Phishing is a thing most of us are painfully familiar with day to day. It’s fairly well understood to be the easiest and most common path to a breach. So why is it so easy? It’s simple: people don’t pay attention to what they’re doing for most of the work day. Is that to say that very complex phishing attempts would fool almost anyone? Of course they would, but I’ve been doing phishing testing at my company for the last few years and in practice it’s far less complex than most people realize.
I’ve worked with a few phishing testing and awareness training vendors, and I have books on game theory and social engineering. But I could make a simple email from the wrong company domain, with a giant tag across the top of the email saying “This is from an external contact, please be cautious of clicking links or opening attachments, WARNING!!”, fill the body out with a misspelled request to validate your password at crapsite.co.com.xxx.guru/fake-password-stealer.html, and I’ll still get 10%+ of the users handing over their passwords within an hour. Insert mental image of me facepalming at my desk here.
They all get awareness training, we run testing campaigns with education, and we have a security awareness week with fun prizes. But once they’re out of that bubble, it’s a click party. Even when following up on reports from our email security provider about phishing that does get through, you can ask the users and they’ll say, “but that’s a vendor of mine”. When you pull up the email, it’s nothing close to anyone they deal with. Doesn’t matter, they click anyway.
Considering you might really only need one person to click and give away credentials, load your malware, etc., how do you really solve this? If I knew how to get this number down to zero without smashing the email servers with a hammer I wouldn’t be writing a blog post, I’d be swimming in my Scrooge McDuck money bin.
How about aiming a little lower? While it pains me to write that, understand it’s never going to be perfect; aim for better than yesterday, and eventually, at least not worse than yesterday. There are some technical controls, but as long as users can get email from outside, you’re likely going to deal with this problem. Never mind phishing that comes from a real vendor that has been compromised; that’s another ball of wax entirely.
Ideas that have been helpful for me:
- Banners for external mail
- More training
- Sharing stories of actual cases
- Simplify the reporting process
- Positive reinforcement
- Consequences
A little more detail on the above ideas:
- Banners for external mail – I touched on this earlier, but basically tag any email that isn’t sourced internally from your domain with some sort of obvious external marker. The banner only means something if mail that claims your own domain but arrives from outside is blocked at the gateway (SPF/DKIM/DMARC checks on your own domain); otherwise an attacker just spoofs your domain and gets no banner at all. Will some people ignore it? Sure they will, but some won’t, and if you solve a little bit at a time it does add up.
- More training – Training needs to be interesting and engaging. If all the users have to do is click Next five times and they’re done for the year, you might pass compliance, but you’re no more secure than you were before the training.
- Sharing stories of actual cases – This one didn’t even occur to me until I was running a tabletop exercise recently and someone from outside IT suggested it. They felt that through the tabletop they were learning so much, and that they had had no idea how real the threats were. Make the stories somewhat generic if you need to so people don’t get mocked, and don’t be afraid to share good stories of users catching crafty emails. Everyone loves a pat on the back; we did this recently and sent out a company-wide email newsletter with details and got a lot of positive feedback.
- Simplifying the reporting process – If a user has a questionable email, how hard is it for them to ask for help? If they have to call up and admit they made a mistake, they are less likely to do it. If they email it to the help desk and never hear back, expect them to never do it again. Many phishing providers (there are also free ones out there) make buttons for most email clients that let users send an email in to be inspected with a single click. Make sure the button forwards the original message intact, as an attachment with its headers, so whoever inspects it can see the real sender, the Authentication-Results, and the links rather than a hand-forwarded copy. Bonus points if they click it during a real phishing test and it doesn’t bother creating a ticket, and instead congratulates the user for a good catch.
- Positive reinforcement – There is a bit of this sprinkled into the earlier suggestions. But if people know they can come to you, even if they’ve clicked and think they’ve done something wrong, it’s going to go a lot further in building a relationship and having them learn the right thing than just yelling at them for mistakes. Some people use different types of rewards; know your own company and market and figure out what works, but even just thanking people for reporting issues can work wonders.
- Consequences – More in the stick than the carrot category: harsh consequences for your actions. Not really my favorite way to approach it, but if I have someone who has done training repeatedly, been talked to, had it all explained, and still clicks on everything that is put in front of them, then sometimes you have to work your way up the org chart a bit. I once saw another business unit’s HR staff fall for a phish and send all their employees’ W-2s out via email. The user was fired. I found out and immediately went to the “was she trained?” or even “why was the email able to be spoofed and get through?” line of thought. Extreme consequence, but you can bet that every other person in that department was hawk-eyed afterwards. Not my preferred method, but that one was far out of my hands.
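To make the two technical ideas in that list concrete (the external banner, and a report button that recognizes a simulation without creating a ticket), here is an added example written for this page. It is not the author's tooling or any vendor's product. It assumes the company domain is example.com, that the edge MTA stamps Authentication-Results with the authserv-id mx.example.com and strips any inbound header claiming that id, that internal mail is DKIM-signed by example.com, and that the simulation platform marks its mail with an X-Phish-Simulation header carrying an HMAC of the Message-ID under a secret shared with the vendor. Those names, headers and the sample messages are all assumptions or constructed for the example, not taken from the post.

```python
"""Inbound mail classification with external banners and report-button triage (added example)."""
import email
import hashlib
import hmac
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumption: the company's own domain
AUTHSERV_ID = "mx.example.com"       # assumption: authserv-id our edge MTA writes
SIM_SECRET = b"rotate-this-secret"   # assumption: secret shared with the simulation vendor

EXTERNAL_BANNER = ("[EXTERNAL] This message came from outside the organization.\n"
                   "Do not click links or open attachments unless you recognize the sender.")
LOOKALIKE_BANNER = ("[EXTERNAL - LOOKALIKE DOMAIN] This domain resembles ours but is not ours.\n"
                    "Treat it as phishing until verified out of band.")

def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)

def sender_domain(msg):
    """Domain of the From address, lowercased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def authenticated_internal(msg):
    """True only if OUR MTA recorded a DKIM pass for the internal domain. Relies on the
    MTA stripping inbound headers that claim our authserv-id (RFC 8601 section 5)."""
    for hdr in msg.get_all("Authentication-Results", []):
        value = str(hdr)
        if (value.split(";", 1)[0].strip() == AUTHSERV_ID
                and "dkim=pass" in value
                and f"header.d={INTERNAL_DOMAIN}" in value):
            return True
    return False

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 flags typosquats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(msg):
    """'internal', 'spoofed-internal', 'lookalike' or 'external'."""
    domain = sender_domain(msg)
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return "internal" if authenticated_internal(msg) else "spoofed-internal"
    # our name buried in a longer domain (example.com.xxx.guru) or a near-miss spelling
    if INTERNAL_DOMAIN in domain or edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        return "lookalike"
    return "external"

def prepend_banner(msg, banner):
    """Put the banner at the top of every text/plain part (HTML parts not handled here)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            part.set_content(banner + "\n\n" + part.get_content())

def handle_inbound(msg):
    """Gateway decision: drop mail that spoofs our domain, banner everything else external."""
    verdict = classify(msg)
    if verdict == "spoofed-internal":
        return verdict, "reject"
    if verdict == "lookalike":
        prepend_banner(msg, LOOKALIKE_BANNER)
    elif verdict == "external":
        prepend_banner(msg, EXTERNAL_BANNER)
    return verdict, "deliver"

def simulation_tag(message_id):
    """Marker the simulation platform is assumed to put in X-Phish-Simulation."""
    return hmac.new(SIM_SECRET, message_id.strip().encode(), hashlib.sha256).hexdigest()

def is_simulation(msg):
    """Verify the marker, so an attacker cannot suppress reports just by adding the header."""
    tag, mid = msg.get("X-Phish-Simulation"), msg.get("Message-ID")
    if not tag or not mid:
        return False
    return hmac.compare_digest(str(tag).strip(), simulation_tag(str(mid)))

def triage_report(msg):
    """What the one-click report button does with the message a user reported."""
    if is_simulation(msg):
        return {"ticket": False, "reply": "Good catch! That was one of our phishing tests."}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {"ticket": True, "verdict": classify(msg), "sender": sender_domain(msg),
            "urls": re.findall(r"https?://\S+", text)}

if __name__ == "__main__":
    # constructed sample modelled on the post's crapsite example
    sample = parse("From: IT Helpdesk <helpdesk@example.com.xxx.guru>\n"
                   "Subject: Validate your password\n\n"
                   "Validate at http://crapsite.co.com.xxx.guru/fake-password-stealer.html\n")
    print(handle_inbound(sample))
    print(triage_report(sample))
```

Two design points worth noting. Mail that claims the internal domain but was not authenticated by our own MTA is rejected rather than bannered: if it were merely delivered, it would be the one external message with no banner, which is exactly the gap a spoofing test exploits. And the simulation marker is an HMAC rather than a bare header, because an unverified "this is a test" header would let a real phisher switch off ticket creation for their own mail. HTML bodies are left alone here; a production gateway would inject the banner into the HTML part as well.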
I think with any testing you should start simple and grow toward way more complicated with time. Anyone can design a perfect phish that will work on exactly who you target. But is there a point where it becomes too difficult? That’s hard to say, but we recently switched phishing providers and they wanted to do a baseline test. As part of this test they got our internal domain spoofed, which we normally block anyway, and a whitelist entry which bypassed the external banners. Not surprisingly, they got a higher than normal click rate. But they had tweaked the controls enough to present something to the users that normally wasn’t even possible. They were trained to look at the real domain, the external banner, etc.; they did that correctly and then were informed they were wrong. Thankfully that was just a small test and we were able to revert the changes, go for a close lookalike domain, and put the banner back on. The results were lower, not as low as I’d like, but at least controlling the situation got a more predictable result.
I was once told by an old Cisco SE about an internal phishing test that got him, and I can’t blame him. He was at work, shopping on Amazon, and purchased something. Seconds after the purchase he got a purchase confirmation email from Amazon. They were monitoring the network for specific traffic and triggering phishing emails to those users based on it. He had clicked on the email before it even registered that his work email wasn’t his registered Amazon account address. But in a situation like this, just playing the odds, it could happen anyway that a user at a giant corp is shopping on Amazon at that moment. A few years back I sent out a phishing test email with one of the “You hit your email quota, click here to increase your mailbox size and continue getting email” sort of messages. It was sent to maybe 6000 users; two of them had actually put in requests to have their real mailbox size increased already and were waiting for the update. You can bet they clicked that link the second that test showed up. I had no idea it would work out that way, but it doesn’t seem all that unlikely.