Phishing, Security Awareness Training
Published:
Browse All Articles > Phishing, Security Awareness Training
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to get better.
First some definitions:
Social Engineering (SE) - Getting others to act or do an action they ordinarily might not do.
Smishing - Using SMS/Texting to conduct phishing.
DOX’ing – Documenting (doc’s) and profiling a target, to gain insight into how to SE them.
The old advice on Phishing needs to be updated. Spelling and grammatical errors are not a dead give away anymore. Phish are only getting better as criminals get more organized and offer more services (such as spell/grammar checks). Phishing is also getting easier with more and more frameworks being created. The frameworks are usually created with altruistic goals in mind, but as my other article points out, there are dualities associated with most security tools.
I will not delve into the many tools or frameworks, instead I will outline ways to improve your current Security Awareness Training (SAT). Most SAT is extremely boring, remedial and downright pedestrian. Most professional Phishing services have a "phishing splash page" to indicate to the users that they were phished. These splash pages are a good place to put information about your internal SAT resources as well as encourage users to report strange emails or phone calls.
To quote Verizon's 2016 Data Breach Investigations Report:
And being on the front-lines in security all these years I can tell you those numbers might be low. There is hope. Things do improve, especially when the teaching and reporting methods improve. Here are some quick Do's and Don'ts:
DO (expanded further down)
Training users to verify and to ask for some identifying information will vary from organization to organization. There should be procedures and training on what information is OK to talk about or divulge. Users should also know if they are allowed to transfer calls or give out organizational information.
Phishy Examples
Does Tim Smith still work for Jane Wilson? - Is that new diabetes drug ready for the FDA yet? - Can you transfer me to Francis in accounting... no I don't know his last name, can you connect me to anyone in accounting? - What antivirus is on your PC... I just got a new one and it's using Kaspersky which I hate already - Your company hasn't paid us in 5 months, I need to send you the invoice, what is your email address?
Those examples are all real questions posed to real users at various organizations and they are all designed to elicit information or further the knowledge the would be attacker has.
Breaking from convention:
Currently many organizations attempt to get a base-line of phishing failures with their own "sanctioned/internal" phishing campaign. They get their metrics like, "who clicked", "who entered data", "who executed payloads" etc... Some of these metrics are good and meaningful, others are sometimes harder to determine. Do not rely on your metrics to tell you how good or bad your company is doing. Tactics change all the time, and while your user base may have done well against last week's attacks, this week might be a different story. It only takes a few people to get phished to cause quite a few headaches, always assume you will not stop all phishing.
The main way our training breaks from most conventional training is we do not advocate telling users when an internal phish has occurred. We treat our internal phishing the same as the external phish the user receives, probably daily, We do the baseline, and then we retrain the users (all users, not only those that fail). A commonly used "splash page" is meant to give the users pause, and make them see very quickly that if that were a real phish, something bad could have happened. We find this makes the users complacent; some even began to click on links just to see if it was the internal phish! The phishing was done monthly, and the users turned it into a "game" of who could guess the internal vs a real phish.
Treat each phish like the real thing!
Further, we've found that users who are told that they have reported, or they have clicked on the internal phish get to feeling like they are being picked on, tricked, or simply "crying wolf". They feel this way because they have not been properly praised or properly "punished". We encourage our users to "spread the word" after IT confirms the email as a phish or unwanted interaction. Even our internal phishing is treated this way. We phish the user's, someone reports it, we confirm to the reporter that the email is a phish (we don't say it's OUR OWN phish), and that they should spread the word to others in their area that "subject xyz, from sender@example.com" is a phish. We instruct the users to either delete or filter the email.
Users can also get complacent when internal phish are all they see. They don't realize that is a "nice problem to have". Only getting company sanctioned phish means that they are being protected from all the other phish that they could potentially have. This is why we break from convention, and treat all phish like the real thing. You can still baseline from time to time, but the more proactive you and your users are, the better your numbers are going to be, and the sooner the user's work as a team of eyes and ears to sound the alarm.
