How many of your users, do you think, truly understand phishing? Do you run exercises? Do you track metrics around phishing and training around phishing awareness?
If you answered "unsure" or "no" to any of the above questions, then you are definitely at risk!
First, do your users understand what phishing is? If the answer is "no", then you should start at the ground level and create a comprehensive phishing awareness program as well as add detailed phishing awareness training to your annual computer security awareness training.
Normally, we would have a link for you to click to finish reading this article...but then again, that is phishing, isn't it? Phishing can come in a variety of forms. The actual act of phishing doesn't change, but the different types of phishing are defined by who the targets are. For example, you can phish DNS (called pharming), but for the purposes of this article we are only going to discuss the different types of human phishing, simply because there is a much greater risk that a human will get phished than anything else.
The concept behind phishing is to somehow obtain sensitive information. Generally, phishing involves imitating a legitimate message (email, PDF, document, etc.) that gives the target an opportunity to hand over that sensitive information. There are controls that can prevent the senders of phishing campaigns from delivering a phishing email, and there are controls that can block a suspicious outbound connection to a potential phishing location. But does your organization have those controls? Even if you do, the first line of defense is user awareness.
Human-based phishing generally falls into the following categories.
- General phishing - "General" phishing can be equated to a shotgun blast. You don't have to aim very well, and you will still likely hit your target with some of the pellets. In this case, a company is specifically targeted and a large number of emails are sent to as many people as possible within the company in the hope that someone will provide information. Generally, far more than one person does.
- Spear phishing - Spear phishing is the same as general phishing; however, in this case the targets have been narrowed down to a specific set of people. A spear phishing campaign generally also indicates thorough reconnaissance of the target company to determine exactly whom to spear phish.
- Whaling - Whaling is a subset of spear phishing in which the targets are high-level people within the target company: the "C suite", VPs, EVPs, etc., who have the ability to influence the company in one way or another. An example would be a CEO's account being compromised and then used to email the CFO with instructions to send out a cashier's check for a large sum of money. CEOs generally aren't questioned on their actions, which makes this a very dangerous situation for the company.
- Phone phishing - Phone phishing is the same as electronic phishing (including the types of targets); however, all activity is performed over the phone.
So what makes a phishing email successful? First, the subject needs to be enticing. The person has to want to read the email and click the link. So, what makes an email enticing? That is where research into the company comes in. If the target is an automobile company, then its employees are likely interested in automobile-related subjects (recall notices, for example). Second, it needs to be personal in some way: use of the first name, for example, or content that implies an existing relationship, such as "pictures from the New Year's company party...Bob looks like he had a little too much fun". What company doesn't have a Bob or a John? Third, the phishing campaign needs to be random and sporadic. For example, if 100 phishing emails were sent at the same time and everyone asked "did you just get this email?", then someone is likely to press the "I just got phished" button and alert security. A successful phishing campaign will have those 100 emails spread out over time and sent during periods that make sense. Another successful tactic is to run an obvious phishing campaign simultaneously with a well-planned one, using the obvious campaign to camouflage the well-planned one. After all, who would run two phishing campaigns at the same time against the same place?
Any phishing campaign is going to require advance work by the phishers. They will try to figure out what makes the company tick, what affects the company and its employees, what the employees will likely want to open, what the employees will likely immediately recognize as phishing, and so on. Once they have done this, they will build a phishing strategy, or what they think is the best option, to successfully phish a target.
So you are probably wondering what success looks like in combating phishing, as well as what a successful phish looks like. For the phishing exercises we have done, we find an average phish rate of 10% across all targets. Thus we view generalized phishing as being around 10%. Spear phishing has about a 5% phish rate, depending on who is being targeted. A low-level employee being spear phished is less likely to be compromised than a high-level target. An intern can be phished easily, as can anyone in a role that revolves around customer satisfaction. A brand new employee is less likely to be phished because they would have recently gone through the company's computer security awareness training. Whaling success rates vary with the age of the target. Older targets are more likely to be phished than younger targets, who are more computer savvy. However, phone phishing has a much higher success rate than all other forms of phishing...we view phone phishing rates at around 30%. This includes the target providing large amounts of sensitive or personal information, or even going so far as to run commands on their own workstation. Phone phishing is a little more difficult, as the phisher must convey a specific tone of voice, sound as though English is their first language, and be confident in their answers when questioned by the target. However, we also find that once the target is convinced the phisher can be trusted, more information is released.
What can you do to improve your company? First, do a complete evaluation of your computer security awareness training to ensure phishing is adequately covered. Hire a third party, such as Arrakis, to perform third-party phishing against your company to establish a baseline. Create reportable metrics that clearly show the number of persons trained, the number of user reports related to phishing, and how many actual hostile phishing attempts were made against your company. An additional suggestion would be to read our article about scams.
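As an added illustration of the reportable metrics suggested above (this is example code, not part of the original article or any Arrakis tooling), the script below takes constructed results from two simulated campaigns and computes, per campaign, the click rate, the user report rate, the minutes from the first send to the first user report, and whether the click rate exceeds the rates quoted in this article; treating those quoted rates as thresholds is the example's own assumption.

```python
from datetime import datetime

# Baseline phish rates the article reports (general ~10%, spear ~5%, phone ~30%);
# using them as alerting thresholds is this example's assumption, not the article's.
BASELINE_RATE = {"general": 0.10, "spear": 0.05, "phone": 0.30}

# Constructed results from two simulated campaigns (not real exercise data).
# Fields: campaign, type, user, sent, clicked (or None), reported (or None).
RECORDS = [
    ("Q1-recall", "general", "u01", "2024-01-08T09:00", "2024-01-08T09:04", None),
    ("Q1-recall", "general", "u02", "2024-01-08T09:00", None, "2024-01-08T09:07"),
    ("Q1-recall", "general", "u03", "2024-01-08T09:30", None, None),
    ("Q1-recall", "general", "u04", "2024-01-08T10:15", "2024-01-08T10:20", None),
    ("Q1-recall", "general", "u05", "2024-01-08T11:00", None, "2024-01-08T11:02"),
    ("Q1-exec", "spear", "cfo", "2024-01-09T08:00", None, "2024-01-09T08:10"),
    ("Q1-exec", "spear", "vp1", "2024-01-09T08:00", None, None),
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def campaign_metrics(records, baseline=BASELINE_RATE):
    """Per campaign: targets, click rate, report rate, minutes from the first
    send to the first user report, and whether clicks exceed the baseline."""
    agg = {}
    for campaign, kind, _user, sent, clicked, reported in records:
        c = agg.setdefault(campaign, {"type": kind, "targets": 0, "clicked": 0,
                                      "reported": 0, "first_sent": None,
                                      "first_report": None})
        c["targets"] += 1
        c["clicked"] += bool(clicked)
        c["reported"] += bool(reported)
        sent_at, rep_at = _ts(sent), _ts(reported)
        # Sends may be staggered over hours, so track the earliest one.
        if c["first_sent"] is None or sent_at < c["first_sent"]:
            c["first_sent"] = sent_at
        if rep_at and (c["first_report"] is None or rep_at < c["first_report"]):
            c["first_report"] = rep_at
    out = {}
    for name, c in agg.items():
        click_rate = c["clicked"] / c["targets"]
        ttr = None
        if c["first_report"]:
            ttr = (c["first_report"] - c["first_sent"]).total_seconds() / 60
        out[name] = {"type": c["type"], "targets": c["targets"],
                     "click_rate": round(click_rate, 3),
                     "report_rate": round(c["reported"] / c["targets"], 3),
                     "minutes_to_first_report": ttr,
                     "above_baseline": click_rate > baseline[c["type"]]}
    return out
```

A rising report rate and a falling time-to-first-report between exercises are the signs that awareness training is working, independent of the click rate.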