Teach someone to spot a phish and you’ll secure them for a lifetime, advises Email Laundry’s Bagnall
14 March 2016
Not so long ago, anyone with basic primary-school English could easily spot phishing emails. They were so poorly written and littered with spelling mistakes that they practically screamed “this is a scam” in flashing neon.
Those mass-mailed, barely literate emails have not gone away — and incredibly, 3% of people still click on them — but attackers now take a far more sophisticated and targeted approach. Some emails claim to be from Irish utilities and banks in order to trick people into surrendering their passwords and log-ins.
Others send messages to smaller numbers of people in specific organisations, often with personalised greetings. Some attackers research the target, in order to write more convincing messages that appear to come from a colleague in accounts or HR.
The most successful phishing mails include little text because experience shows that people are more likely to trust messages if the content is short. The wording usually conveys a sense of urgency, which is designed to manipulate the recipient and compel them to act quickly — whether that is transferring money to an unauthorised account, giving up their credit card details, or clicking on a link that installs ransomware on the victim company’s network.
Fooling people is not the only reason that phishing is successful. Criminals behind these scams often use hacked Gmail accounts because the genuine address allows the emails they send to bypass spam filters and honeynets. The popularity of email marketing services like MailChimp or SendGrid means that email filters are obliged to accept messages that are legitimately sent from other accounts.
Clearly, technical solutions alone cannot solve this problem. So what can be done to avoid the risk and cost of falling victim?
Training your people to spot a fake email is a highly effective way of strengthening your security. Here is how: every employee receives a simulated phishing email; if they fall for it, the link takes them to a page where they must complete security training. The test is then repeated at regular intervals, using different types of fake emails, to check that everyone is on guard against scams.
Phishing user training is needed because research from Trend Micro has found that 91% of targeted attacks start with a ‘spear phishing’ email. Infected email was the source of ransomware that infected Klinikum Arnsberg hospital in Germany — one of several incidents that emerged in February. Last year’s notorious Ashley Madison data breach also started with a phishing email.
Phishing user training works because it is focused, repeatable and measurable. Business owners and managers get reports showing how susceptible their organisation is to phishing, and can then see which staff have undertaken the training. By gauging how many people fall for each simulated phish, they can track the training's effectiveness over time.
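The reporting side of the programme just described (per-round susceptibility, who still owes training, and whether the numbers are moving the right way) can be worked through on a small set of records. The following is an added example and not code from the article or from The Email Laundry's product; the record fields, the lure categories and the employee names are constructed sample data chosen for illustration.

```python
"""Tracking a simulated phishing programme over time.

Added example, not code from the article or from The Email Laundry's product.
It models the procedure the article describes: each employee receives a
simulated phish; anyone who clicks is routed to a training page; the exercise
is repeated with a different lure each round, and management gets a
susceptibility report per round. Every record below is constructed sample
data; the field names and lure categories are assumptions, not taken from
any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimulationResult:
    """One employee's outcome in one simulated phishing round (constructed)."""
    round_id: str
    sent_on: date
    lure: str            # type of fake email used in this round
    employee: str
    clicked: bool        # followed the link in the simulated phish
    trained: bool        # completed the training page the link led to


# Constructed sample data: three rounds, each with a different lure type.
SAMPLE_RESULTS = [
    SimulationResult("r1", date(2016, 1, 12), "bank-login", "alice", True, True),
    SimulationResult("r1", date(2016, 1, 12), "bank-login", "bob", True, False),
    SimulationResult("r1", date(2016, 1, 12), "bank-login", "carol", False, False),
    SimulationResult("r1", date(2016, 1, 12), "bank-login", "dave", True, True),
    SimulationResult("r2", date(2016, 2, 9), "hr-payroll", "alice", False, False),
    SimulationResult("r2", date(2016, 2, 9), "hr-payroll", "bob", True, True),
    SimulationResult("r2", date(2016, 2, 9), "hr-payroll", "carol", False, False),
    SimulationResult("r2", date(2016, 2, 9), "hr-payroll", "dave", False, False),
    SimulationResult("r3", date(2016, 3, 8), "ceo-wire", "alice", False, False),
    SimulationResult("r3", date(2016, 3, 8), "ceo-wire", "bob", False, False),
    SimulationResult("r3", date(2016, 3, 8), "ceo-wire", "carol", True, False),
    SimulationResult("r3", date(2016, 3, 8), "ceo-wire", "dave", False, False),
]


def susceptibility_by_round(results):
    """Return {round_id: fraction of recipients who clicked}, ordered by send date."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    first_seen = {}
    for r in results:
        sent[r.round_id] += 1
        clicked[r.round_id] += r.clicked
        first_seen.setdefault(r.round_id, r.sent_on)
    ordered = sorted(sent, key=lambda rid: first_seen[rid])
    return {rid: clicked[rid] / sent[rid] for rid in ordered}


def training_backlog(results):
    """Employees who clicked in some round but did not complete that round's training."""
    return sorted({r.employee for r in results if r.clicked and not r.trained})


def repeat_clickers(results, min_rounds=2):
    """Employees who clicked in at least `min_rounds` distinct rounds."""
    rounds = defaultdict(set)
    for r in results:
        if r.clicked:
            rounds[r.employee].add(r.round_id)
    return sorted(e for e, rs in rounds.items() if len(rs) >= min_rounds)


def trend(rates):
    """'improving', 'worsening' or 'flat', comparing the latest round to the first."""
    values = list(rates.values())
    if len(values) < 2 or values[-1] == values[0]:
        return "flat"
    return "improving" if values[-1] < values[0] else "worsening"


if __name__ == "__main__":
    rates = susceptibility_by_round(SAMPLE_RESULTS)
    for rid, rate in rates.items():
        print(f"{rid}: {rate:.0%} clicked")
    print("trend:", trend(rates))
    print("still owe training:", training_backlog(SAMPLE_RESULTS))
    print("clicked in 2+ rounds:", repeat_clickers(SAMPLE_RESULTS))
```

On the constructed data the click rate falls from 75% in the first round to 25% in the later two, which is the kind of downward trend the article says managers should expect to see; the backlog and repeat-clicker views are what turns the exercise from a one-off test into a measurable, ongoing programme.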
Instead of the once-yearly box-ticking exercise that passes for security training in many organisations, phishing user training is regular and ongoing, which helps to embed a culture of security awareness and reduce the risk of scam emails that evade your technical defences.
Phishing is so sophisticated that it is no longer fair to say whoever falls for it is a fool — in reality, most messages could trick most of us if we’re caught off guard or we don’t know what to look out for.
In security, we have continually heard the refrain “people are the weakest link”, but that no longer means we have to just shrug and accept it. Visit www.phishingusertraining.com and take the first steps to making your people a vigilant last line of defence.
Ken Bagnall is managing director of The Email Laundry