Phishing remains one of the most common and effective forms of cyber-attack. Its use has grown sharply since the start of the COVID-19 pandemic, fuelled by increased reliance on digital communications and a string of emotive events that served as effective lures. In February 2022, Proofpoint research found that more than nine in 10 (91%) UK organizations had been successfully compromised by an email phishing attack in 2021, underlining its ongoing potency.
Such compromises can pose major problems for organizations. “When phishing is used to steal login credentials, it opens up a world of possibilities for the cyber-criminals and a world of hurt for the impacted individual or business,” explained David Richardson, VP of product management at Lookout. “With one set of credentials, bad actors can then try to log in to a number of common cloud-based services such as Microsoft 365, Google Workspace, AWS, Salesforce, etc. Once they’ve successfully logged in to one of these accounts, they can move laterally within an organization and find highly sensitive and valuable information to either encrypt for ransom or exfiltrate to sell on the dark web.”
While there are a growing number of security tools designed to prevent phishing messages from reaching recipients, this issue remains, at its core, a human one. Therefore, a focus on awareness training is key to tackling this ongoing scourge. Too often, however, organizations only pay lip service to training in this area, such as setting up annual phishing simulations and other tick-box exercises.
This is why phishing is one of the focuses of this year’s European Cybersecurity Month, under the theme ‘Think Before U Click!’, which highlights the need for users to be equipped with the knowledge to avoid attackers’ traps.
Here are five steps organizations can take to enhance their phishing training, achieving greater employee engagement and effectiveness.
Explain the Why
In addition to showing staff how to detect and react to potential phishing emails, it is also vital that organizations explain why these measures are necessary. In an interview for the October 2022 IntoSecurity podcast, Jessica Barker emphasized the importance of ensuring awareness messaging is relevant to people’s lives, which makes them much more likely to adhere to recommendations. “Rather than telling people what to do or what not to do, it’s much more helpful to frame it from coming from that context of why we’re making those recommendations,” she noted.
This principle can also be applied to specific training activities. Javvad Malik, lead security awareness advocate at KnowBe4, commented: “The security team should be upfront and let their colleagues across the organization know why they are conducting simulated phishing and how it benefits everyone as a whole. Getting people to understand the reasoning behind an activity can greatly reduce the resistance.”
Short but Frequent
Organizations should carefully consider how training is delivered and how often. For example, research on ‘microlearning,’ short sessions of five- to 10-minute modules, has found that it significantly improves retention compared with a single lengthy session of up to an hour. These bite-sized sessions are also far easier to fit into employees’ busy workdays.
Therefore, experts believe that short but frequent phishing training sessions are most effective at ensuring messaging sticks and changing behaviors. Malik said: “Organizations don’t need to try and boil the ocean at once by giving long training sessions on do’s and don’ts. Rather, they can focus on a couple of high-risk behaviors and use small, engaging content on a more frequent basis that reinforces the message. Ultimately, the goal is to change behavior, not to make people security experts. So if the desired behavior can be reinforced through the messaging, it can lead to greater results.”
Teach Cynicism
Cynicism is not always a virtue in life, but it is often crucial in cybersecurity. A fundamental attitude to instil in employees is to be suspicious of certain types of email and not to rush to respond to them. This is recognized in this year’s Cybersecurity Month theme of ‘Think Before U Click.’ Lookout’s Richardson said: “Phishing attacks have continued to evolve in techniques and sophistication, but the basic approach of trying to create a sense of urgency or impersonating a figure of trust or authority has remained pretty constant. When contacted in this manner, it’s important to take a step back, evaluate the situation and find alternative ways to validate the request.”
Phishing messages are generally designed to create a sense of urgency or panic, focusing on topics of tension or concern, such as COVID-19, and demanding immediate action. Tal Memran, cybersecurity expert at CYE, explained: “The content of the email is often phrased in a way that pressures the recipient, i.e. if you don’t respond within a certain time limit, your access would be revoked.”
Other suspicious signs highlighted by Memran are when the email includes an attachment with deliberate instructions to open it and the body of the message contains a link, “usually a shortened one for you to click on, and in most cases would ask you for a set of credentials.”
There are a number of actions that can be taken to assess the validity of these types of messages. One is to check the domain the email was sent from: attackers often register look-alike domains that impersonate well-known brands. “Carefully examine the domain for any purposeful typos,” advised Memran.
Another easy technique is to hover the cursor over any link in the email to reveal its actual destination and check whether that matches the legitimate website the link claims to point to. The real address of the organization can also be cross-referenced using a reputable search engine rather than trusting the link itself.
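The two checks just described, inspecting the sender's domain for deliberate typos and comparing a link's visible text with where it really goes, can be scripted for a triage queue. The following is an added example and is not code from the article or from any of the quoted experts; the trusted-brand list, the shortener list, the confusable-character table and the sample message are all constructed for illustration, and the domain handling uses a last-two-labels simplification rather than a public-suffix list:

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: brands the organization expects mail from,
# a few public URL shorteners, and character swaps used to fake brand names.
TRUSTED_DOMAINS = ("microsoft.com", "google.com", "paypal.com", "salesforce.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def registrable_domain(host: str) -> str:
    """Last two labels only ('login.microsoft.com' -> 'microsoft.com'); no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    name = dom.split(".")[0]
    normalised = name
    for fake, real in CONFUSABLES.items():
        normalised = normalised.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.split(".")[0]
        if re.search(r"(^|\.)" + re.escape(trusted) + r"(\.|$)", host):
            return trusted  # brand buried in a subdomain: login.microsoft.com.evil.net
        if normalised == tname or tname in normalised:
            return trusted  # confusable characters or padding: micros0ft-support.com
        if edit_distance(name, tname) <= 1:
            return trusted  # one-character typo: gogle.com, paypall.com
    return None

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs; the href is what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_link(text: str, href: str) -> list:
    """Flags for one link: shortener, visible text vs real destination, look-alike host."""
    flags, host = [], urlparse(href).hostname or ""
    dest = registrable_domain(host)
    if dest in SHORTENERS:
        flags.append("shortened-url")
    shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    if shown and registrable_domain(shown.group(1)) != dest:
        flags.append("text-href-mismatch")  # text names one site, link goes to another
    if imitated := lookalike_of(host):
        flags.append("lookalike-of:" + imitated)
    return flags

def analyse_email(raw: str) -> dict:
    """Parse a raw RFC 5322 message and run the checks on its sender and every link."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["from"]
    sender_host = sender.addresses[0].domain if sender and sender.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    links = [{"text": t, "href": h, "flags": check_link(t, h)} for t, h in collector.links]
    sender_flag = lookalike_of(sender_host)
    return {"sender_domain": sender_host, "sender_lookalike_of": sender_flag, "links": links,
            "suspicious": bool(sender_flag) or any(link["flags"] for link in links)}

# Constructed sample (not a real message): urgency, a confusable sender domain, a shortened
# link whose text claims to be Microsoft, a brand hidden in a subdomain, and one genuine link.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@micros0ft-support.com>
Subject: Action required: your access will be revoked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in within 24 hours or lose access.</p>
<p><a href="https://bit.ly/3xAmple">https://login.microsoft.com/reset</a></p>
<p><a href="https://login.microsoft.com.evil.net/">Review account</a></p>
<p><a href="https://www.microsoft.com/security">Microsoft security tips</a></p></body></html>
"""
```

Running `analyse_email(SAMPLE_EMAIL)` flags the sender as a look-alike of microsoft.com, the first link as both shortened and mismatched against its visible text, the second as a brand name buried in an attacker's subdomain, and leaves the genuine Microsoft link unflagged. The heuristics deliberately err on the side of flagging; they are a prompt for the human "step back and verify" the article recommends, not a verdict.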
Straightforward Reporting Processes
The process of reporting a potential phishing message should be as simple as possible, ideally a single button click. “If people have to raise a ticket or phone someone, or otherwise take an action which inconveniences them, it won’t be taken,” noted KnowBe4’s Malik.
The security team should then acknowledge every report of a suspicious message, whether or not it turns out to be a phishing attack. This encourages future vigilance and shows reporters that their contributions are helping the organization. Malik added: “The security team should provide feedback whenever a person reports an issue. Even if it’s a false positive, thanking the person encourages greater engagement in the future.”
Record Phishing Attacks
To enhance employees’ awareness and understanding of phishing, security teams should publicize attempts discovered within the organization following employee reports. Memran said: “Make sure to frequently inform your employees about widely known and used phishing campaigns to increase their alert level for suspicious emails.”
This includes sending the email itself to staff as an alert, once made safe, to ensure they are on the lookout for the same type of message. “Phishing schemes often target multiple people in an organization, so letting fellow staff members know what to look out for can make it easier to spot and stop phishing,” commented Paul Bischoff, consumer privacy advocate at Comparitech.
This approach also builds up a record of the phishing techniques used against the organization, which can be analyzed for trends and fed back into the awareness training so that it stays current.