Understanding Phishing Emails
April 02, 2018
Let’s face it. Email is always a threat.
So, naturally, you do everything to keep your users (and your network) safe. Your preventative measures are constantly being tested and improved, but still, your users are faced with malicious emails in their inboxes every single day.
And it gets worse. According to recent reports, one in every five spear phishing emails sent results in a link being clicked or an attachment being opened. Add the fact that new zero-day exploits are being discovered at a rate of roughly one per month, and a single careless click is enough to put a corporate network of any size at serious risk.
The Main Culprits
First off, as with any training program, it’s important for you and your users to know what you’re up against. No training program is complete without a little context, but more importantly, it’s essential to provide examples of real campaigns for your users to learn from.
As a starting point, here are the three most common threats your users will face.
Malware – Attachments and links to compromised websites are by far the most common email attack vectors. These methods are cheap, quick, effective, and can be easily scaled to meet the needs of individual campaigns.
Much of this malware exploits vulnerabilities in widely deployed software such as Adobe Flash to gain a foothold on the user’s machine; the rest simply relies on the user to open and run it. Once inside, it calls out to command and control (C2) servers outside your network, and the attacker uses that channel to move laterally and gradually expand their control until they have what they came for.
Business Email Compromise – Instead of relying on automated software or pre-existing exploits, business email compromise (BEC) is a purely social engineering based technique that seeks to con users into sending large sums of money to a threat actor’s bank account. In most cases, the threat actor sends an email to financial staff that appears to be from a senior person within the target’s organization.
This may sound far-fetched, but there have been many successful attacks of this type. Instead of going straight for the money, threat actors typically build a rapport with the target over several messages before asking for anything tangible. And while you might expect these attacks to focus on large organizations, recent experience has turned up a spate of BEC attacks against smaller, more agile companies whose payment processes have fewer approval controls.
Ransomware – Typically spread through mass phishing campaigns, ransomware is also sometimes transmitted through spear phishing attacks. In basic terms, ransomware is malware that identifies and encrypts high-value files and folders before demanding payment of a ‘ransom’ for the safe return of your data.
In many cases, ransomware delays the encryption stage until it has spread through the network and the highest-value systems have been identified, maximizing the damage and therefore the likelihood that the ransom will be paid.
Clearly, any of the above scenarios will make for a really bad day. And since there are practical limitations on how much you can avoid through technical controls, there’s only one way forward.
Bridging the Human Firewall Gap
Phishing campaigns succeed for one simple reason: Most people simply don’t expect malicious emails in their inboxes. If you can tip the scales by preparing your users to expect and identify phishing emails, many potential breaches can be prevented entirely.
This is what we call the ‘human firewall’. Where technological controls can’t provide total security, people must fill the gap.
And the thing is, most of the time phishing emails are pretty easy to spot. Sure, some are incredibly sophisticated, but many are little more than spam that somehow evades your spam filter. Because of this, training your users to identify and report phishing emails may actually be easier than you think… so long as you adhere to a few simple rules.
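As an added illustration (not code from the original article), the following Python script checks a raw email for the tell-tale signs described above: a display name impersonating a senior colleague on an external sender domain (the BEC pattern), a Reply-To that redirects the conversation elsewhere, links whose visible text names one domain while the href points to another, and urgency or payment wording in the subject. The organization domain, the list of internal names and both sample messages are constructed for the example.

```python
"""Flag common phishing indicators in a raw e-mail message (added example, not the
article's code; the domain, internal-name list and sample messages are constructed)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                   # assumed organization domain
INTERNAL_NAMES = {"jane doe", "john smith"}  # assumed senior staff worth impersonating
LURE_WORDS = ("urgent", "wire", "payment", "invoice")


class _LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(s):
    """Lower-cased host part of an e-mail address, URL or bare hostname."""
    s = s.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    return (urlparse(s if "://" in s else "//" + s).hostname or "").lower()


def _first_address(msg, name):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    hdr = msg.get(name)
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec


def phishing_indicators(raw):
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, from_addr = _first_address(msg, "From")
    from_dom = _domain(from_addr)

    # A known internal name on an external address: the classic "from the CFO" lure.
    if from_dom != OUR_DOMAIN and any(n in display.lower() for n in INTERNAL_NAMES):
        findings.append(f"display name '{display}' used with external domain {from_dom}")

    # Reply-To quietly redirects the conversation to a different domain.
    _, reply_to = _first_address(msg, "Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")

    # Anchor text displays one domain while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for text, href in parser.links:
            shown, target = (_domain(text) if "." in text else ""), _domain(href)
            if shown and target and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")

    # Urgency and payment wording typical of BEC lures (weak on its own).
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in LURE_WORDS):
        findings.append(f"urgency/payment wording in subject: {subject!r}")
    return findings


# Constructed samples: a BEC-style lure and an ordinary internal message.
BEC_SAMPLE = """\
From: "Jane Doe, CFO" <jane.doe@examp1e.com>
Reply-To: jdoe.cfo@mail-secure.test
To: accounts.payable@example.com
Subject: URGENT wire transfer before close of business
Content-Type: text/html; charset="utf-8"

<html><body><p>Process the attached invoice today via
<a href="http://portal.example.com.login-verify.test/pay">https://portal.example.com/pay</a></p></body></html>
"""
BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q2 budget notes

Notes are on the intranet.
"""
```

None of these checks is conclusive on its own, and a real mail gateway has better signals (SPF, DKIM and DMARC results, sender reputation). The point is that the same four questions a script can ask are the ones you want users asking before they click: who is this really from, where do replies go, where does the link actually lead, and why is it so urgent.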
1) Classrooms are boring
Here are two traits that most security awareness programs share:
a. They’re conducted poorly
b. They’re incredibly boring
But it doesn’t have to be this way. In fact, if you want your program to achieve something, it mustn’t be this way.
If you want your users to pay attention to (and remember) your training, you’ll need to deliver it in a way that holds attention. That means using a mix of media and engaging users directly.
2) No measurement = no result
More than any other area of security awareness, email security behaviors can be measured directly. All it takes is to build your own simulated phishing campaigns, send them to your users, and track who clicks, who opens the attachment, and who reports the message.
And taking this approach doesn’t just help you track success. Users who routinely fail to identify your phishing emails can be targeted for additional training. Training that isn’t delivering results can be revamped.
This is one of the few opportunities you’ll ever have to conduct a training program that constantly improves in a measurable way. Don’t waste it.
3) Reinforcement trumps repetition
It might sound counterintuitive, but doubling the frequency of training sessions won’t provide double the results.
Human minds just don’t work that way. Instead, you’ll find the best method is to positively reinforce the behaviors you want to maximize. Ideally, reinforcement should occur immediately following the behavior you’re trying to encourage.
Exactly how you choose to reward users who routinely identify and report your phishing emails is up to you. It is important, though, that you at least recognize their success.
Of course, you cannot simply ignore users who routinely fail your testing process. Our suggestion is to immediately (preferably automatically) provide them with additional training, perhaps in video or audio form, to help them succeed in the future.
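To make the measurement in rule 2 and the follow-up in rule 3 concrete, here is an added Python example (not code from the original article or from TracePhishing) that scores a simulated-phishing event log: it computes click, credential-submit and report rates per campaign, then picks out users who reported the latest test for recognition and users who failed at least two of the last three tests for immediate extra training. The event log, user names and thresholds are all constructed assumptions for the example.

```python
"""Score simulated-phishing results and decide who to reinforce or retrain.

Added example, not the article's code. The event log below is constructed;
each row is (campaign_id, user, event) with events "delivered", "clicked",
"submitted" (entered credentials on the landing page) and "reported".
"""
from collections import defaultdict

EVENTS = [
    ("c1", "alice", "delivered"), ("c1", "alice", "reported"),
    ("c1", "bob", "delivered"), ("c1", "bob", "clicked"),
    ("c1", "carol", "delivered"),
    ("c2", "alice", "delivered"), ("c2", "alice", "reported"),
    ("c2", "bob", "delivered"), ("c2", "bob", "clicked"), ("c2", "bob", "submitted"),
    ("c2", "carol", "delivered"), ("c2", "carol", "clicked"), ("c2", "carol", "reported"),
    ("c3", "alice", "delivered"), ("c3", "alice", "clicked"),
    ("c3", "bob", "delivered"), ("c3", "bob", "clicked"),
    ("c3", "carol", "delivered"), ("c3", "carol", "reported"),
]

FAIL_EVENTS = {"clicked", "submitted"}  # anything past "delivered" that is not a report


def campaign_order(events):
    """Campaign IDs in the order they first appear (oldest first)."""
    seen = []
    for cid, _, _ in events:
        if cid not in seen:
            seen.append(cid)
    return seen


def outcomes(events):
    """{campaign: {user: set(events)}} built from the flat event log."""
    table = defaultdict(lambda: defaultdict(set))
    for cid, user, ev in events:
        table[cid][user].add(ev)
    return table


def campaign_rates(events):
    """Click, credential-submit and report rates per campaign, over users delivered to."""
    rates = {}
    for cid, users in outcomes(events).items():
        delivered = [u for u, evs in users.items() if "delivered" in evs]
        n = len(delivered) or 1
        rates[cid] = {
            "click_rate": sum("clicked" in users[u] for u in delivered) / n,
            "submit_rate": sum("submitted" in users[u] for u in delivered) / n,
            "report_rate": sum("reported" in users[u] for u in delivered) / n,
        }
    return rates


def triage(events, window=3, fail_threshold=2):
    """Reinforce users who reported the latest test; retrain users who failed
    at least `fail_threshold` of the last `window` tests. Thresholds are assumptions."""
    recent = campaign_order(events)[-window:]
    table = outcomes(events)
    fails = defaultdict(int)
    for cid in recent:
        for user, evs in table[cid].items():
            if evs & FAIL_EVENTS:
                fails[user] += 1
    latest = table[recent[-1]]
    return {
        "reinforce": sorted(u for u, evs in latest.items() if "reported" in evs),
        "retrain": sorted(u for u, n in fails.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    for cid, r in campaign_rates(EVENTS).items():
        print(cid, {k: f"{v:.0%}" for k, v in r.items()})
    print(triage(EVENTS))
```

Note that a user who clicks and then reports (carol in campaign c2) counts as both a failure and a report: the click still matters for your metrics, but the report is exactly the behavior rule 3 says to reinforce, so it should be recognized rather than punished. Wire the "retrain" list into whatever delivers your follow-up module so the extra training lands the same day, not at the next quarterly session.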
Infrastructure is Everything
Of course, not every organization has the resources to develop an automated training and testing mechanism for email security. If you’d like to implement an email security awareness training program that really works, we’d love to help you get there.
TracePhishing helps you proactively combat email-based cyber and social engineering attacks by integrating training, testing, reinforcement, and reporting in a single package. With a full multimedia training program built-in, TracePhishing is an email security awareness solution that delivers real, measurable results for our customers.