Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance.
Have you ever received an e-mail that urges you to act quickly and provide your username and password, or one that asks for your birth date and Social Security number through a legitimate-looking (but fraudulent) website to verify your identity? How about a computer request to update your bank details and personal information with the warning that your account was compromised and might be closed if you do not comply?
The first instinct is to click on the provided link or open the attachment to address the request. In reality, such e-mails should always ring alarm bells for recipients. They might, in fact, be a phishing attack.
Phishing is a technique used by cyber-criminals to lure users into handing over personal information or visiting a website that is a fake. Phishers’ goal is to gain access to sensitive information
on the network. Often these attacks use botnets to disseminate a request for info to a large number of people in the hope to receive even just one answer. After all, all it takes is for one person to reveal sensitive data or install (unknowingly) malware. It’s an ever-evolving problem today worldwide (see phishing infographic) with more and more people falling prey to such a scheme.
One recent example has been the IRS Impersonation Scam; in this case, several Americans reported to have fallen victim of someone claiming to be working for IRS. Many received messages (phone calls or e-mails) and found out later (after being deceived, tricked and having revealed info) they were actually not contacted by the bureau of the Department of the Treasury. The messages ranged from telling the recipient they “owed money” and they “better pay now,” to “put money on a prepaid debit card or wire the money.” Sadly, some of those that received such a bogus message fell for the trick and lost their money, while the cyber-thief got away with a successful scam.
Sometimes, however, these attacks are targeted at a particular individual or group of people within an organization. Spear phishing might be even harder to recognize as the baits are tailored and personalized and seem even more legitimate. Attacks can come from instant messaging, social networks, and other forms of electronic communication.
Too often potential victims are convinced the e-mails are from a reliable source and are ready to give up personal info without further explanation as to why they are being asked to release it. E-mails seem to be sent from a ‘trusted’ source, but they are actually designed to trick the recipient into giving away sensitive information (e.g., credit card, account number, PIN, SSN, etc.) to the scammer.
Depending on the scope of the spear phishing, criminals might go a long way to create legitimate looking e-mails using realistic names, logos, and information. They may also create entire fraudulent websites as bait.
Ways to prevent it
Firewalls and malware scans can aid in the fight against spear phishing. Systems administrators can use tools that can help in recognizing suspicious traffic and screening social media use of employees on the network, to be able to catch any attempt of phishing before and not after a scam incident. However, technical solutions are not enough to counteract spear phishing attacks; they can only in part help recognize e-mails with malicious aims.
As John Toon, a researcher from GTRI, explains, “the success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.” Since the target of these attacks is actually the user, it is the user that needs to be the first line of defense. Security awareness training, then, is the best defense against these attacks. The more end users are made aware of the risks, the more they will be able not to act in an impulse when pressed for information and will be able to evaluate better each request.
Training needs to be given also to executives and higher officials in a company as they are often the primary targets of spear phishing attacks. Arming corporate employees with knowledge might not prevent spear phishing but can help diminish its likelihood.
According to Alan Paller, SANS research director, “95% of all attacks on enterprise networks are the result of successful spear phishing.” Equipping users with the knowledge to recognize most attacks can help strengthening the security posture of any company. A well trained team can be taught to recognize the signs of a phishing email, phony website, or other suspicious behaviors online before it is too late.
Employers need to ensure their workforce understand the types of scam attacks they may face, in addition to the risks involved and how to address them appropriately. Becoming aware of phishing techniques can ultimately provide greater sense of awareness when these strategies surface, points out Entrust, a company that provides identity-based security solutions.
How spear-phishing awareness training can be effective
To teach corporate employees how not to fall victim of spear phishing might just be the best defense against these attacks that continue to be a problem. Having training sessions about how to detect these spoof e-mails and knowing how to distinguish them from genuine e-mails by legitimate senders may help staff from falling prey of such scams.
Training needs to address first the basics of spear phishing and phishing’s prevention. As Stephen Northcutt of the SANS Technology Institute explains, to avoid spear phishing users should
- Never provide personal or financial information in a response to an e-mail request.
- Do not act on suspicious emails.
- Do not open attached files or click on links without first knowing the sender and their URL address. Curiosity not only killed the cat, but opened the house!
- Report any recognized phishing attempts.
