Phishing is still a big problem, but users can help shrink it
- By John "Lex" Robinson
- May 22, 2018
Recently, Verizon released its 2018 Data Breach Investigations Report. The news (shocker) wasn’t good, all across the board. Threats delivered by phishing emails are growing, including at government agencies that guard sensitive information like tax records or highly classified national security files.
The report revealed that when malware is found, one-quarter of the instances are ransomware. Moreover, 68 percent of breaches take months or longer to discover. And 4 percent of employees will click on “any given phishing campaign,” Verizon found. That may not sound like much, but consider that in marketing campaigns, a 2 percent response is stellar. Criminals can double that performance metric just by hitting send.
Crowdsource your intelligence
When it’s that easy to succeed, attackers will keep coming. What can agencies do about it? One answer is taking advantage of the employees that phishing attackers target every day. Imagine transforming users into human sensors that report suspicious emails as nuggets of valuable intelligence.
This kind of crowdsourced security has gained traction in recent years, though most practitioners share data across organizations, not within them. A good example is the Department of Defense’s Cyber Security/Information Assurance Program. Under it, contractors share threat information among themselves and with DOD. Among other things, they’ve uncovered numerous advanced persistent threats.
Crowdsourcing works internally, too. With the right training, employees can learn to spot and report all types of phishing. It’s information the IT team can use to find threats faster.
Here are some tips for running a user-powered program.
Turn victims into defenders
Most government agencies require security awareness training, but it often covers phishing in five or 10 minutes. That’s hardly enough time to educate users on phishing in all its disguises. A good way to start is making users aware of “how they feel” whenever they read an email. Any strong emotion is a red flag.
Urgency is often used in phishing schemes. It pulses from emails imploring the recipient to act right away -- maybe to wire funds to a “vendor” by 3 p.m. A sense of fun or curiosity is another emotion attackers exploit. According to a report from Cofense, two of the most effective phishing subject lines are “Free Coffee” and “Package Delivery.” When users are aware of their reactions, they’re more security-aware.
Phishing awareness efforts come in many flavors, from the posters that pop up during Security Awareness Month to regular and rigorous training exercises. The latter often take the form of phishing simulations, in which agencies educate employees about the dangers of phishing, then send out mock phishes to keep staff on their toes. The best programs start with basic scams and work up to sneakier attacks, such as a message appearing to come from HR and parroting agency-speak.
Build an internal intel network
If employees have an easy way to report suspicious emails, the security operations center will get a steady stream of front-line threat intelligence. True, most reported emails will prove benign, but it only takes one successful phishing attempt to bring an agency to its knees. Also remember that email gateways don’t catch every threat. When a malicious email slithers through and lands in user inboxes, IT managers will be glad for trained employees who greet it with skeptical eyes.
Another advantage of email reporting: Engaged employees are vigilant employees. Studies show that as reporting increases, susceptibility drops. If users have a way to act, they’re more likely to be alert. What good is newfound knowledge if it can't be put to use? When the reporting mechanism is a button on email toolbars -- one click and done -- it’s not hard to recruit agents for a homegrown intel network.
Don’t abuse the “abuse box”
Reporting phishing is great, unless the IT staff gets overwhelmed. Before launching training and reporting initiatives, check in with the team responsible for analyzing emails to let them know their dedicated “abuse box” is about to get busy. IT will either assign more staff to assess reported emails or look into automation that gets the job done faster.
Still, a reported email does no good until it’s evaluated. Threats will go unnoticed if no one is able to vet them, and employees who report in good faith will quickly lose interest if their alerts are unacknowledged.
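As an added illustration of the "automation that gets the job done faster" the abuse-box passage calls for (this is example code, not something from the article or from Cofense), the Python below triages an employee-reported message: it parses the .eml, scores the red flags the article describes (urgency cues, a failed SPF check, a Reply-To that points somewhere other than the From domain, links to unrelated domains), fingerprints the message so one campaign reported by many employees collapses into a single case, and drafts the acknowledgement that keeps reporters engaged. The two sample messages, the indicator list, the weights and the priority thresholds are all constructed assumptions for the demo, not values from the page.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample reports (not real messages). The first mimics the
# "wire funds by 3 p.m." lure; the second is a benign internal notice.
SUSPICIOUS_EML = b"""From: "Accounts Payable" <ap-team@example-vendor.com>
Reply-To: payments@mail-examplevend0r.net
To: analyst@agency.example
Subject: URGENT: wire transfer needed by 3 PM today
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=example-vendor.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice immediately.
Confirm at http://mail-examplevend0r.net/invoice before 3 PM.
"""

BENIGN_EML = b"""From: facilities@agency.example
To: analyst@agency.example
Subject: Cafeteria menu for next week
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency.example; dkim=pass
Content-Type: text/plain; charset="utf-8"

The new menu is posted at https://intranet.agency.example/menu.
"""

# Assumed indicator list: the "urgency" cues the article describes.
URGENCY_TERMS = ("urgent", "immediately", "right away", "today", "asap", "action required")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def _domain(header_value: str) -> str:
    """Lower-cased domain of an address header ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage_report(raw: bytes) -> dict:
    """Score one reported message. Weights/thresholds are assumptions."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    auth = str(msg.get("Authentication-Results", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    from_dom, reply_dom = _domain(str(msg.get("From", ""))), _domain(str(msg.get("Reply-To", "")))
    urls = URL_RE.findall(text)

    score, reasons = 0, []
    hits = [t for t in URGENCY_TERMS if t in f"{subject}\n{text}".lower()]
    if hits:
        score += 2
        reasons.append("urgency cues: " + ", ".join(hits))
    if re.search(r"spf=(fail|softfail)", auth):
        score += 3
        reasons.append("SPF failed")
    if re.search(r"dkim=(fail|none)", auth):
        score += 1
        reasons.append("no valid DKIM signature")
    if reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    hosts = {urlparse(u).hostname or "" for u in urls}
    foreign = sorted(h for h in hosts if not (h == from_dom or h.endswith("." + from_dom)))
    if foreign:
        score += 2
        reasons.append("links to other domains: " + ", ".join(foreign))

    # Fingerprint on normalised subject + link set so one campaign reported
    # by many employees collapses into a single case.
    key = re.sub(r"\s+", " ", subject.lower()).strip() + "|" + "|".join(sorted(urls))
    fingerprint = hashlib.sha256(key.encode()).hexdigest()[:16]
    priority = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "priority": priority, "reasons": reasons,
            "urls": urls, "fingerprint": fingerprint, "subject": subject}


class AbuseBox:
    """Minimal case store: dedupes reports and counts reporters per campaign."""

    def __init__(self):
        self.cases = {}  # fingerprint -> {"triage": ..., "reporters": [...]}

    def submit(self, raw: bytes, reporter: str):
        result = triage_report(raw)
        case = self.cases.setdefault(result["fingerprint"], {"triage": result, "reporters": []})
        is_new = not case["reporters"]
        case["reporters"].append(reporter)
        return ("new" if is_new else "duplicate"), case

    def acknowledgement(self, reporter: str, case: dict) -> EmailMessage:
        """Draft the reply that tells the reporter their alert was acted on."""
        ack = EmailMessage()
        ack["To"] = reporter
        ack["Subject"] = "Thanks for reporting: " + case["triage"]["subject"]
        ack.set_content(f"Your report was triaged as {case['triage']['priority']} priority "
                        f"({len(case['reporters'])} report(s) of this message so far).")
        return ack


if __name__ == "__main__":
    box = AbuseBox()
    for raw, who in ((SUSPICIOUS_EML, "alice@agency.example"),
                     (SUSPICIOUS_EML, "bob@agency.example"),
                     (BENIGN_EML, "carol@agency.example")):
        status, case = box.submit(raw, who)
        print(who, status, case["triage"]["priority"], case["triage"]["reasons"])
```

Running it shows the wire-transfer lure landing as a high-priority case with two reporters and one ticket, and the cafeteria notice as low priority. In a real deployment the scoring would sit behind the toolbar button's submission path, and the acknowledgement would go back automatically so reports never sit unanswered.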
In the months to come, there will likely be more reports like Verizon’s. They’ll deliver more sobering news about phishing and data breaches, both within the business world and the public sector. Phishing will still be a problem, but agency defenses don’t have to be. With education and simple tools, users can make the difference.
John "Lex" Robinson is an anti-phishing/cyber security strategist at Cofense Inc.