Simulated Phishing Campaigns

The SecurityIQ Program

The “ph” in phishing is a historical reference to “phreaking”, the very first form of electronic “hacking.” Phreaks (a portmanteau word of phone and frequency) exploited weaknesses in the telephone system to obtain free long distance calling back when the fees were outrageous. These phreaks-turned-hackers actually advanced computer science quite significantly. A surprising number of owners of and highly placed officials in major companies actually started out their careers as phreaks and hackers.

Why do we need Phishing Awareness?

Their explorations, using a system against itself, revealed weaknesses which allowed us to make it more resistant to attack. Now phishers are doing the same thing—using a door we have provided for e-mails—to break into the system. If you represent a company, your people need to be trained to recognize these attacks so as to protect your system.

Even if you’re an ordinary citizen, you would still want to protect your family members, friends, and relatives. You might be responsible for a network of some kind and need to keep would-be thieves out, whether at home or corporate. In every case it is our own responsibility to be prudent and to educate ourselves.

Consider this case

The Northeastern College of Pittsburgh, Pennsylvania noted that prior to 2012, staff members were succumbing to as many as six cybercriminal phishing attacks per month. After installing a security training solution they observed:

  • A reduction to only three successful attacks in a six-month period, a 90% decrease;
  • A significant drop in virus infections and spyware installation on the campus computers;
  • A significant increase in the number of user reports about phishing emails.

More importantly, staff reported a greater confidence level in being able to recognize phishing attempts, and knowing how to deal with them when they encounter them. They agreed that firewalls and technological solutions are not a one-size-fits-all answer to protect them; they conceded that they shared the responsibility, and they needed to behave as a much more discriminating “Human Firewall”.

You are protecting your business, friends, and family

By exposing our friends, relatives, and co-workers to these subtle but invariably malicious forms of attack we increase our resistance to them. We’re pretty much past the days when anyone will fall for the “Nigerian Prince” scam that wants to send us $3.14 million USD, provided we send him the $640 required for the bank transfer fees first.

Prove you’re smart enough to avoid greed

Sadly, the evidence indicates that people are now falling for the mind-numbingly obvious scam of a U.S. soldier in Afghanistan who needs help getting stolen money back to the United States. E-mail costs nothing to send, so they send out 500,000 (or more) and with a response rate of only 1/10th of one percent sending their $500, they still manage to obtain $250,000 to line their own pockets. Even one person in 1,000 is too many. Don’t be duped.

Phishing Campaign Development and Implementation

SecurityIQ is one of the most important tools you can use to help you obtain total cybersecurity compliance for your organization, or to help the people you care about avoid being vulnerable and victimized. Again and again, simulated phishing campaigns have been shown to be a vital part of every network’s security awareness tools.

Experience tells us that people who are not familiar with history are the ones most likely to repeat its mistakes. By enrolling all the members of your group into the cloud-based computer security awareness training, they are acquainted with the methodology of these cybercriminals, and the easy, logical steps necessary to avoid falling into their traps.

Security Awareness

Go to the SecurityIQ site to get started. It’s a simple matter to register, and very quickly you will receive a test phishing e-mail at the account you registered. It’s an easy way to gauge your own internet savvy.

Once your learners have completed the phishing awareness course, our automated phishing emulator will send periodic pseudo-phishing e-mails and gauge the actions taken.

The phishing attempts will cover a variety of weaknesses, including “official-looking” requests for personal information, “exciting free offers”, URL redirects, and more. All this increases the learner’s awareness of the methods these exploiters use; and as we all know, the more often you use a skill, the more thoroughly it becomes ingrained in your behavior.

Measuring Effectiveness

Once the training is complete, your people should have a much higher level of compliance. The regular pseudo-phishing attempts with our PhishSIM tool will isolate weak points to identify where people can make better decisions.

For corporate members, once employees know that there will be a follow-up, that there will be consequences for not meeting the goals, you should be able to reach that fabled 100% compliance rate. People just need to realize that the testing will be ongoing, and that they will be scored on how successfully they avoid the bait. Their awareness will be sky-high and your business will be much safer.

Phishing as a Service

Using our tools you can create your own fully automated campaigns. You simply declare who the learners are, which templates are used to test their skills, and then you’ll get a report when it is complete showing the results. It really is that easy—just point and click.

The goal is not to humiliate people for making bad choices. The idea is to train them to make better choices to help protect the assets of the company, and increase the security in their own personal lives. A typical first report might look like this:

[Image: a typical first campaign report]

Over the course of time, as your campaigns proceed, those numbers and colors will change. The reds will be replaced with yellows, and ultimately greens as your people become accustomed to thinking critically about each e-mail that they receive.

After the initial setup, once the program has been in place for a few months, you should for the most part only see reds for a short time when you hire a new employee. That is your signal to ensure that they are enrolled in the campaign and participating properly. Soon they will be certified, and up to corporate standards.
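The status report described above, as an added example that is not SecurityIQ’s own reporting code: it takes a roster and a constructed log of simulated-phishing deliveries, scores each learner, and flags anyone on the roster who has not yet received a simulation (the new-hire case). The red/yellow/green thresholds are assumptions made for this example: red means the learner clicked a simulated lure, yellow means no clicks but no reports either, green means no clicks and at least one report.

```python
"""Summarise simulated-phishing results per learner.

Added example; the colour thresholds and the event format are assumptions,
and the roster and delivery log below are constructed sample data.
"""
from collections import defaultdict

# Constructed roster: the third address has not been sent anything yet.
ROSTER = ["abcd@test.com", "defg@test.com", "hire@test.com"]

# Constructed delivery log: (learner email, template name, action taken).
# Assumed actions: "clicked", "reported", "ignored".
EVENTS = [
    ("abcd@test.com", "password-reset", "clicked"),
    ("abcd@test.com", "free-offer", "ignored"),
    ("defg@test.com", "password-reset", "reported"),
    ("defg@test.com", "free-offer", "ignored"),
]


def summarise(roster, events):
    """Return {email: {"sent", "clicked", "reported", "status"}} for the roster."""
    counts = {email: defaultdict(int) for email in roster}
    for email, _template, action in events:
        if email not in counts:
            continue  # delivery to someone no longer on the roster; not scored
        counts[email]["sent"] += 1
        counts[email][action] += 1

    report = {}
    for email, c in counts.items():
        if c["sent"] == 0:
            status = "not enrolled"  # nothing delivered yet: enrol this learner
        elif c["clicked"] > 0:
            status = "red"           # assumed threshold: any click in the window
        elif c["reported"] > 0:
            status = "green"         # never clicked and reported at least one lure
        else:
            status = "yellow"        # never clicked, but never reported either
        report[email] = {
            "sent": c["sent"],
            "clicked": c["clicked"],
            "reported": c["reported"],
            "status": status,
        }
    return report


def click_rate(report):
    """Campaign-wide fraction of delivered simulations that were clicked."""
    sent = sum(r["sent"] for r in report.values())
    clicked = sum(r["clicked"] for r in report.values())
    return clicked / sent if sent else 0.0


if __name__ == "__main__":
    rep = summarise(ROSTER, EVENTS)
    for email, r in rep.items():
        print(f"{email:20} sent={r['sent']} clicked={r['clicked']} "
              f"reported={r['reported']} -> {r['status']}")
    print(f"click rate: {click_rate(rep):.0%}")
```

Over successive campaigns the same function can be run on each window’s events; a learner who moves from red to yellow to green is the trend the article describes, and “not enrolled” is the new-hire signal.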

Setting up a Phishing Campaign

Once you register, simply log in and you’ll be taken to the Dashboard where you’ll see your first two campaigns. Click on the Add learners label and you’ll see that you can add selected people individually, or you can use a CSV (Comma Separated Values) list with this format:

  • First Name, Last Name, Email
  • “John”, “Doe”, “abcd@test.com”
  • Jane, Doe, defg@test.com

You may surround each item in the list with quotation marks or leave them off, whichever works best for you. A CSV list is very useful to your Human Resources (HR) department for adding your entire employee list.
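The roster format above, with its mix of quoted and unquoted rows, is easy to get wrong when HR exports a whole employee list, so here is an added example (not SecurityIQ’s own import code) that checks such a file before upload. It assumes the three columns shown in the article, treats a first row ending in “Email” as a header, and rejects rows with the wrong field count, malformed addresses, or duplicate addresses; the sample roster is constructed.

```python
"""Validate a learner roster in the First Name, Last Name, Email layout.

Added example; the header handling, address check and duplicate rule are
assumptions, and SAMPLE_ROSTER is constructed to exercise each of them.
"""
import csv
import io
import re

# Constructed sample: quoted and unquoted rows, a header, a blank line,
# a duplicate address differing only in case, a bad address, a short row.
SAMPLE_ROSTER = """First Name, Last Name, Email
"John", "Doe", "abcd@test.com"
Jane, Doe, defg@test.com

"Jane", "Doe", "DEFG@test.com"
Bad, Row, not-an-email
Too, Few
"""

# Deliberately simple shape check: one '@', no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def load_roster(text):
    """Return (learners, problems).

    learners: list of {"first", "last", "email"} dicts, email lower-cased.
    problems: list of (line_number, reason) for rows that were not imported.
    """
    learners = []
    problems = []
    seen = set()
    # skipinitialspace is what makes '"John", "Doe"' parse as quoted fields:
    # without it the space before the quote makes the quote part of the data.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        cells = [c.strip() for c in row]
        if lineno == 1 and cells[-1].lower() == "email":
            continue  # header row (assumed optional)
        if len(cells) != 3:
            problems.append((lineno, f"expected 3 fields, got {len(cells)}"))
            continue
        first, last, email = cells
        email = email.lower()
        if not EMAIL_RE.match(email):
            problems.append((lineno, f"malformed address {email!r}"))
            continue
        if email in seen:
            problems.append((lineno, f"duplicate address {email!r}"))
            continue
        seen.add(email)
        learners.append({"first": first, "last": last, "email": email})
    return learners, problems


if __name__ == "__main__":
    ok, bad = load_roster(SAMPLE_ROSTER)
    for learner in ok:
        print("import:", learner)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Running it on the constructed sample imports John and Jane and reports lines 5 (duplicate), 6 (malformed address) and 7 (too few fields). Checking the file this way before upload means the campaign starts with every intended learner enrolled and no bounced deliveries skewing the first report.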

Select a campaign

You could begin with the PhishSIM campaign in order to demonstrate the need for the Awareness Education (AwareEd) campaign. If staff members are already alerted to the need, you could begin with the AwareEd Campaign. Your choice! Whichever you choose it should look essentially like the next image.

[Image: campaign selection screen]

The learners you have entered will already be included in the learners column. If you chose AwareEd, you’ll see that there are five learning modules already configured. If you chose PhishSIM, there are three built-in templates ready to go.

In either case, simply click the little green arrow on the right hand side of the image. You will be presented with the options for setting the parameters of the campaign. It will look like the next image.

Here you can set the Start Date of the campaign (auto-filled with the current date when you first see it), its total duration (up to 365 days), and between zero and nine repeats. The same options are available for any campaign. Just click the start button and your campaign will be underway.

The campaign will begin on the start date you selected. If you chose the Awareness Education campaign, the recipients will receive an e-mail with a polite message identifying you or your company, and a link that will take them to a listing of the five courses. It informs them of how long they have to complete the courses, each of which runs between 10 and 22 minutes in length.

What They Will See

The pleasantly-voiced lessons begin with a description of the problem, set out the objectives for the lesson, and use a series of animations and audio to outline the type of vulnerability.
Learners are shown various options about how to deal with problems. Using a mouse-driven interface and a multiple-choice scenario, they are given the opportunity to figure out the correct answer. In the event they select an incorrect answer, hints may be provided to guide them to a better choice.

The correct answer is then expanded upon. This assures that participants understand why it was the correct choice, so they do not rely on simply making a lucky guess.

As the strategies are reviewed, the logic behind each of the choices is made clear. We have to know who is making the request for information; if the request for information makes sense in a particular context; and that we’re giving due consideration to every interaction, and not succumbing to an artificial time pressure causing us to make poor choices.

Tracking your Results

To see how your training program is proceeding, simply log into your dashboard, select one of your currently running campaigns, and click the small gear icon. The details will be revealed showing each participant’s current status and level of completion.

Gaining Support

Once you have apprised your learners of how little information is required to cause a security breach, either commercially, or for them personally, they should rally around. Your employees, friends, relatives, and associates have a vested self-interest in being better at handling important information.

It requires amazingly little of their own personal information to take out a loan, or make a credit card application in their name. It can then take months (or years) to clear a blemish on their credit record created by these crooks.

The Takeaway

In the past, phreaks and hackers became anti-heroes because their skills amazed so many of us. Once they were displaced by actual criminals who turned to acts of malice, destruction, robbery, and extortion, we should have withdrawn our admiration.

Trojans, worms, and virus infestations started off as goofy little jokes between programmers, but have now escalated to such a level that they are causing billions of dollars’ worth of damage every year. There is absolutely nothing left about these things to admire.

We have to make a concerted effort to protect ourselves. The way to do that is through education, so that we know how to make good decisions to protect ourselves and our employers.

Drop by and see us at https://securityiq.infosecinstitute.com/ and try our training for free. Remember, preparation is half the battle.

This really is important. Do it today!

Be Safe

Randi Sherman

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
