Phishing is acknowledged as the foremost threat in cyber security and so, quite rightly, organisations want to protect themselves against it. The danger lies in its ability to use emails to go directly to the ordinary user, bypassing cyber security protections and personnel.
Most products marketed today to stop phishing involve training users, and in most people’s minds that means sending fake phishing emails to your own staff. The solutions supply training material and tell you who clicked the fake emails. Over time the “click rate” falls, which appears to show an improving ability to spot phishing. It seems an elegant solution, and it is very big business: the industry leader, Cofense, is mandated for compliance reasons in most UK financial institutions. Yet research by the UK’s National Cyber Security Centre (NCSC) shows that after two years of cyber training people are at the same level of awareness as when they first started. That is hardly good value for money if you are running a business and relying on staff awareness to mitigate cyber threats.
So what are the factors that matter?
An impossible task
First things first. No training package can teach users to spot every phish. Spotting phishing emails is hard. Spotting spear phishing emails is even harder. Even the NCSC experts struggle. However, many of the standard templates used in training packages are based on spotting standard signs, such as poor spelling and grammar. (Bad guys can spell, and everyone else can make spelling mistakes.) This can give users a false sense of comfort, because the phishing emails they face in training are easy to spot. Sometimes the bad guys mis-spell deliberately, as a form of filter.
In this example of a real phishing email that we detected (left), the phishers are imitating the Amazon brand with the aim of getting users to click the yellow call-to-action button. This takes the user to a fake page where their credentials are captured. Some of you will notice that “customers” and “instructions” are spelt incorrectly. Most would assume that the senders are uneducated and prone to mistakes.
However, it is just as likely that the mistake is a filter to separate readers who speed-read from those who don’t. If you don’t notice it, you are more likely to click the link and follow the instructions that come next. The filter’s other aim is to be so obvious that users who do notice the mistake decide it isn’t worth reporting. This allows the phishing page to stay up and active for longer before the authorities notice it.
Another big issue is that users cannot remain vigilant all the time, even if there were clear signs to look out for. Being aware of the threat from phishers whilst at your desk (where users are probably most aware of the risk) is hard enough. But phishing can happen anywhere and at any time, and people respond to emails on their phones and tablets and outside core hours. Because of limited screen space, mobile phones show less of the information a user would need to judge an email, and that gets the phishers more clicks per thousand emails sent. Clicks happen.
Responding to emails and clicking on links is an integral part of work. Attempting to stop the habit of clicking is not only extremely difficult, but is it what you want? Asking users to stop and consider every email in depth won’t leave enough hours in the day to do their jobs. At Egress we emphasise real-time detection, so that the threat can be flagged to the user before they click on a phishing email and cause serious damage.
The lure of metrics
Phishing simulations aren’t just about training. They are also popular because they produce a metric (e.g. ‘Last week 70% of people fell for our phish, this week only 40% fell for it’). It appears really encouraging, since it appears to show that something is being achieved, but unless you’re careful you might just end up wasting time and effort.
Metrics are extremely difficult to come by in the security space, and a clear, quantitative metric that appears to show progress in an area you care about can be very seductive. But is it really telling you anything about your company’s defences against the real threats? The risk of living or dying by this single metric becomes clear when you make the test emails more sophisticated, for example to test spear phishing: that will do terrible things to your click rate. You can get any result you want by adjusting the emails you send out, which is hardly an objective measure of your defences. And if you are on the receiving end of a metric that shows a vast improvement, you should be asking some very probing questions about how the simulation was designed, because it is likely that the emails are simply too obvious.
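To make the point concrete, here is an added worked example (not code from the original post or from Egress) that audits a simulation’s headline click rate against the mix of templates that produced it. All template names, send counts and click counts below are constructed for illustration. It shows how a headline figure can fall from 70% to 40% with no change at all in how staff respond to any given difficulty of email, purely because the second campaign mixed in easier templates.

```python
"""Audit a phishing-simulation click rate against its template mix.

Added example; every figure here is constructed, not real campaign data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TemplateResult:
    template: str    # constructed template name
    difficulty: str  # "easy" (obvious lure) or "hard" (spear-phish style)
    sent: int
    clicked: int


def overall_click_rate(results):
    """Headline metric: clicks / emails sent across every template."""
    sent = sum(r.sent for r in results)
    clicked = sum(r.clicked for r in results)
    return clicked / sent if sent else 0.0


def click_rate_by_difficulty(results):
    """Stratified metric: click rate per difficulty band."""
    totals = {}
    for r in results:
        s, c = totals.get(r.difficulty, (0, 0))
        totals[r.difficulty] = (s + r.sent, c + r.clicked)
    return {d: c / s for d, (s, c) in totals.items() if s}


def template_mix(results):
    """Share of the campaign's volume sent per difficulty band."""
    sent = sum(r.sent for r in results)
    mix = {}
    for r in results:
        mix[r.difficulty] = mix.get(r.difficulty, 0) + r.sent
    return {d: n / sent for d, n in mix.items()} if sent else {}


def audit(before, after):
    """Compare two campaigns on the headline metric and on the
    difficulty-adjusted view a reviewer should ask for."""
    strat_before = click_rate_by_difficulty(before)
    strat_after = click_rate_by_difficulty(after)
    return {
        "headline_before": overall_click_rate(before),
        "headline_after": overall_click_rate(after),
        "headline_improved": overall_click_rate(after) < overall_click_rate(before),
        # Genuine improvement only if every band shared by both campaigns fell.
        "adjusted_improved": any(
            strat_after[d] < strat_before[d] for d in strat_before if d in strat_after
        ),
        "mix_before": template_mix(before),
        "mix_after": template_mix(after),
    }


# Constructed campaigns: week 1 sends only hard templates; week 2 halves the
# hard volume and fills the gap with an easy lure. Per-band behaviour is
# identical in both weeks (hard: 70% click, easy: 10% click).
WEEK_1 = [TemplateResult("ceo-urgent-transfer", "hard", 1000, 700)]
WEEK_2 = [
    TemplateResult("ceo-urgent-transfer", "hard", 500, 350),
    TemplateResult("free-gift-card", "easy", 500, 50),
]


if __name__ == "__main__":
    report = audit(WEEK_1, WEEK_2)
    print(f"headline: {report['headline_before']:.0%} -> {report['headline_after']:.0%}")
    print("headline improved:", report["headline_improved"])
    print("difficulty-adjusted improved:", report["adjusted_improved"])
    print("template mix:", report["mix_before"], "->", report["mix_after"])
```

The useful output is the pair of booleans: the headline metric “improves” while the difficulty-adjusted comparison does not, which is exactly the probing question to put to whoever designed the simulation.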
The consequences of blaming users
In trying to combat targeted phishing, many organisations try to improve results by blaming and shaming their staff. They believed that if users were blamed or punished for clicking phishing emails, they would somehow be able to spot them next time around (and if they clicked again, the answer was more punishment). Quite simply, this does not work, and it can cause a great deal of distress and even distrust between users and security teams. Many large banks try a “three strikes and you’re out” approach. Using HR and disciplinary procedures against users who are not employed to be cyber security experts makes no sense. Phishing simulations should never be used as a tool to catch people out.
Think about why you want to do training. Stopping a user to explain how they should have spotted your fake phish just after a click intuitively seems like a good idea, but if you lock someone’s IT until they complete a lengthy course, you are causing a massive disruption to their working day. If you shame them in front of their colleagues, you destroy their morale and they become less productive. Whatever you do, remember that no training technique will get your users to recognise every phish. It is also essential that you don’t spend your entire budget on training when you need to invest in multiple layers of defence to build a solid defence against phishing.
With many businesses moving to the cloud for the productivity advantages, including cloud-based email like Office 365 and G-Suite, the threat environment has also changed. The phishers now have numerous ways to trick or deceive your users. Most of the attacks are credential phishing, where the emails are designed to trick users into giving up their Office 365 passwords without realising. Trying to train users to spot some of the attacks we see, like double from attacks, calendar attacks and white space attacks, would be impossible: the threat is hidden from the user, and obfuscation is used to fool machine scanning. Only the very latest Cloud Email Security Supplements (CESS), designed to secure the cloud-based email environment, can detect these new threats. Our solution, Egress Defend, was shaped and guided by GCHQ. If you are looking for a better way to detect the threat from phishing while keeping your users’ awareness high, please contact us.