A clever way to increase employee awareness about phishing

User awareness training should be a part of every corporate security program

IT Best Practices Alert By Linda Musthaler, Network World
February 02, 2009 12:12 AM ET

In April 2008, thousands of high ranking corporate executives received an e-mail message informing them that they were being subpoenaed by the United States District Court in San Diego. The official-looking notice, which was personalized with the executive’s name, company and phone number, informed the recipient that he was required to appear before a grand jury in a civil case. An attachment supposedly contained a copy of the full subpoena. Anyone who clicked on the attachment – and who among us wouldn’t? – unwittingly downloaded and installed a keystroke logger and other malware that allows remote control of the PC.

This is a classic case of spear phishing, or in this case, whaling – the practice of attacking the “really big fish” such as corporate executives. And it worked, too. According to a security researcher who volunteers at the Internet Storm Center, there were at least 2,000 victims of this phishing attack. (Read more in this New York Times article.)

Could your executives fall prey to such a scheme? What about the average workers in your company? Yes, of course. Almost everyone is vulnerable to a well-orchestrated phishing attack like this one, simply because we humans are naturally programmed to respond to things we perceive as important to us.

Corporate users are just as susceptible to phishing attacks as consumers, and the stakes may be higher. A corporate phishing scam could cause direct financial loss, customer data breaches, or the theft of intellectual property such as trade secrets or corporate strategy. Therefore, user awareness training should be a part of every corporate security program.

Lorrie Faith Cranor is the director of the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory. In the article How to Foil “Phishing” Scams published in the December 2008 issue of Scientific American, Cranor says phishing plays on human vulnerabilities and is not strictly a technological problem. “Although we have shown that we can teach people to protect themselves from phishers, even those educated users must remain vigilant and may require periodic retraining to keep up with phishers' evolving tactics,” wrote Cranor.

A clever way to teach workers about phishing and condition them to question suspicious e-mails is the service called PhishMe from the Intrepidus Group. PhishMe is an easy-to-use SaaS mock phishing exercise that a company runs against its own employees. Instead of producing a harmful consequence, PhishMe sends instant feedback and training to the worker who falls for the trick and clicks on the link in the bogus message.

PhishMe allows for very targeted simulated attacks that are relevant to the employees’ daily jobs. For example, you could send a fake phish to everyone in the marketing department, telling them they need to validate their SharePoint login accounts. This authoritative-looking message could appear to come from “IT Security” or some such internal group. Those employees who take the bait could be instantly reminded that the real IT Security group never solicits account information or passwords via e-mail.
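The same lesson the simulated exercise teaches employees can be encoded as a mail-triage rule. As an added example (not from the article, and not PhishMe's or anyone else's product code), the Python below checks a message for the three lures this column describes: an outside sender whose display name claims an internal group such as "IT Security", a request for account details, and an executable attachment dressed up as an official notice. The internal domain, the indicator lists and the three sample messages are all constructed for the example.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"            # assumption: the organisation's own mail domain
IMPERSONATED_GROUPS = ("it security", "it support", "helpdesk")
CREDENTIAL_LURES = ("password", "validate your", "verify your", "login account")
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def phishing_indicators(raw: str) -> list:
    """Return the names of the indicators that fire for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    # Display name claims an internal group, but the address is not on our domain.
    if any(g in name.lower() for g in IMPERSONATED_GROUPS) and domain != INTERNAL_DOMAIN:
        hits.append("internal-group-spoof")
    # The message asks for account details; the real IT group never does so by e-mail.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(lure in text for lure in CREDENTIAL_LURES):
        hits.append("credential-request")
    # An executable (or archive) attached to an "official" notice, as in the subpoena lure.
    if any((p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
           for p in msg.iter_attachments()):
        hits.append("risky-attachment")
    return hits


def _message(sender: str, subject: str, body: str, attachment: str = None) -> str:
    """Build a constructed sample message and return it serialised."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.com", subject
    m.set_content(body)
    if attachment:  # constructed payload, not a real executable
        m.add_attachment(b"constructed sample", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SHAREPOINT_LURE = _message('"IT Security" <helpdesk@example-support.net>',
                           "Action required: SharePoint accounts",
                           "Validate your SharePoint login account by replying with your password.")
SUBPOENA_LURE = _message('"US District Court" <notice@courts-notify.example.net>',
                         "Grand jury subpoena",
                         "A copy of the full subpoena is attached; open it to confirm your appearance.",
                         attachment="subpoena.exe")
GENUINE_NOTICE = _message('"IT Security" <itsec@example.com>', "Scheduled maintenance",
                          "SharePoint is unavailable Saturday 02:00-04:00. No action is needed.")
```

The genuine maintenance notice comes from the real internal address and asks for nothing, so no indicator fires; the two lures trip the spoof, credential and attachment checks respectively.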

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
