A clever way to increase employee awareness about phishing

* User awareness training should be a part of every corporate security program

A Gartner survey shows that phishing attacks soared in 2007, ultimately costing victims of the attacks at least $3.2 billion. As we start 2009, corporate spear phishing - the practice of targeting specific workers in order to gain access to systems or information - is on the rise. This places corporate security at risk. PhishMe is a unique and simple SaaS solution that provides phishing awareness training to employees. You can reduce the likelihood that a worker in your organization will compromise security via a phishing attack.

In April 2008, thousands of high ranking corporate executives received an e-mail message informing them that they were being subpoenaed by the United States District Court in San Diego. The official-looking notice, which was personalized with the executive’s name, company and phone number, informed the recipient that he was required to appear before a grand jury in a civil case. An attachment supposedly contained a copy of the full subpoena. Anyone who clicked on the attachment – and who among us wouldn’t? – unwittingly downloaded and installed a keystroke logger and other malware that allows remote control of the PC.

This is a classic case of spear phishing, or in this case, whaling – the practice of attacking the “really big fish” such as corporate executives. And it worked, too. According to a security researcher who volunteers at the Internet Storm Center, there were at least 2,000 victims of this phishing attack. (Read more in this New York Times article.)

Could your executives fall prey to such a scheme? What about the average workers in your company? Yes, of course. Almost everyone is vulnerable to a well orchestrated phishing attack like this one simply because we humans are naturally programmed to respond to things that are perceived as important to us.

Corporate users are just as susceptible to phishing attacks as consumers, and the stakes may be higher. A corporate phishing scam could cause direct financial loss, customer data breaches, or the theft of intellectual property such as trade secrets or corporate strategy. Therefore, user awareness training should be a part of every corporate security program.Lorrie Faith Cranor is the director of the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory. In the article How to Foil “Phishing” Scams published in the December 2008 issue of Scientific American, Cranor says phishing plays on human vulnerabilities and is not strictly a technological problem. “Although we have shown that we can teach people to protect themselves from phishers, even those educated users must remain vigilant and may require periodic retraining to keep up with phishers' evolving tactics,” wrote Cranor.

A clever way to teach workers about phishing and condition them to question suspicious e-mails is the service called PhishMe from the Intrepidus Group. PhishMe is an easy to use SaaS mock phishing exercise that a company runs against its own employees. Instead of resulting in a harmful consequence, PhishMe sends instant feedback and training to the worker who falls for the trick and clicks on the link in the bogus message.

PhishMe allows for very targeted simulated attacks that are relevant to the employees’ daily jobs. For example, you could send a fake phish to everyone in the marketing department, telling them they need to validate their SharePoint login accounts. This authoritative-looking message could appear to come from “IT Security” or some such internal group. Those employees who take the bait could be instantly reminded that the real IT Security group never solicits account information or passwords via e-mail.

PhishMe exercises can be run every couple of months so that the same employees are tested periodically on their awareness to vulnerability. Post-testing metrics give the company an opportunity to view trends over time. One PhishMe customer found that 80% of the workers responded to a fake attack the first time. They all received instant feedback, counseling them on company policy and what they should do in the future with similar types of e-mail messages. Over time and with repeated exercises, the company learned that only 4% of the workers would respond to the suspected attack. This represents a strong improvement in security awareness.

Because it’s a Web-based service, there’s nothing to install in order to run a PhishMe test with end users. PhishMe doesn’t even require a lot of technical knowledge to run a test; it uses templates and lots of pull-down menus to help the administrator craft a scenario. For example, template content is geared toward asking users to complete a password survey, to prepare for an e-mail migration, or to update software to control a virus outbreak. The message content can be modified to suit your company, or you can create your own scenario. Crafting the embedded URL and a Web landing page is just as easy. It’s fairly simple to create a very convincing scenario that realistically tests employees’ phishing savvy.

There are numerous use cases for a tool like PhishMe:

* Reduce corporate risk by providing timely and repeated security awareness training.

* Teach new hires about company security policies.

* Prove compliance with corporate and regulatory controls.

* Identify specific people or groups who need additional training.

Check it out for yourself – you can get a product demonstration upon request. With a simple 15-minute demo, I caught on immediately how this tool could improve security. There’s also a good independent review by Tom Olzak, director of information security for an Ohio healthcare provider.

Copyright © 2009 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022