This Company Turned a Phishing Attack into a Teachable Moment

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization.

Following is a real example of one Cofense™ customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect.

First, the company leveraged information from a real credential phishing attack.

This company trains its employees to recognize and report phishing. The team responsible for the anti-phishing program took advantage of a monthly report from the Cofense Phishing Defense Center (PDC), which analyzes and escalates user-reported emails to alert customers immediately to verified phishing threats.

The monthly report described a phishing email, one seen in a different industry, that asked users to perform an urgent network upgrade. “Action required”—just click a link. Upon clicking, users would be taken to a site where they would enter their network credentials.

The Cofense PDC sees hundreds of thousands of similar emails targeting customers each year. Here’s a sample:

Next, they simulated the attack to educate employees.

Credential phishing is an epidemic. To help their employees spot a credential phishing attack, the company decided to use this real attack to craft a simulation. Here’s what the simulated email looked like:

The simulated phishing email used a header very similar to the email seen in the wild.

Armed with other details from the real phish, including the full body of the message, the company sent this simulation to high-value targets—employees with elevated credentials, the “keys to the kingdom.” It’s smart to focus on these employees, just like attackers do.

The results were encouraging. Employees who reported the simulated phish outnumbered those who fell for it, a report-to-susceptibility ratio greater than 1:1. It was a good start. With continued simulations, that ratio should rise and show better resiliency to credential phishing.

To repeat, it’s good to condition employees to report phishing emails. It’s even better to have them practice against the real deal, so they can help stop it before real damage is done.

To learn more about the growth of credential phishing, view the Cofense State of Phishing Defense 2018 report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Who’s Got Access? “Value at Risk” Anti-Phishing

Part 3 of 3 

So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.  

Data to Dollars: “Value at Risk” Anti-Phishing Strategies

Part 2 of 3

Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.

Managed Service Gives SMBs More Security without the Headcount

If you do a Google search on “SMBs and cybersecurity,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT.

Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMBs trust Cofense PhishMe™ Managed Service.

For this financial services company, tougher simulations hardened phishing resiliency

After introducing Cofense PhishMe™ and Cofense Reporter™, a financial services company had reduced susceptibility to 10% or lower across its 10,000+ employees. At the same time, reporting had climbed to almost 50% for data-entry simulated phishes and just under 25% for click-only.

In other words, employees had learned to identify basic phishing attacks.

Sometimes you need to “turn up the heat.”

The company’s CISO realized it was time to use more complex scenarios to further harden resiliency. The CISO pointed out that attackers don’t ask permission to launch sophisticated attacks, so the company had to be ready for anything.

To make scenarios tougher, the company added its own branding to simulated phishes and mirrored complex phishing attacks it had seen in the wild. By upping the difficulty, the company expected susceptibility to increase, at least temporarily.

That’s exactly what happened. A phishing email pretending to be about manager evaluations, a scenario common to most organizations, fooled nearly 37% of recipients. But a month later, another office-communication phish, relating to time-off requests, elicited a click rate of just 12%—evidence the company did a good job of educating employees, especially those who had clicked the month before.

Not only that, reporting levels held steady during the same period, remaining higher than rates of user susceptibility. In fact, in a recent simulation the first email was reported before anyone mistakenly clicked. In a real phishing attack, the reported email would have been actionable information incident responders could use.
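The numbers this post reports (susceptibility, reporting rate, whether reporters outnumber victims, and whether the first report beat the first click) are straightforward to compute from per-recipient simulation results, and the same calculation applies to the report-to-susceptibility ratio in the first post above. The following Python is an added example, not Cofense or PhishMe code and not the reporting logic of either product. The `Recipient` data model, the time stamps and the ten-person result set are constructed for illustration, and the rule that a recipient counts as susceptible when they submit data in a data-entry scenario but merely click in a click-only scenario is an assumption about how such percentages are derived.

```python
"""Added example: scoring one phishing simulation the way the post describes.

Not Cofense/PhishMe code. The Recipient records, the time stamps and the
'susceptible' rule below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Recipient:
    """One simulated-phish recipient and what they did (None = did not do it)."""
    user: str
    clicked_at: Optional[datetime] = None     # followed the link
    submitted_at: Optional[datetime] = None   # entered data on the landing page
    reported_at: Optional[datetime] = None    # used the report button


@dataclass
class SimulationMetrics:
    sent: int
    clicked: int
    submitted: int
    reported: int
    susceptible: int                     # fell for the scenario (see summarize)
    susceptibility_pct: float
    reporting_pct: float
    report_to_susceptible_ratio: float   # > 1.0 means reporters outnumber victims
    first_report_before_first_click: bool


def summarize(recipients: List[Recipient], data_entry: bool) -> SimulationMetrics:
    """Compute the post's metrics for one scenario.

    Assumption: in a data-entry scenario a recipient is 'susceptible' only if
    they submitted on the landing page; in a click-only scenario, clicking the
    link is enough.
    """
    sent = len(recipients)
    if sent == 0:
        raise ValueError("no recipients")
    clicked = [r for r in recipients if r.clicked_at is not None]
    submitted = [r for r in recipients if r.submitted_at is not None]
    reported = [r for r in recipients if r.reported_at is not None]
    susceptible = submitted if data_entry else clicked

    # A recipient who clicked and then reported counts on both sides: the ratio
    # tracks reports against victims rather than netting them out.
    ratio = (len(reported) / len(susceptible)) if susceptible else float("inf")

    # Did the responders get a report before anyone clicked?
    first_click = min((r.clicked_at for r in clicked), default=None)
    first_report = min((r.reported_at for r in reported), default=None)
    report_first = first_report is not None and (
        first_click is None or first_report < first_click
    )

    return SimulationMetrics(
        sent=sent,
        clicked=len(clicked),
        submitted=len(submitted),
        reported=len(reported),
        susceptible=len(susceptible),
        susceptibility_pct=round(100.0 * len(susceptible) / sent, 1),
        reporting_pct=round(100.0 * len(reported) / sent, 1),
        report_to_susceptible_ratio=ratio,
        first_report_before_first_click=report_first,
    )


# Constructed results for a ten-person simulation (not real data).
T0 = datetime(2018, 9, 4, 9, 0)
SAMPLE = [
    Recipient("alice", reported_at=T0 + timedelta(minutes=2)),
    Recipient("bob", clicked_at=T0 + timedelta(minutes=5),
              submitted_at=T0 + timedelta(minutes=6)),
    Recipient("carol", clicked_at=T0 + timedelta(minutes=7)),    # clicked, did not submit
    Recipient("dave", reported_at=T0 + timedelta(minutes=8)),
    Recipient("erin", clicked_at=T0 + timedelta(minutes=9),
              reported_at=T0 + timedelta(minutes=10)),           # clicked, then reported
    Recipient("frank"),                                           # ignored the email
    Recipient("grace", reported_at=T0 + timedelta(minutes=12)),
    Recipient("heidi", clicked_at=T0 + timedelta(minutes=15),
              submitted_at=T0 + timedelta(minutes=16)),
    Recipient("ivan"),
    Recipient("judy", reported_at=T0 + timedelta(minutes=20)),
]

if __name__ == "__main__":
    for label, data_entry in (("data-entry", True), ("click-only", False)):
        print(label, summarize(SAMPLE, data_entry=data_entry))
```

Running `summarize` over each month's results gives the month-to-month comparison the post makes (37% susceptible one month, 12% the next); tracking `report_to_susceptible_ratio` alongside `susceptibility_pct` is what shows whether reporting is holding above susceptibility while scenario difficulty rises.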

Smart next steps.

The company anticipates that employees will keep getting better at spotting advanced phishes. As susceptibility rates level out, employees should expect to see even tougher scenarios.

Again, these will likely include emails based on active threats, in particular emails purporting to come from internal sources. According to Cofense’s 2017 Phishing Resiliency and Defense Report, these kinds of “business process” scenarios are among the most effective.

One great source of complex scenarios: Cofense Intelligence™, our phishing-specific threat intelligence, which helps organizations stay in front of attacks. You can use this service’s insights to keep your scenarios relevant.

Important note: it’s wise to mix in complex scenarios rather than abandoning basic phishing scenarios altogether. Users need to prepare for both, since attacks come in all degrees of complexity. Also, you don’t want users to be afraid to open legitimate emails from HR or other teams. If you’re not sure about the right mix, Cofense’s Professional Services team can help.

When it comes to battling phishing, you can never say “mission accomplished.” But refining your defenses like this client did is an accomplishment in itself.

Learn more about phishing defense in Cofense’s 2017 Phishing Resiliency and Defense Report.