Phishing assessment services: Tailored vs off-the-shelf
Chris Preece, Head of Penetration Testing
Not a week goes by without a press headline mentioning a “sophisticated phishing attack” or a “new phishing attack approach”. The point is this: as long as we continue to embed new technology into our processes and rely on it more heavily, threat actors will keep refining their own approaches and looking for the weaknesses.
A little while ago, we came across an article about a new phishing kit that made life even easier for actors looking to fool internet users into giving up valuable information. It started an internal conversation about how we keep our phishing vulnerability assessments up to date with what cybercriminals are doing, and whether that is enough.
To make sure we’re providing our clients with realistic scenarios, we keep track of the latest scams in the media, in crime reports, and on the dark web. We also monitor attacks directed at our own systems and at third parties.
At the moment, we are adjusting our content to align with the pandemic-related lures used by criminals, such as “sign up for your Covid-19 jab here”, “your parcel has unpaid charges” or “you are being investigated for furlough fraud”.
Likewise, because we know that criminals are increasingly targeting cloud credentials as organisations shift to remote working, we use a similar approach with fake Microsoft 365 login pages that capture the credentials entered. These are certainly not new approaches, but their volume has increased and will continue to do so as more and more organisations move to the cloud.
Then, when a client asks for help in understanding how aware their staff are of phishing, we take our knowledge of what threat actors are doing and apply it to that client’s specific situation: sector, size, processes and so on.
Building up phishing awareness
There are plenty of phishing campaign platforms out there that provide what we would call ‘off-the-shelf’ content. That might be a standardised email sent to every employee with an email address. This is fine for basic awareness, but it doesn’t account for the more sophisticated emails that get through: the ones that aren’t full of obvious red flags and have been heavily researched to increase the likelihood of the recipient clicking a link or opening a file, such as the emails used for Business Email Compromise or spear phishing.
Here are some examples (shown as screenshots in the original post):
While you may not have much context, it’s clear that the sender of this email has made an effort to research the target so that it looks legitimate: it is addressed to a specific person about a specific task and mentions a current activity within the business.
Why tailored phishing assessments are the best option
Take the number of phishing approaches a cybercriminal could use and combine that with the very many different end users out there (in terms of both general technical skill and awareness) and you have a lot of variables in how your organisation could respond to the threat. There’s just no way that an off-the-shelf or templated phishing awareness solution can provide employees across such a broad spectrum with the tools they need to manage the risk appropriately.
In fact, we got very excited recently when a client asked us to make the campaign as difficult as possible, because they know that threat actors aren’t going to hold back if they really want to succeed. Our client learned that:
- A lot of information about their organisation was available online for anyone to find and use, including email addresses and internal processes and events.
- A truly convincing email resulted in 84% of their staff clicking on a link within the email and 74% entering their username and password.
- On a more positive note, of the recipients who entered their details, only one employee did not have a password that met the organisation’s minimum password requirement.
Importantly, the point of a phishing assessment is to identify where further education is required. After clicking and entering information, employees at this organisation were given training on how to spot phishing campaigns in future and how best to report them to their security team.
What your employees need
Spam filters won’t identify every phishing email that comes through, and, as mentioned above, a big part of that is because cybercriminals are spending more time crafting their approach in order to get better results. This means, as always, that humans are the last line of defence, so they need to be equipped to manage the risk, which includes being able to:
- Identify that something isn’t quite right. That might be an email address that looks incorrect, or wondering why a person you weren’t expecting an invoice from has sent you one.
- Report phishing emails, whether to an IT team or a cyber security team. Regardless of who receives it, the simple act of reporting a phishing email that has slipped through the cracks of the first line of defence is vital to managing the problem in the long term.
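To make the “email address that looks incorrect” check concrete, here is an added example (not code from the original post or from the assessment service) that applies three header-level red-flag heuristics to a constructed lure: a display name borrowing a trusted brand while the sending domain is untrusted, a Reply-To pointing at a different domain, and a typosquatted label such as “rnicrosoft”. The allowlist of trusted domains and the sample message are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lure imitating a Microsoft 365 notice (example data,
# not a message from the original post or any client engagement).
SAMPLE_EMAIL = """\
From: "Microsoft 365 Security" <alerts@rnicrosoft-online.com>
Reply-To: recovery@mail-verify.net
To: finance@example.org
Subject: Action required: your mailbox password expires today

Sign in to keep your mailbox active.
"""

# Domains the organisation genuinely expects mail from (assumed allowlist).
TRUSTED_DOMAINS = {"example.org", "microsoft.com", "office.com"}


def levenshtein(a, b):
    """Edit distance, used to spot lookalike labels such as 'rnicrosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_red_flags(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return header-level red flags for a raw RFC 822 message; [] means none."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    brands = {d.split(".")[0] for d in trusted_domains}
    # 1. Display name borrows a trusted brand, but the sending domain is not trusted.
    if from_domain not in trusted_domains:
        flags += [f"display name claims '{b}' but sender is {from_domain}"
                  for b in brands if b in display_name.lower()]
    # 2. Replies would go to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")
    # 3. A label in the sender domain is a near miss for a trusted brand (typosquat).
    for label in from_domain.replace("-", ".").split("."):
        flags += [f"'{label}' looks like '{b}'" for b in brands
                  if label != b and levenshtein(label, b) <= 2]
    return flags
```

Running `phishing_red_flags(SAMPLE_EMAIL)` returns three flags for the constructed lure, while a message from an allowlisted domain with no Reply-To returns an empty list.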
Measure the resilience of your people
Do you know how your people would deal with a phishing email? Get reassurance that they will take the right actions, and you will be helping them to help you and themselves, at work and at home. Talk to us about Phishing Vulnerability Assessments and how we can tailor and time them to fit your specific requirements. Contact us on +44 (0)845 600 4403 or at firstname.lastname@example.org