Positive Reinforcement
It is tantamount to the success of your security awareness training that the users are rewarded for proper behavior. The proper behavior in this case is not that they don't click the link, or open the attachment. The proper behavior is reporting the email, even if they clicked the link or opened the email! You need to know that more than you need to know who did not click or open the attachment. And when they do report the email, or strange phone call, the users need to be given praise and accolades directly. It is not wise to call everyone's attention to one individual, but CC'ing a manager or supervisor after the 3rd or 4th report may be a good idea.
It's not that easy...
You're going to get false positives, and reports that are just run of the mill spam. Your response still has be encouraging and positive. And you will have to reply quickly to any and all reports. Staying positive can be difficult amid a bunch of false positives or "legitimate" emails that are being sent your way now. The users are trying to do their jobs by sending you what they think are suspicious emails. You have to do your job and go through them, and that won't be easy to do everyday.
Dissension
These items seem obvious to some. To others they don't think it can be correct because that's not how Vendor-X is doing it. Doing your security awareness training in a different way than what most people are used to can be a tough sell. We have great success internally and our clients agree that they have more success than they did before. Just because a huge name in the industry was doing it one way, does not mean they are totally wrong, there are other methods that can be effective and even improved upon in every industry.
Phishing PreText Examples:
• Authoritative, Threatening email
• Survey, Polling links
• Altruism, Donation, Call to Action emails
• Money Transfer, Tax/401k emails
• Hacked/Defaced account/website
• Financial, Banking, Invoicing,
• Package, Delivery, Ordering
• Arrest, Kidnapping, Criminal Record, Reporting
• Invitation, Pre-Release, "You've been selected..."
• Approval link, Review/Opinion
Those items listed above are all very common ploys used in real phishing emails; most are effective presently. Don't think they can't happen to you. Wait until you get a call from a user, and they say "I just talked to you guys and reset my password, it's not working again" and you have to say back to them "We didn't do a reset for you, who did you call?" - "Well you guys called me, and I told you the old password so you can reset the expired one to the same thing..." . Or when you do an internal phish, and you send a "new vpn client" out, and a Mac user replies to the email asking if you can send them a different file, the one he got doesn't work on OS-X when they click on it.
Phishing Advice for your workforce:
Phishing: the act of getting users to take an action they should or would not ordinarily do.
Phishing ploys often take these forms:
You can add the above to Outlook (not 365) and after changing the "TO" address. And possibly other double-quoted items above, then you have a good working "Phish Reporting" button!
Stay tuned, I'll publish some training for the users and link to it in this section.
Social Engineering (SE) - Getting others to act or do an action they ordinarily might not do.
- Most of us are helpful and trusting
- Tax time!, Disaster scams, Reputation or reporting scams (many expanded examples below)
Smishing - Using SMS/Texting to conduct phishing.
DOX’ing – Documenting (doc’s) and profiling a target, to gain insight into how to SE them.
- Using LinkedIn, Monster.com, FaceBook, Twitter, other Social Media, Phone Books, Public Records
The old advice on Phishing needs to be updated. Spelling and grammatical errors are not a dead give away anymore. Phish are only getting better as criminals get more organized and offer more services (such as spell/grammar checks). Phishing is also getting easier with more and more frameworks being created. The frameworks are usually created with altruistic goals in mind, but as my other article points out, there are dualities associated with most security tools.
I will not delve into the many tools or frameworks, instead I will outline ways to improve your current Security Awareness Training (SAT). Most SAT is extremely boring, remedial and downright pedestrian. Most professional Phishing services have a "phishing splash page" to indicate to the users that they were phished. These splash pages are a good place to put information about your internal SAT resources as well as encourage users to report strange emails or phone calls.
