Why Phishing?
Hackers have been phishing for information since the late 90’s, and the number of attacks has increased, for good reason: phishing attacks work! Since the dawn of time, humans have been the cause and effect of all things good and bad. They are, in terms of security, the weakest link in the security chain. Hackers know this and that is why around 90% of cyber-attacks begin with a phishing attack.
There are many reasons for this. It’s likely that the biggest reason is that phishing represents the most hacking opportunities. For example, if a hacker uses a phishing attack to send out a ransomware attack, they know they can reach multiple potential victims by sending the same email. The odds of someone taking the bait are high, and there are more “chances” someone will click on a link or submit sensitive data.
Why not Hack?
In contrast, if a hacker chooses to hack a network or server, their odds of success are limited by the numbers of “opportunities” they can leverage, meaning devices, hardware, software etc. They are also limited by the skill set required to “hack” a particular technology. Simply put, it makes more sense to use a phishing email than to try and hack an infrastructure. This is why we see so many phishing attacks, in growing numbers!
More attacks to Come
That’s the bad news, but even worse - it’s not slowing down anytime soon. With certain parts of the world at war, many talented IT practitioners are now out of work, making the dark net and the questionable career paths it offers all the more attractive.
Artificial Intelligence has also solved a particular challenge that many hackers face, the challenge to write a convincing email in proper English with correct grammar and punctuation. AI can even help compose a convincing email that will ensure it reaches its mark.
What are the Options?
So what do we do now? How do we keep up with the increase in phishing attacks? Is this a problem that can be solved by technology, policy, training or other? To put it bluntly, NO. Phishing attacks cannot be stopped completely. We have yet to encounter a technology that is capable of catching them all! Maybe something will be developed in the future, but that is not our reality today. That’s the bad news. The good news is that YOU can reduce the probability of an attack by conducting training specifically developed to help identify phishing attacks, AND you can conduct “managed” phishing simulations on your staff to identify the serial culprits that continuously open emails with little regard, concern, or training for phishing attacks.
Think like a Hacker
So, what type of phishing simulation should you use? What is the most effective technique you can employ to ensure that your users are being tested in a way that will benefit them and protect your company at the same time? These are great questions.
The answer is to use the same technique a skilled hacker does. A determined hacker will spend days and weeks conducting “research” on your company. They will learn what suppliers or vendors you work with, what software or hardware applications your company may be using. They may learn about your customers’ names and in many cases, the individuals that work at those companies. They may know what charities your company donates to, or even what events your HR division is planning. They will learn what your company’s org chart looks like, and who answers to who.
Why do they do this? So that they can craft that one silver bullet email that is as convincing as it possibly can be. It will be an email that looks like it belongs in your inbox, and it will beg to be opened. It will be beautifully written with good grammar and punctuation, it will contain the right images, representing a known customer, vendor, or supplier. The message will be as convincing as you could imagine. It will get the hook planted. All it takes is one person to commit an action that could trigger a cyber attack that is not easy to recover from.
How NOT to Phish
Now you know how a hacker prepares for a successful attack, and what you need to do to prevent it, but where do you find such as service? I’ll first start by telling you it is NOT a phishing application that you purchase a subscription to. We like to refer to them as applications in the sky. The ones that so many put faith in to try and create, manage, and monitor their own phishing campaign against their own organization. These applications in the sky cannot replicate the effort that a hacker would put into a phishing attack. Not even close.
Hackers don’t use these applications to phish. They are ineffective, costly and are like scoring your own report card or like a student writing his own exam questions. But wait! Your campaigns are effective you say… you have low click rates, low opens and zero data submissions. I am here to report that those low click rates can mean that the phishing email looked so obvious that it was noticeable from across the street. No one would fall for an email like that these days. Possibly the low click rates only mean that the quality of the phishing emails produced by the application is poor and no one is touching it. It could also mean that you’ve decided to conduct an overt campaign and everyone knows what’s coming. Kind of like a thief that rings the doorbell before breaking in… you are on high alert and the metrics you garner will not be accurate or a true test of the user’s awareness.
A Shameless Plug
If you read my posts, then you will know I usually finish with a shameless plug. This is one of those posts. For over 24 years we have been providing security services to customers across the globe, customers of all sizes and industries. One of those services is our “managed” phishing simulation service called SecuPhish. It is a significant part of our business and is a staple of front line, effective security offerings we provide.
Each and every one of the campaigns we conduct are unique. Each email, each landing page that supports the email is custom coded from the ground up after our master phisher learns all he needs to know about your company and exactly what approach he will use to garner the best results.
The email and landing page will look as authentic as the original company, vendor, supplier, partner or charity it appears to be coming from. The campaign is developed and managed by one of our certified “good guy” hackers and is also monitored throughout all the campaigns. Custom reports are generated and sent to the point of contact, exactly how you want them and when you want them. There is no need for the customer to manage any application, there are virtually no resources required, only an initial meeting prior to the launch of the first campaign where we will be discussing strategies we suggest.
Sounds Expensive…
Sounds expensive you say… Well, let’s just say that in most cases we are less expensive than the “phishing application in the sky” vendor south of our border is. We don’t name bash, we let our superior service and results speak for itself. If you’re using an “application in the sky” and your campaigns are getting picked off, that is literally wasting money, resources, and time. Let us show you how it should be done.
If your curious about our managed phishing and want a quote for your company, drop me a line at [email protected].