No matter how secure your network, applications, and endpoints, the human element can be exploited. One of the most common social engineering techniques employed in cyber attacks is email phishing. Phishing is easy to execute thanks to the variety of user-friendly tools bad actors buy and trade on the Darkweb. Where traditional security awareness training falls short, organizations are experiencing reduced exposure to these attacks through simulated phishing programs that send mock attacks to users.
A variety of free and low cost tools can be used to send mock phishing emails to users. They work by sending batches of phishing emails to employees, with the ability to track which employees interact with the email. Some tools include an educational component that directs users to a page explaining they just clicked on a phishing email. This real-time training has been shown to double the retention rate of security concepts compared with classroom-based security awareness training.
Why Phishing Has Become the Tactic of Choice
Phishing dates back to the early days of computing. The first automated phishing attempts were reportedly made in the mid-1990s, when a group of “rebellious teenagers” created a program called AOHell in order to steal AOL customers’ passwords and later credit cards. The first attacks on financial institutions followed in 2001, and three years later phishing became a bona fide specialization.
Since then, phishing attacks have increased in sophistication. Today, these attacks impact all organizations no matter their size, preparedness, or cybersecurity posture. Phishing is effective because it doesn’t rely on technology vulnerabilities but rather on the lack of security awareness of targeted employees.
Operating a phishing campaign is relatively easy because attackers can buy phishing kits on the black market for as little as $2-$10. These kits are easily customizable and don’t require deep technical skills to use. The underground economy works very much like a legitimate one, with sellers even offering guarantees and customer service.
Email is the main delivery vehicle for phishing attacks, along with malware campaigns such as ransomware attacks. Bad actors are using increasingly complex psychology techniques to send credible emails, getting even the most trained and sophisticated users to click on links and attachments.
Symantec found that a certain type of phishing campaigns targeting employees grew 55% in 2015. The click-through rate for malicious messages is as high as 20 percent. By comparison, the click-through rates for direct email marketing average 2-4 percent. Attackers use a variety of techniques to get users to click on emails.
One growing trend is “soft targeting” — targeting users who have specific roles within an organization and tailoring the email content to those roles. For example, human resource managers would receive emails with malicious files masquerading as resumes while accounting employees would receive “invoices” and “statements.”
In a more targeted type of attack known as spear phishing, bad actors use social media and social engineering to learn about their potential targets in order to send personalized and convincing emails. The click-rate for spear phishing is even higher: 50 percent (with an open rate of 70 percent). Frequently, the goal is to harvest user credentials or gain access to other areas of the organization or network.
Another variation, called a whaling attack, is being used to perpetrate what’s known as CEO fraud or business email compromise (BEC). Most commonly, the purpose of these highly targeted attacks is to extract money via wire transfers, but they have also been used to gain access to sensitive data, such as payroll information, as well as for ransomware attacks.
According to the FBI, the number of identified BEC victims has increased by 1,300 percent between January 2015 and June 2016. Wire transfers have been sent to 79 countries (largely in Asia) and the total number of losses is estimated to exceed $3 billion.
Training Employees as First Line of Defense
The larger the company, the greater the risk of a successful phishing attack because it only takes one user to click on a malicious attachment or link. Traditional security awareness training programs often fall short because classroom concepts are not well retained by employees in their day-to-day job.
The Anthem breach, which affected about 80 million individuals, is an example. Attackers set up several fake websites using a typographical variation of a legitimate domain, and sent phishing emails luring employees to enter their login credentials on sites that spoofed real services. A similar tactic was used to attack Premera Blue Cross.
In the case of Target, phishing emails were sent to a vendor, stealing an employee’s login credentials. Using the stolen user name and password, attackers accessed Target’s network through a vendor portal and then infiltrated the point-of-sale systems. The financial losses to the company from the breach totaled $162 million.
Technology can provide limited defense against phishing. Organizations, however, can train their employees to serve as the first line of defense by detecting advanced phishing techniques. Security experts are finding that it is more effective to show employees what a phishing email looks like, rather than tell them in a training session. The best way to show employees is by sending them what looks like a phishing email.
The Department of Homeland Security is a success story. The Chief Information Security Officer (CISO) himself sends out phishing attempts to test senior-level staff. Those who fall for it are required to go through online security training. In the future, he wants to make the employee’s susceptibility to phishing part of their performance evaluation.
Training, too, has its pitfalls — if not properly executed, it can backfire, as some cases have shown.
The U.S. Army’s attempts to test employees, on the other hand, ended in major failure. An official sent a phishing email to a small group of staff, warning them that their retirement accounts were breached and asking them to follow a link to reset their passwords. Employees forwarded the warning to thousands of colleagues and staff in other departments, including the FBI and Labor Department.
Top Phishing Test Tools and Simulators
Simulated phishing attacks can be an effective training tool. Many of these phishing tools include a user awareness/training module. Free resources include simple tools with limited features (typically less suitable for larger organizations), open-source platforms, as well as community (free) versions or demos of commercial versions. Here’s an overview of the top phishing simulation tools:
SecurityIQ PhishSim: Developed by InfoSec Institute, this Software-as-a-Service platform is available for free (with some limited features). It includes phishing campaign scheduling options and reports as well as an interactive education module.
LUCY: A social engineering platform that simulates phishing attacks with various scenarios and templates. It can be installed as a virtual appliance or with a script. The community version is free and paid versions are available with additional features.
MSI Simple Phish: Free tool from MicroSolved Inc. for security teams to run their own phishing tests. The software can be installed on a Windows server or workstation. The solution can host webpages and captures form fills (with partial passwords).
King Phisher: Free tool from SecureState for simulating social-engineering campaigns using Linux. It includes options for embedding images in emails, cloning and hosting webpages, and credentials harvesting to show which users filled in forms.
Gophish: An open-source, easy-to-install phishing framework that includes detailed reports but there’s no user education component.
Duo Insight: Free tool by Duo Security that can deploy a phishing campaign in minutes to assess which users are susceptible to phishing attacks. The tool is 100% cloud-based and does not require installing any software.
Metaslpoit: A penetration testing tool from Rapid7 that has a phishing awareness management component, including user training and simulation. A free community edition for small businesses has limited features; the Pro version offers a fully functional 14-day trial.