To quote Verizon's 2016 Data Breach Investigations Report:
In this year’s dataset, 30% of phishing messages were opened by the target across all campaigns. “But wait, there’s more!” (in our best infomercial voice) About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed. That indicates a significant rise from last year’s report in the number of folks who opened the email (23% in the 2014 dataset) and a minimal increase in the number who clicked on the attachment (11% in the 2014 dataset). The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds...
And being on the front-lines in security all these years I can tell you those numbers might be low. There is hope. Things do improve, especially when the teaching and reporting methods improve. Here are some quick Do's and Don'ts:
DO (expanded further down)
- Empower your users to say no, and feel OK about saying no to requests they find to be suspect.
- Train users on verifying people's identities over the phone or via email.
- Make sure users have a place to report suspect emails, phone calls, texts or persons.
- Help users understand that scammers and phishers are trying to exploit anyone they can, anyway they can.
- Reinforce good behavior, such as reporting phish/vishing emails/calls.
- Encourage users to talk to others in their area about suspect emails/calls/texts.
- Test everyone, from the CEO to the Janitors.
- Scold or single users out who click the test phish.
- Tell users to delete the emails as soon as they receive them.
- Let the C-Suite or others get a pass on any of your Security Awareness Training
- Let your users become "detectives"
Training users to verify and to ask for some identifying information will vary from organization to organization. There should be procedures and training on what information is OK to talk about or divulge. Users should also know if they are allowed to transfer calls or give out organizational information.
Phishy Examples
Does Tim Smith still work for Jane Wilson? - Is that new diabetes drug ready for the FDA yet? - Can you transfer me to Francis in accounting... no I don't know his last name, can you connect me to anyone in accounting? - What antivirus is on your PC... I just got a new one and it's using Kaspersky which I hate already - Your company hasn't paid us in 5 months, I need to send you the invoice, what is your email address?
Those examples are all real questions posed to real users at various organizations and they are all designed to elicit information or further the knowledge the would be attacker has.
Breaking from convention:
Currently many organizations attempt to get a base-line of phishing failures with their own "sanctioned/internal" phishing campaign. They get their metrics like, "who clicked", "who entered data", "who executed payloads" etc... Some of these metrics are good and meaningful, others are sometimes harder to determine. Do not rely on your metrics to tell you how good or bad your company is doing. Tactics change all the time, and while your user base may have done well against last week's attacks, this week might be a different story. It only takes a few people to get phished to cause quite a few headaches, always assume you will not stop all phishing.
The main way our training breaks from most conventional training is we do not advocate telling users when an internal phish has occurred. We treat our internal phishing the same as the external phish the user receives, probably daily, We do the baseline, and then we retrain the users (all users, not only those that fail). A commonly used "splash page" is meant to give the users pause, and make them see very quickly that if that were a real phish, something bad could have happened. We find this makes the users complacent; some even began to click on links just to see if it was the internal phish! The phishing was done monthly, and the users turned it into a "game" of who could guess the internal vs a real phish.
Treat each phish like the real thing!
Further, we've found that users who are told that they have reported, or they have clicked on the internal phish get to feeling like they are being picked on, tricked, or simply "crying wolf". They feel this way because they have not been properly praised or properly "punished". We encourage our users to "spread the word" after IT confirms the email as a phish or unwanted interaction. Even our internal phishing is treated this way. We phish the user's, someone reports it, we confirm to the reporter that the email is a phish (we don't say it's OUR OWN phish), and that they should spread the word to others in their area that "subject xyz, from sender@example.com" is a phish. We instruct the users to either delete or filter the email.
Users can also get complacent when internal phish are all they see. They don't realize that is a "nice problem to have". Only getting company sanctioned phish means that they are being protected from all the other phish that they could potentially have. This is why we break from convention, and treat all phish like the real thing. You can still baseline from time to time, but the more proactive you and your users are, the better your numbers are going to be, and the sooner the user's work as a team of eyes and ears to sound the alarm.
