Over the last year or so, we have undergone a program of training around cyber security. Probably the most prominent component has been around Email phishing. A fair number of us are IT Engineers, and have been doing this stuff for years, like too many years. So, when it was announced that we were doing this training program, there was a collective groan. Like come on! Really? You can’t be serious?
So, we’ve been safely phished for about a year now – some of the Emails are pretty obvious, others are cunning like a weasel and definitely require a second glance. And this is from a training program with zero risk. Real world phishing isn’t as kind, and the consequences can be massive. As of writing, one of our customers has become the victim of a cyber-attack, which I believe originated from a phishing campaign. They have no IT department and rely on third parties to take care of this, so they are, in essence, a non-technical organisation.
So how do you go about training your organisation, including the non-technical amongst us? Let’s be honest, most staff members don’t really care about the organisation they work for. And they probably give even less of a shit about IT, just as long as their stuff works. They may be great at their job, specialists in their field of work, and may take a keen interest in company affairs – but ask them to do awareness training on a subject they have zero interest in, or don’t understand, and it’s going to be hard to get buy-in.
Know your audience
Spend enough time in the IT ecosystem and you’ll hear many examples of IT staff castigating their user base for their lack of technical skills. This sort of approach is going to set you off on the wrong foot from the start. It’s important to start looking at your staff as the people they are: specialists in their fields. They would likely run rings around you in their area of expertise, they just aren’t that adept at technology. This is where you can fill in those gaps and teach them something new.
Drop the deception
Nobody likes to be made to look stupid. A proper anti-phishing program should never be about deception; it’s about giving staff the opportunity to learn and grow. In many cases it will take small steps. Phishing is no different: to a non-technical person it can be extremely technical. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.
It’s not an overnight fix
Phishing training is a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking. Throughout training, your audience is learning new skills and techniques that they may have never used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience as there are no quick fixes, but the pay-off at the end will be worth it.
If you want some more information on what vBridge have been doing around this, get in touch, we do offer a service.
CEO Fraud/Business Email Compromise
CEO fraud/BEC occurs when a cyber criminal sends an Email to a lower-level employee, typically someone who works in finance/accounting, while pretending to be the company’s CEO or another executive, manager, etc. Often the goal of these Emails is to get their victim to transfer funds to a fake account.
Clone Phishing
A clone phishing attack takes advantage of a legitimate message that the victim may have already received and creates a malicious version of it. The attack creates a virtual replica of the legitimate message and sends it from an Email address that looks legitimate. Any links or attachments in the original Email are swapped out for malicious ones.
Domain Spoofing
Domain spoofing occurs when a cyber criminal spoofs an organisation or company’s domain to make their Emails look like they’re coming from the official domain, or makes a fake website look like the real thing by adopting the real site’s design and using a similar URL.
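Two of the signals a mail gateway or SOC rule can check for the CEO fraud and domain spoofing described above are an executive’s display name arriving from an outside domain, and a sender domain that merely looks like the company’s own. The example below is added here and is not vBridge’s code; the company domain, executive name and message headers are all constructed sample values, and the lookalike test (homoglyph substitution plus single-character edit distance) is a deliberately simple heuristic, not a complete product.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed sample values: the organisation's real domain and its known executives.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane smith"}

# Characters attackers commonly swap in to mimic a domain (a small, illustrative set).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalise(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the org domain this domain imitates, or None if it is genuine or unrelated."""
    d = domain.lower()
    if d in ORG_DOMAINS:
        return None
    for org in ORG_DOMAINS:
        if _normalise(d) == _normalise(org) or _edit_distance(d, org) == 1:
            return org
    return None


def flag_message(from_header: str, reply_to: str = "") -> list:
    """Apply the CEO-fraud and domain-spoofing heuristics to the From and Reply-To headers."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in ORG_DOMAINS:
        if name.strip().lower() in EXECUTIVES:
            findings.append(f"display name '{name}' matches an executive but sender domain is {domain}")
        imitated = lookalike_domain(domain)
        if imitated:
            findings.append(f"sender domain {domain} looks like {imitated}")
    if reply_to:
        r_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if r_domain != domain:
            findings.append(f"Reply-To domain {r_domain} differs from sender domain {domain}")
    return findings
```

A finding is a prompt for review, not proof of fraud: genuine mail from a personal address or a supplier can trip these checks, so route hits to a human rather than blocking outright.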
Evil Twin
An evil twin attack is a form of phishing that capitalises on Wi-Fi: essentially a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so the attacker can gather personal or corporate information without the end-user’s knowledge. This type of attack has also been referred to as the Starbucks scam because it often takes place in coffee shops or cafes.
The approach cyber criminals use in these attacks is to send an Email with only a legitimate-looking link in the Email body. There’s often no other content except for the link itself, which may be clickable or a non-active link that requires the recipient to copy and paste the URL into their web browser. This includes sending messages from Email addresses that look legitimate, such as the recipient’s manager or CEO.
Smishing (SMS Phishing)
SMS phishing, or smishing, is a form of phishing that capitalises on the world’s addiction to text messaging and instant communications. Smishing is a way for cyber criminals to lure users into downloading malicious payloads by sending text messages that appear to come from legitimate sources and contain malicious URLs for them to click on.
Spear Phishing
A spear phishing attack is a targeted form of phishing. Unlike general phishing Emails, which use spam-like tactics to blast thousands of people in massive Email campaigns, spear phishing Emails target specific individuals within an organisation. They use social engineering tactics to tailor and personalise the Emails to their intended victims. They may use Email subject lines on topics of interest to the recipients to trick them into opening the message and clicking on links or attachments. The goal is often to steal data or to install malware onto the recipient’s computer to gain access to their network and accounts.
Vishing (Voice Phishing)
A vishing attack occurs when cyber criminals call your phone to try to get you to provide personal or financial information. They often use automated calls that re-route individuals who fall for their tactics and end up speaking with the criminals themselves. These attackers frequently use a variety of social engineering tactics to trick you into providing information. This might include pretending to be someone else, the IRD, your bank etc. They’ll claim that you owe money, or that your credit card has suspicious activity and needs to be shut down … but they just need to “verify” your personal information before they can close the card and reissue a new one.
Whaling
Whaling, a form of spear phishing, is essentially the inverse of CEO fraud. Instead of targeting lower-level individuals within an organisation, the cyber criminal targets high-level executives such as CEOs, CFOs and COOs. The goal is to trick the executive into revealing sensitive information and corporate data. These targets are carefully selected because of their access and authority within an organisation. These attacks often use Email and website spoofing.