In the 2019 Verizon Data Breach Investigations Report, there is a pair of statistics that caught my eye. Phishing was the fifth most reported type of security incident, trailing behind Denial of Service (DoS), Lost or Misplaced Assets, Command and Control (C2) Malware, and Misdelivery. However, when we look at successful tactics used in known data breaches, Phishing tops the list. It raises the question: How does phishing claim so many victims?
As a type of social engineering, phishing in all its various forms (Spear Phishing, Whaling, Vishing, SMiShing, Business Email Compromise (BEC), Vendor Email Compromise (VEC), Search Engine Phishing, Social Media Phishing, Lateral Phishing, Brand Jacking and Impersonation) is psychologically manipulative. It exploits the weakest link in the security of an organization – people – by taking advantage of common human traits, such as fear, compassion, and loyalty. Phishing is insidious because it does not need to defeat the physical, software, network or detection barriers put in place to protect an organization: the victim, who is already authorized to pass those barriers, takes the action on the attacker's behalf. When looking to combat phishing, it is best to approach it as an issue of psychological warfare.
What is it about phishing that makes it such a reliable means of attack?
- There are many types of phishing scams: Phishing includes not only those messages that come via email, but also through phone, text, and web sites. It is not unusual for people to be targeted via multiple means, especially if they hold access to desired information.
- Phishing is growing more sophisticated: Over the last two years, we have seen a surge in far more sophisticated, multi-step phishing scams. Gone are the days of being leery only of foreign princes wanting to share their wealth. People are now being scammed by professional con artists, often operating from overseas, who take full advantage of technology to build a profile of a victim in order to improve the attack's odds of success.
- Phishing plays on people’s fears: Phishing scams have a component of urgency. Whether it is money your CFO must wire ASAP to save a big deal, or a friend or colleague in need of immediate funds, these tactics are built to play on fear. Some newer scams are even adding a sense of FOMO (fear of missing out) to encourage a victim to act quickly without much thought.
- Successful phishing attacks find people at their moments of weakness: In the fast-paced world of many organizations, there are a number of things which can cause a moment of weakness in a victim. Multitasking, working when not feeling well, tight deadlines, or wanting to curry favor with a higher up can lead people to act irrationally. This is one of the reasons that scammers will target people who have announced an impending departure from an organization, knowing they may be more lax as their time winds down. Unfortunately, a moment of weakness can cost an organization a great deal of money and goodwill.
- Fear or lack of knowledge of technology: If you are not highly technical, all the ins and outs of securing a workplace can be overwhelming. Many people believe that their company's IT department has it all under control. They rely on the perceived safety of the systems to catch phishing threats before they land in their inboxes. They may also fail to perceive the impact that their actions can have on breaking down a secure infrastructure when they fail to follow process and protocol.
- People like to be nice/liked: This is a weakness on which an attacker can bank. For example, we are taught it is polite to hold the door for someone coming in behind us. However, if the door you are holding is to a secure area, all the alarms and triggers are for naught. If someone emails or calls you and asks for help or information, you want to provide that information to make their job easier. Organizations need to ensure that they do not undermine their own security with a customer service approach that disregards or overrides security boundaries that limit what or how information is shared.
- Employees may lack knowledge of proper processes and protocols, or those processes may not exist: People do not know they are doing wrong if they have not been told it is wrong. A lack of proper knowledge, or of security processes and protocols in the first place, is a weakness of the organization, not the individual. You cannot hold people accountable to something that is not documented, taught, and consistently enforced.
How can an organization best combat these human issues that lead to successful phishing attacks?
- Make no assumptions about employees' skills: It is safest to assume that a person does not know the full cybersecurity landscape, no matter how long they have been at your company or in their current role. Technology moves quickly, so you cannot assume that people have all the knowledge they need to be safe. Continuous training and reinforcement are crucial.
- Expose employees to varied phishing simulations, tests, and scenarios: I have lost count of the number of executives who brag about their staff and their security awareness, only to be contradicted by the results of a phishing simulation exercise. Security awareness is not a steady state that can be assumed to hold over time. You can never let down your guard and you can never stop training or testing.
- Do not rely on technology to save you: Just as your employees should not think your company's IT has it all on lockdown, nor should you. The latest and greatest SIEM, anti-virus, IDS/IPS, application firewall, or any other of the myriad security options you may have in place to protect your assets is not going to stop an employee from doing something they should not. Those controls sit between the attacker and your systems; a phished employee who wires funds or types their credentials into the attacker's site is acting with their own legitimate access, which is exactly what the controls are built to allow. Email filtering and multi-factor authentication reduce how often that happens, but they do not remove the human decision from the chain.
- Document your processes and procedures and train your employees on them regularly: Your nice 200-page Information Security Plan is no help if your employees have never seen it. Make sure that you outline for your staff your expectations about what they should and should not do when it comes to cybersecurity. Also be sure to give your staff access to the Plan so that it can be referenced easily if they have questions or need guidance.
- Create a safe culture to admit mistakes with proper reporting: As we noted in a recent blog post, Five Strategies for Cultivating a Cybersecurity Culture, “Encourage employees to report innocent mistakes. An inadvertent click in a suspicious email should be reported without fear of censure. Treat unintentional, occasional errors as learning opportunities, but give no second chances for intentional violations. When there are no second chances for intentional violations or dishonesty, workers are less likely to take shortcuts and more likely to report errors right away. Ensure your company has a simple reporting mechanism that is quickly and easily accessible by all employees, and that performance policies explicitly support integrity in relation to cyber security.”
Once you have a strong Security Awareness Program in place which includes phishing simulation, you will be left with one group on which to put the most focus – your worst offenders. Also known as "serial clickers," these are the employees who fall for a phish almost every time. As one colleague put it recently, these employees "have never seen a link they did not like." They fall for your least sophisticated phishing simulations, the ones that should be perceived as blatantly obvious. They are a source of frustration in every organization, and every organization has at least one. What can be done about this group? Serial clickers must be dealt with individually as a performance-based issue.
- Managers and leadership should call out specific issues with insecure behaviors on Annual Performance Reviews, including expectations and consequences for continued poor cybersecurity behavior.
- Be sure to align other “red flag” behaviors, such as lack of attention to detail, refusal to follow established processes, etc., with insecure cyber activities and include remediation plans for these on the employee’s Annual Review.
- Your least secure employees are a serious issue, so prescribe an escalation path for ongoing insecure practices. Removing access to systems which hold sensitive or confidential data should be the penultimate step. If the escalation path reaches this point, preparations should be made for removal of the employee.
- Establish monthly individual check-ins with these employees to review progress.
- Call attention to positive cybersecurity behaviors.
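Singling out this group in a defensible way means scoring simulation results per employee across campaigns, not reacting to a single click. The script below is an added example (not code from the original post, and not the output of any particular simulation platform): it aggregates a constructed CSV export of campaign results, flags employees who failed most campaigns including at least one "blatantly obvious" lure, and separately lists those who consistently report, so the positive behaviors in the last bullet can be recognized from the same data. The column names, the 1..3 difficulty scale, and the thresholds are assumptions for illustration.

```python
"""Identify "serial clickers" and consistent reporters from phishing-simulation results.

Added example, not code from the original post. The CSV layout, the 1..3
difficulty scale and the thresholds are assumptions chosen for illustration;
map them onto whatever your simulation platform actually exports.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (campaign, user, action).
# difficulty: 1 = blatantly obvious lure, 3 = well-crafted spear phish.
SAMPLE_CSV = """campaign,difficulty,user,action
2024-01,1,alice,reported
2024-01,1,bob,clicked
2024-01,1,carol,ignored
2024-01,1,dave,clicked
2024-02,2,alice,reported
2024-02,2,bob,clicked
2024-02,2,bob,reported
2024-02,2,carol,clicked
2024-02,2,dave,submitted
2024-03,1,alice,ignored
2024-03,1,bob,clicked
2024-03,1,carol,reported
2024-03,1,dave,clicked
2024-04,3,alice,reported
2024-04,3,bob,submitted
2024-04,3,carol,clicked
2024-04,3,dave,clicked
"""

CLICK_ACTIONS = {"clicked", "submitted"}
VALID_ACTIONS = CLICK_ACTIONS | {"reported", "ignored"}


def load_events(text):
    """Collapse per-action rows into one record per (user, campaign).
    Click and report are tracked independently: a click followed by a
    report is the behaviour the post asks you to encourage, so it must
    not be overwritten by a "worst outcome wins" rule."""
    per_pair = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"] not in VALID_ACTIONS:
            raise ValueError(f"unknown action {row['action']!r}")
        key = (row["user"], row["campaign"])
        rec = per_pair.setdefault(key, {"difficulty": int(row["difficulty"]),
                                        "clicked": False, "submitted": False,
                                        "reported": False})
        if row["action"] in CLICK_ACTIONS:
            rec["clicked"] = True
        if row["action"] == "submitted":
            rec["submitted"] = True
        if row["action"] == "reported":
            rec["reported"] = True
    return per_pair


def user_stats(per_pair):
    """Per-user counters over all campaigns the user was included in."""
    stats = defaultdict(lambda: {"campaigns": 0, "clicks": 0, "easy_clicks": 0,
                                 "submitted": 0, "reported": 0,
                                 "clicked_then_reported": 0})
    for (user, _campaign), rec in per_pair.items():
        s = stats[user]
        s["campaigns"] += 1
        if rec["clicked"]:
            s["clicks"] += 1
            if rec["difficulty"] == 1:
                s["easy_clicks"] += 1
            if rec["reported"]:
                s["clicked_then_reported"] += 1
        s["submitted"] += int(rec["submitted"])
        s["reported"] += int(rec["reported"])
    return dict(stats)


def serial_clickers(stats, min_campaigns=4, min_click_rate=0.75):
    """Users who fell for at least min_click_rate of their campaigns, including
    at least one difficulty-1 lure, over enough campaigns to mean something.
    A single click on a hard spear-phish does not qualify."""
    out = []
    for user, s in stats.items():
        if s["campaigns"] < min_campaigns:
            continue
        rate = s["clicks"] / s["campaigns"]
        if rate >= min_click_rate and s["easy_clicks"] >= 1:
            out.append((user, rate, s["easy_clicks"], s["submitted"]))
    # Worst first: click rate, then credential submissions, then name.
    return sorted(out, key=lambda t: (-t[1], -t[3], t[0]))


def consistent_reporters(stats, min_campaigns=4, min_report_rate=0.5):
    """Users worth calling out positively: they report most lures and never click."""
    return sorted(u for u, s in stats.items()
                  if s["campaigns"] >= min_campaigns
                  and s["reported"] / s["campaigns"] >= min_report_rate
                  and s["clicks"] == 0)


if __name__ == "__main__":
    stats = user_stats(load_events(SAMPLE_CSV))
    for user, rate, easy, submitted in serial_clickers(stats):
        print(f"serial clicker: {user} click rate {rate:.0%}, "
              f"easy-lure clicks {easy}, credential submissions {submitted}")
    print("consistent reporters:", ", ".join(consistent_reporters(stats)))
```

The minimum-campaign threshold is deliberate: the escalation path above should be triggered by a pattern, and a user who has only seen one or two simulations does not yet have one. The `clicked_then_reported` counter is kept so a manager can distinguish an employee who clicks and says nothing from one who clicks and immediately reports, which the reporting culture bullet treats very differently.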
Simply stated, Phishing keeps being used in all its various iterations because it works. As a form of social engineering, it is one of the most effective means of gaining access to organizations’ data and financial assets. Combating the psychological manipulation of Phishing attacks requires a shared cybersecurity mindset across the organization.