PhishMe; then and now

Q: When did it start?

A: We started building early prototypes of PhishMe in 2007, had beta customers in the first part of 2008 and paying customers later that year.

Q: What is it?

A: PhishMe is a subscription to use the PhishMe infrastructure to facilitate the most effective and memorable spear phishing awareness training around.

Organizations pay for a one year license based on the number of people to be trained, to send as many spear phishing training campaigns as they see fit.  It replicates Click-Only, Data Entry, and Attachment based spear phishing attacks.  We provide stories and themes to get people started, but subscribers are welcome to craft their own.  Subscribers manage recipient groups, pick their phishing themes, and customize the education message that is presented to anybody that falls for the phish. It also helps them keep track of who reported the spear phishing email and reward staff for reporting suspicious emails. Detailed reports show how effective the training is. Subscribers can then select multiple campaigns to build trend reports.   Using PhishMe allows organizations to see real measurable results in awareness improving, using the trend reporting that is provided.

Spear phishing awareness training isn’t a one-and-done event. There are different types of spear phishing attacks and humans need reminders that it doesn’t matter what position they hold in the organization, everyone is a valuable target for a spear phisher.

Q: Who buys PhishMe subscriptions?

A: Organizations that have been Phished multiple times.

It’s extremely frustrating for organizations that own every type of end-point-security product and appliance and have rigorous proactive patching and anti-virus to still get compromised via a spear phishing email.  Their vendors tell them if you buy magic heuristic -cloud-malware appliance X, it will solve their phishing problem.  How does one write a signature for an email that sends a user to a website that simply asks the victim for their username and password?  The truth that the security product vendors don’t want to admit: they can’t. When an organization has an 8 person IR team onsite billing $300hr, looking over at that rack of failed security products is demoralizing. Faced with these circumstances, sending spear phishing emails to the workforce as a means to deliver awareness education about spear phishing stops sounding like a crazy idea.

Q: Who else buys PhishMe?

A: Organizations replacing their own homegrown solution.

Organizations who know they need to do this and have made attempts to build their own solution, but have learned through experience conducting these exercises in a safe controlled manner isn’t as simple as it sounds. What if the recipient is on IE6? Will your page render? What if they open it from a BlackBerry or iPhone? Will their scripts still be able to record the results? What if the end user forwards the training exercise on to digg, slasldot, redditt? You don’t want to be headline news like the Air Force was with their uncontrolled attempt: Many PhishMe customers transition from their own solution to PhishMe because it’s easier, safer, and has better reporting.

Q: Anybody else?

A: Consulting organizations buy professional services licenses to conduct training exercises on behalf of their clients.

Q: Any changes over time?

A: In 2009 and 2010 we saw a shift in our inbound sales.

The word “Phishing” often conjures thoughts about consumer related phishing scams aimed at getting financial information or information that could facilitate identity theft.  In the past two years, the differentiation between spear phishing targeting specific actors in an organization vs. consumer phishing is more well-known.  We began getting inbounds by customers who were aware they needed to proactively address spear phishing, if not from their own experience, from reading about it in trade publications or talking with industry colleagues who were combating the problem.  Still, to this day, the majority of inbound sales leads come from companies who have been compromised via spear phishing. Stories like the RSA breach just help make it more acceptable to disclose “yes, we were compromised by hilarious pictures of cats”.

Organizations don’t need to sit around and wonder if they have a spear phishing problem.  They can find out how bad the problem is and do something about it.

Aaron Higbee

Education vs. Technology

Trusteer recently released a study containing the results of a spear phishing test against 100 LinkedIn users. Their findings had a 68% failure rate. While a 68% failure rate seems high, it is not an unusual number for a group that has received no prior education or training in how to spot phishing – or at least training that is meant to be effective. We know this based on having sent well over a million spear phishing emails to employees of corporations across multiple industry verticals. Trusteer, a company that specializes in the creation of information security software products, stated in this article that the only real solution is a technological one. We wholeheartedly disagree. These are numbers that we have seen time and again; Numbers that we consistently reduce through education via periodic training exercises that immerse the recipient in the experience.

There are many characteristics of this test done by Trusteer that would cause anyone with a basic understanding of testing methodologies and statistics to stand up and take notice. Firstly, the test was conducted with no real prior education to the users; this would make a good baseline, but only if you then provided training to the same users and ran the test again later to measure the difference the training made. Trusteer did not do this. In fact, Trusteer by their own admission hand-picked the recipients from a pool of friends and family. Their claims of vetting this list to ensure that it contained people who “it estimated to be fairly educated about security” must be taken at best with a grain of salt. Secondly, this test was conducted on a very small pool of people – we don’t believe the sample set is large enough or diverse enough to make a sweeping statement. While we can agree with their claims of Social Engineering making it “easy to drive corporate users to fake websites that could potentially download malware onto their computer”, it is the way they draw the conclusion, their methodology, and the claims that only a technological solution is the answer, that we take issue with.

Social engineering is a human issue that evolves around technical controls.  Convincing someone to click a link or download a piece of malware is just a twist on the same methods used by grifters and con men for hundreds of years. As long as someone is unaware, there will always be someone to take advantage of them.

It is time we face the simple truth –  there is no magic box that will solve spear phishing. We can’t continue to let the end-user believe that if something made it into their inbox, then it must be ok. We need to proactively teach people to be suspicious.

Mac McCrory