Threat Analyst, Multinational Financial Services Company

The financial industry is constantly targeted by phishing attacks, so our company uses Cofense PhishMe to educate employees. We send monthly simulations because, in our experience, more frequent training helps to raise overall awareness. If you get in the habit of recognizing phishing emails, though you might not see a serious security threat very often, you’ll feel comfortable reporting one if it lands in your inbox.

In general, we think that folks who are most at risk should be targeted more often, for example a finance organization that corresponds with outside vendors, versus a group of analysts who never interact externally due to regulations.

We’ve found that targeted training is a better predictor than general simulations. These phishing scenarios might be more difficult, but making them tough isn’t the point—the point is to send simulations based on real attacks we’ve seen. It’s important that users understand this isn’t a game of “Gotcha!” We’re trying to help people, not fool them.

We’ve been able to show the connection between phishing simulations and real threats that users report.

Our Cofense support analyst has helped us create reports that show the overlap between simulations and verified threats. We want to know how someone performs on a simulation versus a real phish. The idea is to identify groups that get attacked a lot and the ones reporting the most real phish. We want to see how that interplay works.

We’ve used the data to educate people who fall susceptible to certain attacks. We’ve found that most of those users aren’t susceptible in later simulations. They’re paying more attention and reporting at much higher rates. For example, we’ve been able to run targeted custom campaigns using domains and executive spoofing, based on real attacks we’ve seen in our environment.

We’ve found that running targeted campaigns resulted in more than 25 percent higher reporting rates, compared to the average user over the next three months.

It’s really exciting to track data and show how it relates to performance, plus how it can shape the next round of simulations. We let repeat clickers practice as much as they need. If an employee clicks on a simulation, rather than just relying on a pop-up page to teach them, we send another phish. If the user clicks again, that’s the learning moment. That person will ask, “What signs did I miss?” They’ll be more aware.

To identify real threats, we use the managed version of Cofense Triage. Cofense analysts look at everything that’s reported, pull out any IOCs, and send them back to our SOC. It eliminates a layer of analysis and enables the SOC to scope the campaign immediately. Who else in the organization got the phishing email? Then the SOC can pull those emails from inboxes, so users can’t click on them, and block the sender’s IP address, at least temporarily.

One recent phishing email said, “I’m in a meeting and can’t be contacted. Can you help me out?”… Luckily, some recipients reported it.

That email, a real phish, involved a typosquatted domain, which looked like our domain with one letter changed. The email purportedly came from a senior executive, using a signature block that looked very close to ours. A bunch of users throughout the organization received the phishing campaign and, while some started responding to it, others began reporting. We were able to stop the campaign before any real damage was done.

That was a huge win for us. It was a very sophisticated campaign, so it shows that our training is working. Of course, you’ll never get to zero clicks, so there’s always work to be done.