Phishing attacks may be the most common form of cyber-attack, but that doesn’t mean you’re helpless in the face of the threat. With Cyber Awareness Month under way, now is a great time to test your employees. One of the most effective ways to reduce the risk posed to your organisation is to run cyber security phishing tests that help your employees learn what they should keep an eye out for.
Phishing tests come in various levels of sophistication. Companies such as start-ups that are just beginning their cyber security awareness journey will likely opt for a basic test that simply measures how cyber aware employees are. Companies with a mature cyber security posture, meanwhile, can carry out more advanced testing that factors in the human element of cyber security and other security measures such as Multi-Factor Authentication (MFA).
The most basic phishing tests are used by organisations to send realistic but fake phishing emails to employees to see how well they react. The ideal outcome of such a test is that every recipient either reports the suspect email to the IT or security team or deletes it.
Used alongside other types of cyber security awareness training, these tests can help employees identify phishing attempts before any damage is done to the organisation. However, the main purpose of this type of engagement is essentially statistics gathering for the board; it offers little real security value compared with more modern testing, which exercises all of an organisation’s security controls from the perspective of an advanced phishing campaign.
Typically, businesses hire security companies to deliver phishing engagements, but as Integrity360’s Principal Architect Zach Fleming says, “In terms of the traditional testing that just tracks clicks, credentials entered etc., there’s not a huge amount of value. However, in the more modern approach to this type of testing, which factors in MFA and incorporates malware/payload delivery, there is plenty, as they are more accurate to real world scenarios. Companies (ideally) now need to have more of a focus on testing how robust their security controls are to gain more accurate insights. Modern phishers use tools designed to bypass MFA; newer testing simulates this with much more realism and allows a company to test their overall email security controls and endpoint controls.”
There are a few methods you can use to spot phishing emails, but bear in mind that phishing attacks come in a wide variety of forms, some far more sophisticated than others.
Sometimes a phishing email will claim to be from a well-known organisation and use its logos to appear more professional. Is the design quality what you would expect from that sender? Check the email headers, or flag the message to your internal IT department. Phishing emails can easily spoof the visible sender address to make it seem legitimate.
If an email is not addressed to you by name, it could be a sign that the sender doesn’t know you and is simply hoping to get lucky. If it is addressed to you directly but still looks suspicious, you may be the target of a spear phishing campaign.
You should be instantly suspicious of any email making demands or threats. Never give out your details. Anti-spoofing mitigations such as the Domain-based Message Authentication, Reporting and Conformance (DMARC) email standard can be used to protect against spoofing of your own domain.
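As an added illustration of the header check and the DMARC result mentioned above (this is example code, not from the original article or from Integrity360): a small Python triage that reads the receiving mail server’s Authentication-Results header from a constructed sample message, extracts the SPF/DKIM/DMARC outcomes for the visible From domain, and also flags the urgency wording the article discusses later. The sample message, domains and addresses are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): the display name imitates a brand,
# but the receiving server recorded SPF/DKIM/DMARC failures for it.
SUSPECT_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail (p=reject) header.from=brand.example
From: "Brand Support" <support@brand.example>
To: employee@example.net
Subject: URGENT: confirm your payment details today

Please sign in now to avoid account suspension.
"""

URGENCY_WORDS = ("urgent", "important", "immediately", "suspended")


def parse_auth_results(msg):
    """Map spf/dkim/dmarc -> result from the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I)}


def from_domain(msg):
    """Domain of the RFC 5322 From address (what the recipient actually sees)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a verdict and the reasons behind it, following the checks in the text."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    dom = from_domain(msg)
    reasons = []
    if auth.get("dmarc", "none") != "pass":
        reasons.append(f"DMARC did not pass for From domain {dom or '<missing>'}")
    if auth.get("spf", "none") != "pass" and auth.get("dkim", "none") != "pass":
        reasons.append("neither SPF nor DKIM passed: sender is unverified")
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        reasons.append("urgency language in subject: " + ", ".join(hits))
    verdict = "report" if reasons else "no obvious indicators"
    return {"from_domain": dom, "auth": auth, "verdict": verdict, "reasons": reasons}
```

Run `triage(SUSPECT_EMAIL)` to see the sample flagged for reporting; a message whose header records `spf=pass`, `dkim=pass` and `dmarc=pass` and carries no urgency wording comes back with no indicators.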
Be wary of emails that appear to come from someone senior in your organisation requesting the transfer or payment of funds to a specific bank account. If handling money isn’t part of your job, report such a request immediately.
Other things to consider include:
Check the email address
If you receive an unsolicited email claiming to be from a company, the easiest way to check whether it’s legitimate is to search for the company online. Be aware, however, that threat actors can and do create fake sites and spoofed addresses to get around this. If searching for the sender’s name leads you to a shoddy-looking website or turns up nothing, you can assume the email was sent by a scammer.
Don’t click that link
Often the objective of a phishing scam is to trick you into clicking a malicious link or downloading a harmful file. Such links frequently lead to malware that goes on to infect your device; ransomware often spreads this way. Always bear in mind that if something appears too good to be true, it probably is.
The message creates a sense of urgency
A favourite strategy used against businesses is for the attacker to pose as the human resources or finance department in order to create a sense of urgency around the messages they send. Attackers have learned to prey on people’s concerns, often using words such as ‘important’ or ‘urgent’ in their messages. If you receive such an email, it’s natural to want to know what it contains, and that is exactly what they are counting on.
Another aspect companies need to be aware of when it comes to phishing and other cyber threats is the threat posed by disgruntled employees, or others on the inside, who wish to harm the organisation.
“It is becoming increasingly more popular that some criminal groups are resorting to bribing employees. There are plenty of online forums both on the Dark Web and Clearnet that advertise and offer payments to company employees for access credentials or passwords. Such a tactic is very very low risk and high reward for a disgruntled employee as there is typically no punishment for essentially being "bad" at security awareness and such a thing would be quite difficult to prove. Having one of the more modern types of phishing engagements in my opinion is an absolute must now as it is the most common way threat groups obtain initial access. Eliminating the insider threat entirely is impossible, but companies can reduce it by keeping their employees happy, but that’s an entirely different topic,” says Zach.
Companies should widen their defences and not rely on phishing exercises alone to keep them secure. Instead, they should run exercises that test all aspects of their security and take a stance that assumes they have already been breached. If a user falls for a sophisticated phishing attack and downloads a harmful file, that file can go undetected without triggering any alerts, so how would you know you have been breached?
By taking an assumed-breach position, a company can plan for when the worst occurs and minimise any damage caused.
A multi-layered defence includes:
Ideally, all companies should be doing all of the above. The only ones less likely to do so are small businesses of little value to attackers, i.e., those that don’t have much capital to pay a ransom or don’t process any valuable sensitive information.
Making it as easy as possible for employees to report suspicious emails is key, and a culture in which they feel they can confidently make such reports is vital. The worst thing a company can do when it comes to cyber security is to instil a culture of fear, as that allows threats to slip through the net and increases the likelihood of a compromise.
If you need to arrange a phishing exercise or need consultation on your cyber security, get in touch with our experts today!