Educating employees about how to spot phishing attacks can strike a much-needed blow for network defenders
Security by design has long been something of a holy grail for cybersecurity professionals. It’s a simple concept: ensure products are designed to be as secure as possible in order to minimize the chances of compromise further down the line. The concept has been expanded further in recent years to signify an effort to embed security into every part of an organization – from its DevOps pipelines to its employees’ day-to-day working practices. By creating a security-first culture like this, organizations will be both more resilient to cyberthreats and better equipped to minimize their impact if they do suffer a breach.
Technology controls are, of course, an important tool to help create this kind of deeply embedded security culture. But so too is phishing awareness training – which plays a hugely important role in mitigating one of the biggest threats to corporate security today and must be a staple in general cybersecurity awareness training programs.
Why is phishing so effective?
According to the ESET Threat Report T1 2022, email threats saw a 37-percent increase in the first four months of 2022 compared to the last four months of 2021. The number of blocked phishing URLs shot up at almost the same rate, with many scammers exploiting the general interest in the Russia-Ukraine war.
Phishing scams continue to be among the most successful ways for attackers to install malware, steal credentials and trick users into making corporate money transfers. Why? Because of a combination of spoofing tactics which help scammers impersonate legitimate senders, and social engineering techniques designed to hurry the recipient into acting without first thinking through the consequences of that action.
These tactics include:
- Spoofed sender IDs/domains/phone numbers, sometimes using typosquatting or internationalized domain names (IDNs)
- Hijacked sender accounts, which are often very difficult to spot as phishing attempts
- Online research (via social media) to make targeted spearphishing attempts more convincing
- Use of official logos, headers, footers
- Creating a sense of urgency or excitement that rushes the user into making a decision
- Shortened links that hide the sender’s true destination
- The creation of legitimate-looking log-in portals and websites
According to the latest Verizon DBIR report, four vectors accounted for the majority of security incidents last year: credentials, phishing, vulnerability exploitation and botnets. Of these, the first two revolve around human error. A quarter (25%) of total breaches examined in the report were the result of social engineering attacks. When combined with human errors and misuse of privilege, the human element accounted for 82% of all breaches. That should make turning this weak link into a strong security chain a priority for any CISO.
What could phishing lead to?
Phishing attacks have if anything become an even bigger threat over the past two years. Distracted home workers with potentially unpatched and under-protected devices have been ruthlessly targeted by threat actors. In April 2020, Google claimed to be blocking as many as 18 million malicious and phishing emails every single day globally.
As many of these workers head back to the office, there’s also a risk they will be exposed to more SMS (smishing) and voice call-based (vishing) attacks. Users on the move may be more likely to click on links and open attachments they shouldn’t. These could lead to:
What training tactics work?
A recent global study revealed that security training and awareness for employees is the top spending priority for organizations over the coming year. But once this has been decided, what tactics will provide the best return on investment? Consider training course and tooling that provide:
- Comprehensive coverage across all phishing channels (email, phone, social media, etc.)
- Entertaining lessons that use positive reinforcement rather than fear-based messages
- Real-world simulation exercises that can be tweaked by IT staff to reflect evolving phishing campaigns
- Continuous training sessions throughout the year in short bite-sized lessons of no more than 15 minutes
- Coverage for all employees including temps, contractors and senior executives. Anyone with network access and a corporate account is a potential phishing target
- Analytics to deliver detailed feedback on individuals which can then be shared and used to improve sessions going forward
- Personalized lessons tailored to specific roles. For example, finance team members may need extra guidance in how to deal with BEC attacks
- Gamification, workshops and quizzes. These can help to motivate users to compete against their peers, rather than feel they’re being “taught” by IT experts. Some of the most popular tools use gamification techniques to make training “stickier,” more user-friendly and engaging
- DIY phishing exercises. According to the UK’s National Cyber Security Centre (NCSC), some companies get users to build their own phishing emails, providing them with “a much richer view of the techniques used”
Don’t forget reporting
Finding the training program that works for your organization is a vital step towards turning employees into a strong first line of defense against phishing attacks. But attention should also be focused on creating an open culture where reporting of potential phishing attempts is encouraged. Organizations should create a simple-to-use, clear process for reporting and reassure staff that any alerts will be investigated. Users must feel supported in this, which could require buy-in from across the organization—not just IT but also HR and senior managers.
Ultimately, phishing awareness training should be just one part of a multi-layered strategy to tackle social engineering threats. Even the best-trained staff may occasionally be tricked by sophisticated scams. That’s why security controls are also essential: think multi-factor authentication, regularly tested incident response plans and anti-spoofing technologies like DMARC.