In 2017, an email prankster targeted the White House.
The prankster’s goal was simple: to trick White House staff into responding to fraudulent emails for nothing more than a cheap thrill. With little to gain from the endeavour, the prankster’s efforts were basic.
The trickster wrote a simple email purporting to be from Donald Trump’s son-in-law, Jared Kushner. He sent it off to Tom Bossert (at the time Homeland Security Advisor). And he waited to see if the security advisor would respond.
The importance of phishing awareness training
The nature of the prank alone goes a long way to demonstrating the importance of phishing awareness training.
The phishing email required no advanced technical prowess to deploy. And, as it was targeted, it was unlikely to be caught by phishing filters.
So long as emails are carefully crafted, there’s a chance they will work.
Using human behaviour as a “weapon”
Knowing how important the content of the email would be, the prankster set about using, in his words, “human behaviour and weakness” as his “weapon” of choice.
The email – being supposedly sent from the President’s son-in-law – already carried an air of authority. It took the form of an invitation to a private party – so also flattered its target. A well-placed joke established rapport.
It played on three powerful areas of the human psyche. As such, it prompted the at-the-time Deputy Assistant to the President for Homeland Security and Counterterrorism (to use the full title) to respond – handing out his personal email address to a total stranger.
Phishing scams affect businesses every day
While the prank ended there, it doesn’t take much imagination to work out where the story could have gone. A more malicious actor might have used the thread to deploy any manner of malware and/or elicit some of the most sensitive information in the world.
Similarly simple phishing scams affect businesses every day. The UK’s most recent cyber security breaches survey reported “fraudulent emails or being directed to fraudulent websites” (i.e. phishing) as the most common cyber threat facing UK businesses today. Phishing attacks can relieve the world’s biggest tech companies of tens of millions. In the personal realm, they can destroy their victims’ lives.
Perhaps because of how simple they are to manufacture, phishing attacks are on the rise. Phishing training is undoubtedly important… and it urgently needs to move beyond the compliance-based phishing training and cyber security packages currently on offer.
At CybSafe, we’ve developed and are delivering the world’s first truly intelligent cyber security awareness platform in collaboration with psychologists, to improve:
- what people know about security
- how people behave when confronted by threats (and why they react in the way that they do)
- and the security culture in businesses and organisations
Just like every other aspect of cyber security, phishing training is both important and increasing in salience.
Organisations that recognise as much are well-placed to overcome phishing threats and minimise cyber risk.