How to Protect Against Phishing Attacks that Follow Natural Disasters

By Aaron Riley and Darrel Rendell

With Hurricane Florence battering parts of the East Coast, here’s a reminder that phishing campaigns sometimes pretend to promote natural-disaster relief efforts in hopes of successfully compromising their target. Cofense Intelligence™ has analyzed plenty of these campaigns, which are designed to entice the end user into credential theft or endpoint infection.

5 Steps to Targeting Newbies with Phishing Awareness Training

When it comes to phishing awareness training, new hires need special attention. While most may know what phishing is, many won’t have received formal training in recognizing and reporting a phish. This chart shows sample data from a Cofense™ customer whose newbies struggled to spot phishing emails during simulation training.

Before they develop bad inbox habits, it’s important to welcome your brand-new users to your training program, especially if your company has fairly high turnover. Following are 5 tips to make the transition smoother and, ultimately, help your security teams stop phishing attacks.

Step 1: Announce and Set the Stage

The first email you’ll send to new hires won’t be a simulated phish. During their first week of employment, new hires should get an email announcing the program and letting them know they’ll be participating. You can ask HR to include this in the orientation materials new hires receive. Or you can send your own announcement—Cofense PhishMe™ offers a template complete with announcement tracking (when a user reads the email, etc.).

The announcement is one of the most important anti-phishing emails you’ll send, just as essential as the phishing simulations to follow. When they read this email, some newbies will react by thinking, “Um, what’s phishing?” So you’ll need to define it for them before talking about your training program. You don’t have to give an encyclopedic definition, just a couple of sentences about what phishing is, why it’s dangerous, and why users need to be trained to spot it.

You’ll also want to cover:

  • What the program entails—regular simulated phishes appearing in their inboxes, along with educational tips on what they did wrong and how to improve going forward
  • Tips on spotting a phishing email—here’s an example:

Also include:

  • The importance of reporting suspicious emails and how to do it
  • What happens after users report—how security teams close the loop

Step 2: Send the First Phishing Simulation

After 2 or 3 weeks of employment, it’s time for newbies to get their first simulated phish. Select a phishing scenario you use widely in training other employees. Make it an easy scenario, not anything technically difficult, and do the same for the accompanying educational content. You simply want new hires to learn what the phishing clues were and how to report them next time.

Here are 3 scenarios good for simulation newbies:

Pro tip: to simplify tracking in your overall program (for experienced users as well as new hires), use the same theme but vary the complexity. For instance, send new hires an easy “Over the Inbox Limit” phish and other users a more nuanced version of a fake internal message.

Step 3: Send Positive Reinforcement

During a group of new hires’ fourth week on the job, send an email to reinforce the what and why of your training. Begin by thanking new users for their participation, then quickly note some of the benefits: a more aware workforce, a more secure company, and valuable knowledge users can apply throughout their careers.

Be sure to include the educational content used in the first simulation. For users who fell susceptible, it will reinforce what they learned. For users who passed with flying colors, it will give them added knowledge to apply down the road.

Step 4 (Optional): Send a Second Simulation

Here you’re simply giving newbies another chance to practice, if you feel it’s needed. Use one of the simple scenarios shown in Step 2.

Pro tip: report on new hires’ progress separately from that of your other users. Besides learning exactly what you need to know about this at-risk group, you’ll get a more accurate picture of enterprise-wide performance. Because more experienced employees will handle simulations better, your enterprise metrics will look better with newbie numbers extracted.

Step 5: Graduation! Roll New Hires into Your Regular Phishing Awareness Training

Okay, no one ever really graduates from this kind of training. We’ll all be enrolled until email becomes extinct and phishing awareness is no longer needed. Until then, after 2 or maybe 3 initial phishing simulations, your new hires should be ready to receive the same simulations as everybody else.

In no time at all, the newbies won’t be new. But by then it will be time to train another batch of fresh recruits.

Learn more about building and maintaining an anti-phishing program—view our “Left of Breach” e-book.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

The El Camino Effect in Anti-Phishing Training

Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino.

Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed.

Understanding the El Camino Effect

To better frame a holistic (strategic) approach to stopping phishing attacks, we need to understand the basic model outlined below. It shows why technology—normally, the first line of phishing defense—will continue to be challenged and subverted by criminal actors.

The model shows how companies typically approach cyber-security with technology, along with the workaround attackers use. Imagine for a moment that several banks, the stand-in for users in this model, have been robbed by a gang of thieves driving a red Camaro.

