only then can they respond effectively.
How do I implement an intelligent approach to phishing simulation?
Just like a fighter, an intelligent approach to phishing simulations will keep you quick on your feet, sharp-eyed, and able to dodge incoming attacks.
But let’s face it, you’re not fighting some lightweight contender here. You need a robust plan of attack to go up against the heavyweights in the cyber world.
That’s where our free ebook comes in. It’s like having a championship trainer in your corner. A New Approach to Simulated Phishing is your ticket to intelligent simulated phishing training that’ll take your phishing resilience to the next level.
Remember, it doesn’t matter how many punches the bad guys throw if you’re always one step ahead.
The word “phishing” combines “fishing” with “phreaking,” an earlier term for illicitly hacking telephone systems.
Phishing is an attack in which a criminal sends emails or text messages that appear to come from one of your contacts or a trusted source, such as a bank, in order to trick you into handing over personal information or login credentials.
These emails may also contain attachments or links that may install malware onto your computer. The perpetrator is then able to access your data, logins, and other sensitive information.
Some of the most common types of phishing include:
- Email Phishing – phishing attack when a cyber criminal sends fake emails that pretend to come from genuine domains
- Spear Phishing – targeted phishing emails that use social engineering, and often malware or a credential-harvesting link, against a specific organization or person
- Whaling – involves targeting high-ranking executives or managers
- Business Email Compromise (BEC) – where an attacker spoofs or takes over a business email account and uses what they learn from it to send convincing messages that appear to come from a legitimate sender, typically to redirect payments
- CEO Fraud – type of spear phishing when someone poses as the CEO and asks for money or account information
- Vishing – phone call phishing
- Smishing – text message phishing
- Angler phishing – social media attack where scammers pretend to work as customer service and contact unhappy customers
There are a few things that you can look for when assessing whether or not an email is phishing:
- The sender’s address (the display name versus the actual address, misspelled or lookalike domains, a Reply-To header that points somewhere else)
- The link in the email (hover to see where it really goes; watch for redirects, typos, bare IP addresses, and link text that shows one URL while the link leads to another)
- The subject line (plays on emotions, urgency or incentives)
- The content of the message (unexpected requests for credentials, payments or personal data)
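The checks in the list above, run over a constructed message, as an added example that is not from the original page. It parses the headers and HTML body with the Python standard library and flags a lookalike sender domain (by edit distance to a trusted domain), a Reply-To that goes elsewhere, urgency words in the subject, and links whose real target differs from what the text shows or that use the user@host trick or a bare IP. The two sample emails, the trusted domain `acmebank.example`, the urgency word list and the distance threshold are assumptions; `.example` domains are reserved and never resolve.

```python
"""Heuristic checks for the phishing indicators listed above.

Added example, not from the original page. Both messages, the trusted
domain and the urgency words are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"acmebank.example"}  # assumption: the genuine sender's domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "action required")

# Constructed lookalike phish: "acrnebank" (r+n) imitates "acmebank", the
# Reply-To goes elsewhere, and the link text hides an IP-literal target.
PHISH_EMAIL = """\
From: "Acme Bank Security" <alerts@acrnebank.example>
Reply-To: recovery@mail-relay.example
To: victim@corp.example
Subject: URGENT: your account is suspended - verify now
Content-Type: text/html; charset=utf-8

<html><body><p>Click <a href="http://acmebank.example@198.51.100.7/login">
https://acmebank.example/login</a> to restore access.</p></body></html>
"""

# Constructed legitimate message for comparison.
CLEAN_EMAIL = """\
From: "Acme Bank" <alerts@acmebank.example>
To: victim@corp.example
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><a href="https://acmebank.example/statements">View statement</a></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def assess(raw_email):
    """Return a list of (indicator, detail) findings; empty means nothing flagged."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    # Sender address: lookalike of a trusted domain, Reply-To pointing elsewhere.
    from_domain = domain_of(parseaddr(str(msg["From"]))[1])
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(from_domain, trusted) <= 2:
            findings.append(("lookalike_sender_domain", f"{from_domain} ~ {trusted}"))
    if msg["Reply-To"] and domain_of(parseaddr(str(msg["Reply-To"]))[1]) != from_domain:
        findings.append(("reply_to_mismatch", str(msg["Reply-To"])))
    # Subject line: pressure words.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgent_subject", ", ".join(hits)))
    # Links: where the href really goes versus what the text shows.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            parts = urlsplit(href)
            host = (parts.hostname or "").lower()
            if parts.username:  # "trusted@evil" trick: the browser goes to the part after @
                findings.append(("url_userinfo", href))
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append(("ip_literal_host", host))
            if host and host not in TRUSTED_DOMAINS:
                findings.append(("untrusted_link_domain", host))
            shown = (urlsplit(text).hostname or "").lower() if text.startswith("http") else ""
            if shown and shown != host:
                findings.append(("link_text_mismatch", f"shows {shown}, goes to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(PHISH_EMAIL):
        print(f"{code:24s} {detail}")
    print("clean message:", assess(CLEAN_EMAIL))
```

This is a triage aid for a human or a report-button workflow, not a replacement for a mail filter: it only sees what the headers and body say, so a message from a genuinely compromised account with a trusted domain and a clean link will pass every check here.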
- Stay away from suspicious links or emails and never click on them without verifying the sender’s identity.
- Always be suspicious of any email, text messages or phone calls that ask for your personal information.
- If a link or email seems suspicious, call the sender to verify it is really them before taking any action, using a phone number you already have rather than one given in the message.
- Be aware of what personal information you share on social media and make sure it is not accessible to everyone.
- Double check the URL in the browser’s address bar before entering sensitive information.
1. Do NOT enter any of your details into any forms that may be present on the potentially malicious web page you’ve inadvertently opened. If you already have, change that password immediately (and anywhere else you reuse it) and tell your security team.
2. Similarly, do NOT click any of the links on the web page.
3. Immediately close the page down.
4. Run a full virus scan on the device which you used to click the link.
5. Report the email as spam to your provider and, at work, to your security team using the report button if you have one.
6. If you suspect your device may have been infected with malware, consult an IT professional as a priority.
Phishing attempts can be reported to the authorities in many different ways depending on the country where the fraud occurred.
In the USA you can contact the Federal Trade Commission (FTC) at 1-877-438-4338 or by visiting ftc.gov/complaint.
In the UK visit www.actionfraud.police.uk or call 0300 123 2040 and for Europe you can check https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
The investigating organization will take appropriate action, such as bringing a case or working with other law enforcement agencies to prosecute offenders and support the people who have been victimized.