Big game phishing

Noel Hannan, Infosec Consultancy Manager, Capita IT Professional Services, gives his advice on how organisations and professionals alike can avoid becoming victims of phishing.

TEST Focus Groups

Anyone who relies on email for professional communication will have had experience of phishing. We may think that, with our knowledge of testing and tech, we are far too savvy to be fooled by a phishing email, but these types of messages still get through.

Why? Because of the way we use information to do business. Even the most up‑to‑date technical controls won’t stop well‑crafted phishing emails, because they are indistinguishable from normal emails. While software can successfully block spam, organisations still allow users to open attachments and send hyperlinks in emails, because SharePoint, Dropbox and similar services are commonly used methods of sharing information. All the variables that allow phishing to continue are inherent in how we use email. But even if we cannot technically stop phishing, we can educate people to look out for it by providing security awareness training for individual users within organisations.

Staging phishing exercises

Capita can stage a phishing exercise in which we work with an organisation to craft emails that specifically target sections of the business where there may be a weakness or that could be considered valuable targets. For example, if a phishing attack compromised the MD or CEO’s email, or that of a system administrator, the consequences could be catastrophic.

Any phishing attack is all about trust models. What sort of messages do we inherently trust, and how could they be used to fool us? All of us receive enormous amounts of messaging on a daily basis. When you stop to consider your daily professional email traffic, Skype, voicemails, personal emails and LinkedIn updates – plus of course social media updates from Facebook, Twitter, WhatsApp, Facebook Messenger, etc. – you may receive 300 to 400 messages in some form every day. You may feel confident that you know what’s important; however, as the amount of information you receive increases, it becomes harder to sort the important from the unimportant. The time you are able to spend looking at each message and deciding whether to open it, action it or ignore it reduces to maybe only a few seconds. And at traditionally busy times of the year (the first Monday back at work after Christmas and New Year, for example), when you’re keen to clear your inbox, you may not be able to give effective consideration to all your emails.

Where can phishing occur?

Now think about doing the same thing on your phone, in a crowded train or waiting at the bus stop on the way to work. Phishing is even easier on phones because we’re used to seeing non‑graphics‑based emails on a phone – there are fewer protective measures on a phone, too. If you use your phone or tablet to manage multiple email accounts into a single inbox, how easy is it to analyse each message? People fall for phishing attacks because not only do phones and tablets not operate effective filtering, but our brains can’t always filter the level of information presented to us.

Smishing – phishing by SMS – is perhaps even more dangerous. A text may arrive purporting to tell you that your parcel is on its way and asking when you’ll be home to collect it, but what if that message was in fact from a potential burglar weighing up when you’ll be out?

LinkedIn is a massive resource for phishers and hackers as it can give attackers knowledge of what lies beyond a company firewall. For example, a hacker might want to identify a company’s back office personnel system. By analysing LinkedIn profiles for that company’s employees, the hacker could easily discover whether personnel have SAP or Oracle experience, and could then identify the system used.

Arguably, phishing isn’t going to disappear until we end our dependence on email as a primary mode of communication. This could be a generational thing – younger generations rely on instant messaging, which may take the place of professional emails in the future. But we need to deal with phishing here and now, and that means educating people.

How to avoid becoming a victim

Capita has found that one of the most effective methods of security awareness training is to conduct a phishing exercise which then produces a metric demonstrating its effectiveness. We staged an exercise in a public sector agency in which we sent users a fake discount shopping email, which arrived on the first Monday back at work after Christmas. Several staffers clicked through the link we sent, giving us vital information about how to further educate users about vigilance regarding phishing.

This personal vigilance comes from security awareness, which in turn comes from security education. A phishing exercise can highlight areas of weakness and a security awareness programme can run in tandem with this. For example, an organisation could run a security awareness course, then tell staff that phishing exercises will be taking place throughout the year and that their department/sector will be scored according to response. An alternative approach could divert any users who actioned a deliberately planted phishing email to a mandatory security awareness test, although of course this could have a negative impact in a busy operational environment. Whichever approach an organisation takes, Capita will offer support through security awareness training to prevent further susceptibility.
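One way to turn the exercise described above into the departmental score and the list of users to divert to a mandatory awareness test. This is an added example, not Capita's tooling; the event log, user names and departments are constructed, and real campaigns would export similar events from the sending platform.

```python
"""Score a simulated phishing exercise by department (added example, not Capita's code)."""
from collections import defaultdict

# Constructed event log: (user, department, event).
# Events are "sent" (email delivered), "clicked" (planted link followed),
# and "reported" (user flagged the email to security).
EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "clicked"),
    ("bob", "finance", "sent"), ("bob", "finance", "reported"),
    ("carol", "finance", "sent"),
    ("dave", "it", "sent"), ("dave", "it", "reported"),
    ("erin", "it", "sent"),
    ("frank", "hr", "sent"), ("frank", "hr", "clicked"),
    ("grace", "hr", "sent"), ("grace", "hr", "clicked"), ("grace", "hr", "reported"),
]


def score_departments(events):
    """Return {dept: {"sent": n, "click_rate": x, "report_rate": y}}.

    Each user counts once per category, so repeated clicks or reports do not
    inflate the department's rate.
    """
    per_dept = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for user, dept, event in events:
        per_dept[dept][event].add(user)
    scores = {}
    for dept, sets in per_dept.items():
        sent = len(sets["sent"])
        scores[dept] = {
            "sent": sent,
            "click_rate": len(sets["clicked"]) / sent if sent else 0.0,
            "report_rate": len(sets["reported"]) / sent if sent else 0.0,
        }
    return scores


def users_for_mandatory_test(events):
    """Users who actioned the planted email, i.e. followed the link, sorted for review."""
    return sorted({user for user, _, event in events if event == "clicked"})


def rank_departments(scores):
    """Least vigilant first: highest click rate, ties broken by lowest report rate."""
    return sorted(scores, key=lambda d: (-scores[d]["click_rate"], scores[d]["report_rate"]))


if __name__ == "__main__":
    scores = score_departments(EVENTS)
    for dept in rank_departments(scores):
        s = scores[dept]
        print(f"{dept:8} sent={s['sent']} click={s['click_rate']:.0%} report={s['report_rate']:.0%}")
    print("mandatory awareness test:", ", ".join(users_for_mandatory_test(EVENTS)))
```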

Our key message is that we don’t want people to be frightened of doing their jobs effectively. Remember, only a tiny proportion of emails are malicious. Your inbox is not a minefield – even though in reality organisations are under consistent attack, the vast majority of emails you receive every day are legitimate.