The immediate response by security professionals (the police): be on the lookout for that red Camaro. Intelligence will be updated; firewalls and email gateways will be set to identify and stop further Camaro attacks in progress.

This is a good thing and exactly how technology should be utilized, but a significant gap in coverage remains. We must ask ourselves: what happens when the gang dumps the red Camaro and begins driving the blue El Camino instead?

An even more challenging question: are we really going to blame the banks (our users and victims) for being robbed because our security systems were looking for the Camaro instead of the El Camino? The same question applies to anti-phishing programs. Does it make sense to point fingers at users whose training isn’t as relevant as it needs to be?

Don’t Blame the Victims!

The answer, of course, is no. While I personally believe that improved anti-phishing requires appropriate use of the carrot and stick, it’s critical that any reinforcement achieves the results you want.

In anti-phishing, the focus needs to be on user reporting, not susceptibility. Understand that users are your last line of defense prior to a breach in the phishing kill chain. Rewarding them for reporting rather than falling victim is key to maintaining positive engagement and increased reporting of suspicious emails.

Too often, I see organizations go too far in the other direction, being too aggressively punitive. Again, it’s fine to use the stick as well as the carrot, but not if it places blame on people who were trained to look for a Camaro and missed the El Camino. Let’s be clear about who’s to blame: first and foremost, the criminal hackers. And the responsibility for stopping them starts with us, the phishing awareness professionals, not our users.

A better solution begins when we understand (and admit to ourselves) that attacks will make it past perimeter defenses. Any assumption that technology alone will stop an attack is, quite frankly, irresponsible.

As the El Camino model demonstrates, any bank would (and by the way, most do) implement a response strategy for those times the criminals bypass the early warning and mitigation capabilities. Banks utilize silent alarms, activated and monitored by people, to protect against and respond to robberies in progress.

Anti-phishing programs need to do the same.

Collaboration is Key

At conferences over the last few years, security vendors have pushed a new silver bullet—machine learning and artificial intelligence. Honestly though, we should be learning a key lesson from decades of security breaches and the history of change in associated technology.

That lesson is simple: no single technology investment will stop all attacks on our networks and users.

Further, we need to recognize the leading security issue of our time: human interactions with and management of available technology. Put simply, we can no longer ignore the fact that criminal actors, security professionals, and victims are all people doing their best either to subvert or harden the protection of personal (private) and corporate (confidential) data and communications.

It is at this intersection of technology and people where we can achieve the most gains in cyber-security.

The first step is to implement solutions that empower not just awareness but the user’s capability to recognize, report, and mitigate threats. Working with your security teams, you need to base awareness training on active threats, whether they’re Camaros, El Caminos, or Ram trucks.

I have seen this collaborative, user-integrated model achieve stunning results, over and over and over. If we really want to stem the rising tide of breaches, we can’t make criminals of victims. Instead, let’s combine our security technology with well-trained humans. Let’s empower everyone to succeed—except the guys in the El Camino.

To learn more about phishing awareness effectiveness, view the 2017 Cofense™ Phishing Resiliency and Defense Report.



Why You Need to Keep Brands Out of Phishing Simulations

The top 4 brands in the world—Apple, Google, Microsoft, and Facebook—are worth over $500B. Not the operations of those brands, not their proprietary technology, or their real estate—the brands alone. When something is that valuable, companies protect it zealously. They monitor how their brands are used and take action to defend them.

Cofense stands firm on not allowing 3rd party brands or logos to be utilized in our phishing simulations without prior express permission. There are times when we may partner directly with specific brands and organizations on the official inclusion of their brand assets in simulation content where it makes sense for something like an enterprise targeted phishing simulation. However, this is done in strict strategic collaboration with the brand’s legal and executive counsels to ensure the mission and strategy of protecting both the brand and reputation of ourselves and our strategic brand-partners is maintained throughout the entire exercise.

Who’s Got Access? “Value at Risk” Anti-Phishing

Part 3 of 3 

So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.  

Data to Dollars: “Value at Risk” Anti-Phishing Strategies

Part 2 of 3

Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.

This Amazon Prime Day, Keep Your Network Safe from Phishing

Unfortunately, with the world we live in, especially with any type of highly visible promotions or sales, scammers will try to take advantage of the situation. Remember last year’s Amazon Prime Day phishing scam? Consumers around the world received an email promising a $50 bonus for writing a product review, or an email stating there was a problem with their payment method or shipping information. When they clicked on an embedded link, they went to a bogus login page designed to harvest their credentials.