Phishing

Not All Phishing Programs Are Created Equal

November 19, 2018

In today's corporate world, security awareness training should be a standard piece of general user onboarding and ongoing staff education, and regular testing should be part of that same puzzle. Companies run many different kinds of programs, which means not all phishing programs are created equal.

Phishing should be a staple component of any security awareness program, since phishing attacks account for some of the most notable breaches reported: think of Target, the DNC, and Anthem. According to one report, 76% of organizations say they experienced phishing attacks in 2017. So, if you already have phishing training in your security program, how are you testing your employees to see whether that training is actually working?

Testing Takes Time and Resources

If you have an in-house phishing program, we hope you have a dedicated resource running it. It can, and should, be a full-time job to get accurate data from your tests, data which should then feed back into your training. There are plenty of solutions on the market for running your own phishing program; I will leave that search up to the reader. It should be noted that just because an in-house phishing platform can be cheap and maybe even easy to set up, running it effectively is a whole different story.

Just sending phishing emails to users and counting click rates captures only a small fraction of the data you could be gathering, data that would give you a much clearer idea of your actual vulnerability. Also, sending the same phish to all your users may give you a false sense of security. The same lure that works on accounting may not work on HR or the warehouse. All of these aspects have to be considered to gain an accurate picture of the specific attack surface for your company.

Sophistication and Themes

At SECOM, we run a number of our clients' phishing programs and provide data to help them better adapt their security training to current threats. The concept of varying sophistication levels comes from the book Phishing Dark Waters, which talks about the difference between the classic 419 scams, the ever-increasing BEC scams, and very specific spear-phishing attacks. The sophistication levels are completely different, and the target audience should be different as well. That is a very important point of emphasis.

It is unlikely that warehouse employees will fall for a message from the CEO asking them to wire money to a new client, but accounting might. Likewise, the marketing department may not fall for a DocuSign email, but legal might.

Much like you need to tailor your training to the audience as mentioned in a previous SECOM blog, the testing should be as well. When attackers target your organization, they may start out with a wide net and go after everyone, but most likely they will target specific departments, or even specific users, with custom attacks geared toward convincing that user or group of users to take a very natural and even common action. 

This is where varying the sophistication level of your phishing emails really comes into play. You can get a baseline of your entire user base with a very simple theme and execution to see how many fall for the lure, then increase the difficulty for users who are more security-aware, until all your users are acting according to your (hopefully) published and clear policies on what to do when they encounter fraudulent emails (hint: reporting). It should also be clear to users that, even if they fall for a phishing email, reporting it is required, expected, and will not result in negative ramifications for them. If they feel safe reporting incidents to security staff, your reporting numbers will increase, which will result in faster remediation and better awareness of ongoing attacks.
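The two ideas above, gathering more than click rates (broken down by department) and moving each user up a sophistication level only once they report without clicking, are easy to turn into a small analysis step. The following is an added example, not code from the original post or from SECOM; the result rows are constructed, and the three-level scale and the "advance on report, hold on click" rule are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample results from a hypothetical simulation campaign.
# Columns: user, department, lure sophistication level
# (1 = generic, 2 = themed, 3 = targeted), clicked, reported-to-security.
SAMPLE_RESULTS = [
    ("alice", "accounting", 1, False, True),
    ("bob", "accounting", 1, True, False),
    ("carol", "accounting", 1, True, True),   # clicked, then reported anyway
    ("dave", "warehouse", 1, False, False),   # ignored the lure, never reported
    ("erin", "warehouse", 1, True, False),
    ("frank", "legal", 2, False, True),
    ("grace", "legal", 2, True, True),
    ("heidi", "hr", 1, False, True),
]


def campaign_metrics(results):
    """Aggregate per (department, level): click rate, report rate, and the share
    of clickers who still reported (the "it is safe to report" signal).
    Returns a dict keyed by (department, level)."""
    buckets = defaultdict(lambda: {"sent": 0, "clicked": 0,
                                   "reported": 0, "clicked_and_reported": 0})
    for _user, dept, level, clicked, reported in results:
        b = buckets[(dept, level)]
        b["sent"] += 1
        b["clicked"] += int(clicked)
        b["reported"] += int(reported)
        b["clicked_and_reported"] += int(clicked and reported)

    metrics = {}
    for key, b in buckets.items():
        metrics[key] = {
            "sent": b["sent"],
            "click_rate": b["clicked"] / b["sent"],
            "report_rate": b["reported"] / b["sent"],
            # None when nobody clicked, so the ratio is undefined rather than 0.
            "post_click_report_rate": (b["clicked_and_reported"] / b["clicked"]
                                       if b["clicked"] else None),
        }
    return metrics


def next_level(results, max_level=3):
    """Plan the next campaign per user (assumed rule): a user who reported
    without clicking advances one level, capped at max_level; anyone who
    clicked, or who neither clicked nor reported, repeats the current level."""
    plan = {}
    for user, _dept, level, clicked, reported in results:
        plan[user] = min(level + 1, max_level) if (reported and not clicked) else level
    return plan


def departments_over_threshold(metrics, max_click_rate=0.5):
    """Departments whose click rate at any level exceeds the threshold,
    i.e. where the training (not just the lure) needs attention."""
    return sorted({dept for (dept, _lvl), m in metrics.items()
                   if m["click_rate"] > max_click_rate})


if __name__ == "__main__":
    for key, m in sorted(campaign_metrics(SAMPLE_RESULTS).items()):
        print(key, m)
    print("next levels:", next_level(SAMPLE_RESULTS))
    print("departments over threshold:",
          departments_over_threshold(campaign_metrics(SAMPLE_RESULTS)))
```

The post-click report rate is the number worth watching alongside the click rate: a department where people click but still report is in a very different position from one where people click and stay silent, and only the second case leaves an attack running unnoticed.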

So, understand that not all phishing programs are created equal, but know that with the right amount of effort and attention any phishing program can deliver a return on investment very quickly and help secure your company and its data.

If you'd like more information on how to secure your organization with Social-Engineer's patented Phishing-as-a-Service (PHaaS) program, call 800-956-6065 or email: [email protected].

Sources:
https://www.amazon.com/Phishing-Dark-Waters-Offensive-Defensive/dp/1118958470/ref=sr_1_1?s=books&ie=UTF8&qid=1427900061&sr=1-1&keywords=phishing+dark+waters
http://www.www.social-engineer.com/when-training-does-not-equal-security/
https://www.wombatsecurity.com/state-of-the-phish 

Image: https://totalsecurityadvisor.blr.com/cybersecurity/beware-hurricane-harvey-phishing-scams/
