Phishing is still a big problem, but users can help shrink it

If employees have an easy way to spot and report suspicious emails, security teams will get a steady stream of front-line threat intelligence.

Recently, Verizon released its 2018 Data Breach Investigations Report. The news (shocker) wasn’t good, all across the board. Threats delivered by phishing emails are growing, including at government agencies that guard sensitive information like tax records or highly classified national security files.

The report revealed that when malware is found, one-quarter of the instances are ransomware. Moreover, 68 percent of breaches take months or longer to discover. And 4 percent of employees will click on “any given phishing campaign,” Verizon found. That may not sound like much, but consider that in marketing campaigns, a 2 percent response is stellar. Criminals can double that performance metric just by hitting send.

Crowdsource your intelligence

When it’s that easy to succeed, attackers will keep coming. What can agencies do about it? One answer is taking advantage of the employees that phishing attackers target every day. Imagine transforming users into human sensors that report suspicious emails as nuggets of valuable intelligence.

This kind of crowdsourced security has gained traction in recent years, though most practitioners share data across organizations, not within them. A good example is the Department of Defense’s Cyber Security/Information Assurance Program. Under it, contractors share threat information among themselves and with DOD. Among other things, they’ve uncovered numerous advanced persistent threats.

Crowdsourcing works internally, too. With the right training, employees can learn to spot and report all types of phishing. It’s information the IT team can use to find threats faster.

Here are some tips for running a user-powered program.

Turn victims into defenders

Most government agencies require security awareness training, but it often covers phishing in five or 10 minutes. That’s hardly enough time to educate users on phishing in all its disguises. A good way to start is making users aware of “how they feel” whenever they read an email. Any strong emotion is a red flag.

Urgency is often used in phishing schemes. It pulses from emails imploring the recipient to act right away -- maybe to wire funds to a “vendor” by 3 p.m. A sense of fun or curiosity is another emotion attackers exploit. According to a report from Cofense, two of the most effective phishing subject lines are “Free Coffee” and “Package Delivery.” When users are aware of their reactions, they’re more security-aware.

Phishing awareness efforts come in many flavors, from the posters that pop up during Security Awareness Month to regular and rigorous training exercises. The latter often take the form of phishing simulations, where agencies educate employees about the dangers of phishing, then send out mock phishes to keep staff on their toes. The best programs start with basic scams and work up to sneakier attacks, such as a message appearing to come from HR and parroting agency-speak.

Build an internal intel network

If employees have an easy way to report suspicious emails, the security operations center will get a steady stream of front-line threat intelligence. True, most reported emails will prove benign, but it only takes one successful phishing attempt to bring an agency to its knees. Also remember that email gateways don’t catch every threat. When a malicious email slithers through and lands in user inboxes, IT managers will be glad for trained employees who greet it with skeptical eyes.

Another advantage of email reporting: Engaged employees are vigilant employees. Studies show that as reporting increases, susceptibility drops. If users have a way to act, they’re more likely to be alert. What good is newfound knowledge if it can't be put to use? When the reporting mechanism is a button on email toolbars -- one click and done -- it’s not hard to recruit agents for a homegrown intel network.

Don’t abuse the “abuse box”

Reporting phishing is great, unless the IT staff gets overwhelmed. Before launching training and reporting initiatives, check in with the team responsible for analyzing emails to let them know their dedicated “abuse box” is about to get busy. IT will either assign more staff to assess reported emails or look into automation that gets the job done faster.

Still, a reported email does no good until it’s evaluated. Threats will go unnoticed if no one is able to vet them, and employees who report in good faith will quickly lose interest if their alerts are unacknowledged.
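One way the automation mentioned above can keep the abuse box manageable is to cluster reports into campaigns so analysts vet each campaign once rather than every copy. The following is an added example, not code from the original article or from any vendor; the sample messages are constructed, and the `X-Reporter` header standing in for the reporting employee is an assumption (real report buttons usually forward the original as an attachment).

```python
# Added example: cluster employee-reported emails from an "abuse box" into
# campaigns so analysts vet each campaign once instead of each report.
import re
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reported emails standing in for the abuse box contents.
# X-Reporter is an assumed header identifying who clicked "report".
REPORTED = [
    "From: Payroll <hr@example-payroll.test>\nSubject: URGENT: Wire funds by 3 p.m.\n"
    "X-Reporter: alice@agency.test\n\nPlease pay the vendor: http://pay.invoice-portal.test/x?id=1\n",
    "From: Payroll <hr@example-payroll.test>\nSubject: Re: URGENT: Wire funds by 3 p.m.\n"
    "X-Reporter: bob@agency.test\n\nPlease pay the vendor: http://pay.invoice-portal.test/x?id=2\n",
    "From: Cafe <promo@freecoffee.test>\nSubject: Free Coffee\n"
    "X-Reporter: carol@agency.test\n\nClaim here https://freecoffee.test/claim\n",
    "From: Newsletter <news@agency.test>\nSubject: Weekly update\n"
    "X-Reporter: dave@agency.test\n\nNo links, just text.\n",
]

def campaign_key(raw):
    """Fingerprint one report as (sender domain, normalised subject, URL hosts).
    Reply prefixes and per-recipient URL paths/queries are dropped so that
    variants of the same lure collapse into one campaign."""
    msg = message_from_string(raw)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    subject = re.sub(r"^(re|fw|fwd):\s*", "", msg.get("Subject", ""), flags=re.I)
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(msg.get_payload())})
    return (sender_domain, subject.strip().lower(), tuple(hosts)), msg.get("X-Reporter", "")

def triage(reports):
    """Group reports by campaign; returns {campaign_key: [reporters]} largest first,
    so the busiest campaign is what the analyst looks at first."""
    clusters = defaultdict(list)
    for raw in reports:
        key, reporter = campaign_key(raw)
        clusters[key].append(reporter)
    return dict(sorted(clusters.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for (domain, subject, hosts), reporters in triage(REPORTED).items():
        print(f"{len(reporters):>2} report(s)  from={domain}  subject={subject!r}  hosts={hosts}")
```

The reporter list per cluster is also what lets the team acknowledge every employee who reported a campaign once it has been vetted.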

In the months to come, there will likely be more reports like Verizon’s. They’ll deliver more sobering news about phishing and data breaches, both within the business world and the public sector. Phishing will still be a problem, but agency defenses don’t have to be. With education and simple tools, users can make the difference.