Because these attacks target people, they need to be armed with the knowledge to counteract them. The problem with spear phishing is that it targets restricted groups and executives and, therefore, cyber-criminals are able to create sophisticated and highly personalized baits to lure their victims. Busy executives and executive assistants might not have the time at their disposal to really analyze the e-mail received. Therefore, frequent training is needed to help stop the instinct to reply with sensitive data or click on suspicious links.
Joe Ferrara, President and CEO of Wombat Security Technologies, says the cyber-threat of spear phishing is very real and has come increasingly transparent online. He points out the importance of improving individuals’ knowledge to be able to spot an attack so to be able to avoid opening themselves or their employer to it. A “continuous cycle of assessing knowledge” is key to ensure the employees are keeping their information secure.
This goal can be met with frequent re-certifications through annual cyber-security training, but also by creating fake spear phishing e-mails that periodically can be sent out to gauge users’ reactions. That way, also those who normally don’t have much time to concentrate on security can be reminded through real-life examples of what can happen and how important it is to be on guard.
Trainers can use interactive training or mock phishing scenarios, or simply discuss specific episodes. It is also helpful to make available simulated phishing exercises or staging phishing attacks for others to learn and understand. This, of course, in addition to conveying the array of tactics utilized by cyber-criminals in today’s world.
Training is not just effective for the acquisition of knowledge; training can also help make security relevant to end users, employees and executives. User awareness training empowers users and makes them less likely targets by understanding their primary role in the defense of the network. When working for an organization that communicates a strategic plan, employees will no longer feel powerless against scammers. Cyber-security is no longer a distant concept relegated behind the doors of servers’ rooms and the sole responsibility of IT managers, but it becomes a collective effort.
There is another benefit to training targets employees’ habits. Though it is possible to warn members of an organization about spear phishing and encouraging them not to respond or even open email from unknown senders, employees may not be able differentiate quickly and separate potential spear phishing attacks from harmless emails, says Andrew Howard, a research scientist who heads the Georgia Tech Research Institute’s (GTRI) malware unit. Howard said, “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”
Training might not prevent spear phishing or make people infallible email or website evaluators; yet, it might teach them to be more cautious when releasing sensitive data online to a third party. Behavior modification is the ultimate goal of training; people will become more aware with any e-mails they receive and not just when suspicious ones reach their mail in-boxes.
Today’s spear phishing activities and trend reports reveal attacks are becoming more dangerous because of new security evasion tactics. Spear-phishing appears to be the weapon of choice these days for cyber-crime and cyber-terrorism.
Email security solutions and web-filter techniques—that can help to prevent the messages from being directly delivered to an inbox—are not enough to protect today’s computer end users from a cyber-criminal. Overall, one cannot stress enough how important it is to support security awareness to improve phishing detection and avoidance.
As renowned American hacker Kevin Mitnick, former cybercriminal that turned security consultant explains “social engineering has a 100 per cent success rate […] once people become more security-aware, they are less likely to be conned.”
Repeated security awareness training is necessary to help others learn about the dangers of spear phishing, but training doesn’t only give knowledge to end users. It also helps to involve users in the protection of company’s networks and causes a behavior modification that can help change the way they react to any e-mails, even those that might not look suspicious at first.
Bruzzese, P. (2015, June 17). Email security and spear phishing secrets of an ex-hacker. Retrieved from https://www.mitnicksecurity.com/S=0/site/news_item/email-security-and-spear-phishing-secrets-of-an-ex-hacker
Ferrara, J. (2014, September 3). Phishing Scams at All-Time High, Employee Training Not Keeping Pace. Retrieved from http://www.wallstreetandtech.com/security/phishing-scams-at-all-time-high-employee-training-not-keeping-pace/a/d-id/1306866
Gréaux, S. (2013, Mar 13). Is training key to preventing spear-phishing attacks? Retrieved from http://www.hrzone.com/perform/business/is-training-key-to-preventing-spear-phishing-attacks
Northcutt, S. (2007, May 9). Security Laboratory: Methods of Attack Series – Spear Phishing. Retrieved from http://www.sans.edu/research/security-laboratory/article/spear-phish
Rubens, P. (2012, November 26). How to Prevent Spear Phishing Attacks. Retrieved from http://www.esecurityplanet.com/network-security/how-to-prevent-spear-phishing-attacks.html
Toon, J. (2013, January 8). Spear Phishing: Researchers Work to Counter Email Attacks that Gain Recipients’ Trust. Retrieved from http://www.gtresearchnews.gatech.edu/countering-spear-phishing/