Positive Reinforcement
It is tantamount to the success of your security awareness training that the users are rewarded for proper behavior. The proper behavior in this case is not that they don't click the link, or open the attachment. The proper behavior is reporting the email, even if they clicked the link or opened the email! You need to know that more than you need to know who did not click or open the attachment. And when they do report the email, or strange phone call, the users need to be given praise and accolades directly. It is not wise to call everyone's attention to one individual, but CC'ing a manager or supervisor after the 3rd or 4th report may be a good idea.
It's not that easy...
You're going to get false positives, and reports that are just run of the mill spam. Your response still has be encouraging and positive. And you will have to reply quickly to any and all reports. Staying positive can be difficult amid a bunch of false positives or "legitimate" emails that are being sent your way now. The users are trying to do their jobs by sending you what they think are suspicious emails. You have to do your job and go through them, and that won't be easy to do everyday.
Dissension
These items seem obvious to some. To others they don't think it can be correct because that's not how Vendor-X is doing it. Doing your security awareness training in a different way than what most people are used to can be a tough sell. We have great success internally and our clients agree that they have more success than they did before. Just because a huge name in the industry was doing it one way, does not mean they are totally wrong, there are other methods that can be effective and even improved upon in every industry.
Phishing PreText Examples:
• Authoritative, Threatening email
• Survey, Polling links
• Altruism, Donation, Call to Action emails
• Money Transfer, Tax/401k emails
• Hacked/Defaced account/website
• Financial, Banking, Invoicing,
• Package, Delivery, Ordering
• Arrest, Kidnapping, Criminal Record, Reporting
• Invitation, Pre-Release, "You've been selected..."
• Approval link, Review/Opinion
Those items listed above are all very common ploys used in real phishing emails; most are effective presently. Don't think they can't happen to you. Wait until you get a call from a user, and they say "I just talked to you guys and reset my password, it's not working again" and you have to say back to them "We didn't do a reset for you, who did you call?" - "Well you guys called me, and I told you the old password so you can reset the expired one to the same thing..." . Or when you do an internal phish, and you send a "new vpn client" out, and a Mac user replies to the email asking if you can send them a different file, the one he got doesn't work on OS-X when they click on it.
Phishing Advice for your workforce:
Phishing: the act of getting users to take an action they should or would not ordinarily do.
Phishing ploys often take these forms:
- Urgent or time sensitive component (your taxes are late, money transfer pending etc...)
- Consequences or threatening element (you will be fined, you will be arrested, etc...)
- Poor grammer or spelling
- Links and or attachments are almost always present
Sub PhishForward()
Set objItem = GetCurrentItem()
Set objMsg = Application.CreateItem(olMailItem)
With objMsg
.Attachments.Add objItem, olEmbeddeditem
.Subject = "Possible PHISH"
.To = “security@company.com"
.Send
End With
' objItem.Delete 'uncomment if you want the email delted once FWD'd
Call MessageBox_vbOKOnly
Set objItem = Nothing
Set objMsg = Nothing
End Sub
Sub MessageBox_vbOKOnly()
'Variable Declaration
Dim OutPut As Integer
'Example of vbOKOnly
OutPut = MsgBox("Thank you for reporting this email to Security!", vbOKOnly, “Suspect Email")
End Sub
Function GetCurrentItem() As Object
On Error Resume Next
Select Case TypeName(Application.ActiveWindow)
Case "Explorer"
Set GetCurrentItem = Application.ActiveExplorer.Selection.Item(1)
Case "Inspector"
Set GetCurrentItem = Application.ActiveInspector.CurrentItem
Case Else
' anything else will result in an error, which is why we have the error handler above
End Select
Set objApp = Nothing
End FunctionYou can add the above to Outlook (not 365) and after changing the "TO" address. And possibly other double-quoted items above, then you have a good working "Phish Reporting" button!
Stay tuned, I'll publish some training for the users and link to it in this section.
OSCP certified, need I say more?
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)