How to Protect Against Phishing Attacks
Adam Gleeson, Cyber Security Vendor Alliance Manager, discusses the threat businesses face from phishing and offers advice on how engagement & training can help protect against this threat.
- What is phishing and why should we take it seriously?
- How do we enable our people to spot and avoid phishing threats?
- How do businesses gain confidence in their users’ ability to spot phishing?
- Our recommendations and guidance
What’s phishing all about and why do we need to take it seriously?
Phishing attacks are the single biggest cyber threat that all businesses face today, and the problem is getting worse. Phishing is a type of social engineering attack in which an attacker sends a fraudulent email to a victim with the aim of triggering a response, such as revealing sensitive information, triggering a malicious payload such as ransomware, or even voluntarily transferring funds to the attacker’s account.
Phishing attacks almost always act as a precursor to a more significant cyber-attack or incident. Research from the start of 2022 indicated that at least 75% of cyber incidents start with a malicious link in an email being clicked, and that the number of network breaches is increasing by 50% year on year. It depends on where you look for statistics; I have seen figures as high as 96% of cyber attacks starting with phishing. Regardless, it’s a big problem.
The flames of the phishing problem are being fanned by many businesses not having the IT know-how in-house to ensure they are adequately protected, mostly because of not really understanding the scale of the problem they face. The other sessions we are running will cover the other elements, but for now let us focus on our users.
Why is phishing so dangerous?
It is estimated that 60% of SMBs that suffer a significant cyber-attack face considerable difficulty in operating for 6 months beyond the attack, and many are unable to survive in the long term as a direct result. This can bleed through into larger organisations, and some undoubtedly will have suffered severely following a cyber-attack, but the statistics aren’t as clear.
The users within an organisation can be the weakest link or one of the strongest first lines of defence. Given that the complexity and apparent credibility of phishing email campaigns is ever-increasing, users who can spot the “I am an African prince…” type of scam email may still be duped by ones that look (at least on the surface) to have been sent from Microsoft or other familiar suppliers.
In summary, the phishing threat is undeniably getting worse, there is no guaranteed shortcut to mitigating it, and the potential risk businesses face is severe and needs to be understood.
How do we enable users to spot and avoid phishing threats?
One of the best countermeasures to the growing threat of social engineering attacks is regular and effective user education. Alongside this, implement realistic simulated email threats to test the efficacy of the training.
Online ‘security’ training is not new, but the traditional sit-and-be-talked-at approach doesn’t work for everyone. Instead, take a more flexible approach to training that caters for the fact that people learn in different ways. Consider implementing these methods in your training sessions:
- Bite-sized training – Instead of making everyone sit through hours of training in one go, break it down into smaller sessions; we recommend 10-15 minute sessions. This can make it more engaging and increase how much your people actually take in.
- Gamify the training – Knowledge checks along the way, rather than a massive quiz at the end, keep things fresh. Awarding points and offering certificates and prizes can be a great way to keep your people motivated and engaged.
How do businesses gain confidence in their users’ ability to spot phishing today?
In most cases, quite ineffectively. Many organisations now run simulated phishing campaigns internally on an infrequent basis: they send ‘fake’ phishing emails to their users and monitor who clicks the links.
Whilst doing something is better than doing nothing, this approach doesn’t really provide the business with much confidence and the remediation action is typically for the user to go and watch that 60-minute video again. But this often isn’t very effective. I have seen multiple instances where repeat offenders have watched the training 3 times and still click the links in the emails!
Then there is the fact that users talk to each other: when it is known that a specific phishing email is going around, word spreads, people go “shields up” and stop clicking the link. But they only recognise the email as phishing because someone told them it was, rather than identifying it as phishing themselves. Once the campaign has finished, everyone relaxes again, and that campaign hasn’t achieved much besides perhaps providing a false sense of security to the business.
So, by taking this approach, the business isn’t gaining confidence in its users’ ability to defend against phishing, users often are not actually learning how to spot phishing attempts, and, going back to how convincing and legitimate some phishing emails now seem, users are not getting into the mindset that potentially anything could be a phishing attack and that constant vigilance and awareness of what they click is required.
So, what’s the answer?
There are many ‘phishing simulation’ bolt-ons available for anti-malware or other products, often at a low price that gives businesses the sense they are doing something about phishing. In reality, these often fall foul of the issues described above: a lack of variety in the emails means people learn from others’ mistakes and avoid ‘that’ email, users are typically not educated beyond being told ‘shame on you, you clicked the phishing email’, and in many cases vigilance is not maintained.
That is not to say this approach isn’t acceptable if managed properly, but it’s not a case of just sending a phishing email out and seeing who clicks. Instead, there are now solutions available that are dedicated to combatting the phishing threat whilst also offering other training content that all businesses legally need to provide (manual handling, fire awareness, etc.).
Combining training and phishing tests
These new solutions couple the records of who has completed which training with the results of the phishing campaigns, providing real insight into the readiness of the business’s users to combat phishing. In doing so, they give the business genuine and granular visibility of, and by association confidence in, how well their users stand up to the phishing threat.
With this combination, businesses can gain confidence in their users and understand the strength of their defence against phishing.
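As an added illustration of the “couple training records with campaign results” idea (example code written for this page, not the article’s own or any product’s), the script below joins two constructed data sets, training completions and simulated-phishing outcomes, and derives the readiness signals the text describes: per-user click and report rates, repeat clickers, users who clicked despite having completed training, and clickers who were never trained at all. The record layout and field names are assumptions about what a training/simulation platform might export.

```python
"""Join training-completion records with simulated-phishing results to
produce a per-user and organisation-level readiness view.

Added example for this page; not code from the article or any product it
describes. All records below are constructed sample data, and the field
names (user, module, completed_on, campaign, sent_on, clicked, reported)
are assumptions about what such a platform would export."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TrainingRecord:
    user: str
    module: str
    completed_on: date


@dataclass(frozen=True)
class PhishResult:
    user: str
    campaign: str
    sent_on: date
    clicked: bool    # user followed the simulated link
    reported: bool   # user reported the email to security


# Constructed sample data: who completed the awareness module, and when.
TRAINING = [
    TrainingRecord("alice", "phishing-basics", date(2022, 1, 10)),
    TrainingRecord("bob", "phishing-basics", date(2022, 1, 12)),
    TrainingRecord("bob", "phishing-basics", date(2022, 3, 2)),   # re-watched
    TrainingRecord("bob", "phishing-basics", date(2022, 5, 9)),   # re-watched again
    TrainingRecord("dave", "phishing-basics", date(2022, 6, 1)),
]

# Constructed sample data: outcomes of three simulated campaigns.
SIMULATIONS = [
    PhishResult("alice", "invoice-feb", date(2022, 2, 3), clicked=False, reported=True),
    PhishResult("bob", "invoice-feb", date(2022, 2, 3), clicked=True, reported=False),
    PhishResult("carol", "invoice-feb", date(2022, 2, 3), clicked=True, reported=False),
    PhishResult("alice", "o365-apr", date(2022, 4, 14), clicked=False, reported=False),
    PhishResult("bob", "o365-apr", date(2022, 4, 14), clicked=True, reported=False),
    PhishResult("carol", "o365-apr", date(2022, 4, 14), clicked=False, reported=True),
    PhishResult("bob", "parcel-jun", date(2022, 6, 20), clicked=True, reported=False),
    PhishResult("dave", "parcel-jun", date(2022, 6, 20), clicked=False, reported=False),
]


def trained_before(training, user, when, module="phishing-basics"):
    """True if the user had completed the module before the simulation was sent."""
    return any(t.user == user and t.module == module and t.completed_on < when
               for t in training)


def readiness_report(training, simulations, repeat_threshold=3):
    """Per-user view joining simulation outcomes with training history."""
    per_user = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0,
                                    "clicked_after_training": 0})
    for r in simulations:
        s = per_user[r.user]
        s["sent"] += 1
        if r.clicked:
            s["clicked"] += 1
            # The article's "watched the training 3 times and still clicks" case.
            if trained_before(training, r.user, r.sent_on):
                s["clicked_after_training"] += 1
        if r.reported:
            s["reported"] += 1
    for user, s in per_user.items():
        s["click_rate"] = s["clicked"] / s["sent"]
        s["repeat_clicker"] = s["clicked"] >= repeat_threshold
        s["never_trained"] = not any(t.user == user for t in training)
    return dict(per_user)


def org_summary(report):
    """Organisation-level figures a business can track campaign over campaign."""
    sent = sum(s["sent"] for s in report.values())
    clicked = sum(s["clicked"] for s in report.values())
    reported = sum(s["reported"] for s in report.values())
    return {
        "click_rate": clicked / sent if sent else 0.0,
        "report_rate": reported / sent if sent else 0.0,
        "repeat_clickers": sorted(u for u, s in report.items() if s["repeat_clicker"]),
        "untrained_clickers": sorted(u for u, s in report.items()
                                     if s["never_trained"] and s["clicked"]),
    }


if __name__ == "__main__":
    report = readiness_report(TRAINING, SIMULATIONS)
    for user, stats in sorted(report.items()):
        print(user, stats)
    print(org_summary(report))
```

The two lists a manager would act on are `repeat_clickers` (users for whom another viewing of the same video is unlikely to help, matching the article’s observation) and `untrained_clickers` (a gap in training coverage rather than a user failing). Tracking `report_rate` alongside `click_rate` rewards the behaviour you actually want, reporting, rather than only penalising clicks.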
Consider how you provide training
The second key thing that these new solutions do differently is how they provide the training content to users.
They provide a vast array of different ‘sample’ phishing emails which can be run as part of each individual campaign, thus negating the ‘don’t click the email about such and such’ warnings passed between users.
They have great flexibility in scheduling, so campaigns can be set up and just left to run. Adopting this approach reinforces the need for users to be vigilant: a simulated phishing email (or indeed a real one) could come at any time, and you can’t rely on colleagues to tell you about it beforehand.
Create positivity around cyber security awareness
When a user does click on a phishing email, the web page that is displayed can be customised to make it friendlier, e.g. “We caught you out!” instead of “You clicked a phishing email”, destigmatising the event and making it about learning rather than making a mistake.
On the same web page I just mentioned, the red flags the user should have spotted in the email are displayed. This, for me, is brilliant: so often people click on a phishing email but don’t actually understand what they did wrong in that instance. By highlighting the areas that should have rung alarm bells, the user is going to be more aware next time.
Creating a positive culture around cyber security awareness is key to keeping your people engaged, knowledgeable and on the alert for potential attacks.