If you haven't received a phishing email in the last twelve months, then you are a rare breed indeed. Phishing has been rising for the past five years and is now a global problem; some sources, such as Verizon, cite it as the delivery mechanism for up to 90% of malware and ransomware.
In Q3 of 2019, Proofpoint reported that phishing attacks had quadrupled compared with the previous quarter.
We all know what phishing is, and hopefully we are all trying to educate our users and staff to be better at spotting suspected attacks. So why is this number still rising?
The answer is simple...
...because the chance of success is still so high, despite widespread awareness.
Where Are We Going Wrong?
At Advanced Cyber Solutions, we provide a managed phishing simulation and training programme, and have seen our fair share of successful and unsuccessful phishing attacks.
Phishing attacks remain prevalent for a multitude of reasons. Ultimately, however, we believe that organisations and IT teams are still only doing the basics to reduce their risk.
Here are five of the reasons we think most organisations are woefully under-prepared for the threat:
1. Reliance on One Vector/Type of Training
The most common cause of poor phishing readiness amongst the organisations we speak to is an over-reliance on a single type of training.
Typically this is a video or training module purchased from a training provider, with a short quiz at the end.
There are plenty of statistics to show that this type of training is close to useless on its own. Users skip the videos, leave the room while they play if attendance is forced, and generally gain little from them.
This type of training alone only seeks to tick a box for the compliance records.
In a recent engagement and subsequent phishing trial, we found that one unnamed UK-based organisation had used exactly this kind of training and was confident that it was protected. We ran a phishing simulation which resulted in a 60% click rate, with 25% of those targeted going on to enter their credentials on a fake login page.
2. Once Training is Done, it's Done
Time is a finite and heavily contested resource for any IT team or IT manager, so some areas inevitably get neglected more than others.
Often tied to point one, we find that once training has been completed, the focus is not renewed until something goes wrong. A common manifestation of this is that a new employee is required to sit through hours of training when they join, but never again for the rest of their employment.
At Advanced Cyber Solutions, we offer phishing simulation training services. At a minimum we run two phishing simulation campaigns a year to keep users sharp and to measure the actual level of phishing risk in that organisation.
3. Training and Simulations are not Tailored
When an attacker is preparing a phishing email, there are a number of techniques at their disposal to entice the highest possible number of clicks.
Some techniques include:
- Introducing a sense of time-based urgency, for example "your email account will be locked within 24 hours".
- Using money as a motivator, for example "you are due a refund from your local tax authority".
- Impersonating trusted organisations and using their logos.
- Tailoring the email to a particular job role or function.
The last one in the list is particularly cunning as it plays on the job role of the recipient to induce a level of trust.
A good example of this is sending late invoice payment requests to accounting teams.
Your users and employees are more susceptible to emails which do not naturally stand out from their day-to-day work. Sending phishing simulations or training scenarios related to someone else's job function is therefore unlikely to give a true picture of their risk.
4. Failing to Keep up with Changes
Where an organisation relies on one type of training, or trains only infrequently, we find that IT teams and their users quickly fall out of date on the latest threats.
For example, most of our customers and prospects are aware of phishing but may not have heard of smishing, its SMS-based equivalent.
SMS-delivered phishing is rapidly growing in popularity because there are fewer security filters and fewer ways for the recipient to check the source of a message. Spoofing the sending telephone number is also easier than spoofing an email sender.
5. An Over Reliance on Email Filters
So far, we have written about those who do have some form of training in place. But there is also a group that outright denies the possibility of receiving phishing emails because of the perceived adequacy of their email filtering solution.
We have no doubt that there are some very good email filtering solutions on the market; in fact, we have worked with a number of them over the years. However, relying solely on such a solution is foolish at best.
Phishing attacks do not succeed simply because the recipient had no email filtering in place: the messages that reach an inbox are, by definition, the ones the filter has already let through, and it is the user who has to make the final decision.
Phishing Simulation as a Service
Here at Advanced Cyber Solutions, we offer our customers a managed phishing simulation service for as little as £1-2 per user per month. Two, four or six times a year, we send a simulated phishing attempt into our customers' networks and measure the outcome.
Those who are fooled by the attempt are taken through a training scenario to improve their skills, and an overview risk report is delivered to management.
Each campaign is tailored to the recipient customer, based on the results of a questionnaire which we send before each campaign begins.
If you would like to learn more about our simulated phishing campaigns, or if you would like to run a trial, you can book a call with one of our product specialists.
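The points above come down to measuring three things and tracking them over time: how many recipients click, how many go on to hand over credentials, and which job functions and individual users keep falling for it from one campaign to the next. The following is an added example of how that measurement can be scripted; it is not Advanced Cyber Solutions' tooling or reporting format. The campaign names, users, job roles and outcomes are constructed sample data, and the "reported" column (a user who flagged the message to IT) is an extra metric this page does not discuss but which most simulation programmes track.

```python
"""Measure phishing-simulation campaigns: click rate, credential-submission
rate, report rate, breakdown by job function, and repeat clickers.

Example code added to this page, not the vendor's own tooling. All campaign
names, users, roles and outcomes below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    campaign: str    # campaign identifier, e.g. "2019-Q1" (constructed)
    user: str        # recipient (constructed)
    role: str        # job function the lure was tailored to
    clicked: bool    # followed the link in the simulated phish
    submitted: bool  # entered credentials on the simulated login page
    reported: bool   # reported the message to IT


# Constructed results for two campaigns against the same ten users.
SAMPLE = [
    # campaign,  user,    role,       clicked, submitted, reported
    Outcome("2019-Q1", "alice", "accounts", True,  True,  False),
    Outcome("2019-Q1", "bob",   "accounts", True,  True,  False),
    Outcome("2019-Q1", "carol", "accounts", True,  False, False),
    Outcome("2019-Q1", "dave",  "hr",       True,  False, False),
    Outcome("2019-Q1", "erin",  "hr",       False, False, True),
    Outcome("2019-Q1", "frank", "it",       False, False, True),
    Outcome("2019-Q1", "grace", "it",       False, False, False),
    Outcome("2019-Q1", "heidi", "sales",    True,  False, False),
    Outcome("2019-Q1", "ivan",  "sales",    True,  True,  False),
    Outcome("2019-Q1", "judy",  "sales",    False, False, False),
    Outcome("2019-Q3", "alice", "accounts", True,  False, False),
    Outcome("2019-Q3", "bob",   "accounts", False, False, True),
    Outcome("2019-Q3", "carol", "accounts", False, False, False),
    Outcome("2019-Q3", "dave",  "hr",       True,  True,  False),
    Outcome("2019-Q3", "erin",  "hr",       False, False, True),
    Outcome("2019-Q3", "frank", "it",       False, False, True),
    Outcome("2019-Q3", "grace", "it",       False, False, False),
    Outcome("2019-Q3", "heidi", "sales",    False, False, False),
    Outcome("2019-Q3", "ivan",  "sales",    True,  False, False),
    Outcome("2019-Q3", "judy",  "sales",    False, False, True),
]


def rates(outcomes):
    """Counts and per-delivered-message rates for a list of outcomes."""
    delivered = len(outcomes)
    clicked = sum(o.clicked for o in outcomes)
    submitted = sum(o.submitted for o in outcomes)
    reported = sum(o.reported for o in outcomes)
    return {
        "delivered": delivered,
        "clicked": clicked,
        "submitted": submitted,
        "reported": reported,
        "click_rate": clicked / delivered if delivered else 0.0,
        "credential_rate": submitted / delivered if delivered else 0.0,
        "report_rate": reported / delivered if delivered else 0.0,
    }


def campaign_rates(results, campaign):
    """Headline figures for one campaign (the numbers a risk report quotes)."""
    return rates([o for o in results if o.campaign == campaign])


def rates_by_role(results, campaign):
    """Per job function, so the next lure can be tailored to the weakest group."""
    groups = defaultdict(list)
    for o in results:
        if o.campaign == campaign:
            groups[o.role].append(o)
    return {role: rates(group) for role, group in sorted(groups.items())}


def repeat_clickers(results):
    """Users who clicked in more than one campaign: candidates for retraining."""
    clicks = defaultdict(set)
    for o in results:
        if o.clicked:
            clicks[o.user].add(o.campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) > 1)


def trend(results):
    """Click rate per campaign, in campaign-name order, to show whether
    repeated simulations are actually reducing risk."""
    names = sorted({o.campaign for o in results})
    return [(n, campaign_rates(results, n)["click_rate"]) for n in names]


if __name__ == "__main__":
    for name, rate in trend(SAMPLE):
        print(f"{name}: click rate {rate:.0%}")
    print("repeat clickers:", ", ".join(repeat_clickers(SAMPLE)))
    for role, r in rates_by_role(SAMPLE, "2019-Q3").items():
        print(f"  {role:9s} clicked {r['clicked']}/{r['delivered']}")
```

Rates are computed per delivered message rather than per clicker, so the credential figure answers "what fraction of staff would have handed over a password" rather than "how many clickers kept going"; report both if management asks for the other. The per-role breakdown is what makes tailoring possible: in the constructed data every accounts user clicked the first lure, which is exactly the group an attacker would target with a late-invoice pretext.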