Phishing Defense: Let’s Get Personal
We all know phish aren’t just sent to corporate email accounts, yet this is what we hear about most often in the news. The reason, at least in part, is that headlines highlighting millions of dollars lost or millions of accounts compromised make for better news than “Man Has Personal Savings Account Drained After Clicking Malicious Link.”
As a company with over 50% of the Fortune 100 as customers, Cofense™ focuses on threats to the enterprise. We do, however, take a unique approach by enabling users to act as human sensors, report suspicious emails, and help disrupt unfolding attacks. There is an individual, or personal, aspect to our programs.
It’s smart business to educate users on protecting their personal data. Consider the advantages: employees learn to safeguard themselves against consumer phishes; they apply those lessons when they receive similar emails at work; and with a personal interest in anti-phishing, they take it more seriously.
When Phishing Hits Home
While visiting clients in Texas this past March, I had the opportunity to connect with a friend and former coworker who moved to the area some time ago. After years of renting, he was excited to become a first-time homeowner. During the closing process he received an email with a link containing wiring instructions for his mortgage down payment. You can probably guess where this is going: it was a phishing email. It was a reasonably well-crafted attack that used a URL one character off from the legitimate domain (typo-squatting, a common tactic among malicious actors) and was sent at a time when such instructions were expected as part of the home-buying process.
My friend is an artist, game designer, and very technically savvy, but this potential $20K mistake, while not the sort that makes headlines, could have cost him his first home. This example demonstrates that anyone is vulnerable to an attack, given the right combination of motivator, timing, and context.
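A defender-side check for the one-character-off domain trick described above, added here as an example and not code from Cofense or the original post; the allowlisted domains and the URLs it is run against are constructed:

```python
"""Flag links whose domain is one edit away from a domain the user expects.

Added example (not Cofense code): a lookalike-domain check for the
typo-squatting tactic described in the post. All domains are constructed.
"""
from urllib.parse import urlparse

# Constructed allowlist: domains the user legitimately expects wiring
# instructions from (e.g. the title company and the lender).
EXPECTED_DOMAINS = {"example-title.com", "example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the host's last two labels (mail.example-title.com -> example-title.com)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, expected=EXPECTED_DOMAINS, max_edits: int = 1) -> str:
    """'trusted' if the domain is expected, 'lookalike' if it is within
    max_edits of an expected domain (the one-character-off case), else 'unknown'."""
    domain = registrable_domain(url)
    if domain in expected:
        return "trusted"
    for good in expected:
        if edit_distance(domain, good) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://portal.example-title.com/wire",
                 "https://examp1e-title.com/wire",
                 "https://example-title.co/wire"):
        print(link, "->", classify_link(link))
```

A "lookalike" verdict is a reporting trigger, not proof of malice; the point is that the one-character difference is easy for a script to see and easy for a hurried homebuyer to miss.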
When It’s Personal, It Matters
In Cofense PhishMe™ Managed Service, we are often asked by clients how they can get their users more engaged in the awareness and reporting process, and thus in the broader process of disrupting phishing attacks. It has long been observed in human psychology that many people don’t truly care about an issue until it affects them personally. How do you think my friend felt when he thought he might lose the home he’d spent months trying to find, not to mention a significant amount of savings? The global issue of phishing became a personal problem.
Cofense research indicates that employees are most susceptible to phishing emails that target them as consumers. Our 2017 Phishing Resiliency and Defense Report noted that the most effective phishing emails (in simulation training) aren’t really about business at all. Headers like “Free Coffee!” or “Office Party Pics!” are hard to resist because they’re fun and personal. Among Cofense customers, the susceptibility rate for these emails can range from 15-25%.
Thus, it’s imperative to remind your users that the skills they’re learning have applications both inside and outside the office—and could mean the difference between being a victim and keeping information safe.
This can help bridge the gap between the concept of users and consumers, since in most cases they are truly one and the same. If you want your employees to take threats in the workplace seriously, it would be smart to remind them they face similar threats at home, and the same indicators which help them distinguish legitimate emails from phishing attempts apply regardless of where and when the message is received. If you do, the next time a user gets a phony e-card at work, he or she will be more likely to report it, so your SOC can investigate and, if needed, take quick action.
If your employees are vigilant in the workplace, they’ll be more resilient in their personal lives. The opposite is true as well. Everybody wins.
Learn how Cofense uses human intelligence and technology to stop attacks in progress—watch this short video.
Vigilance, Like Phishing Attacks, Needs to Be 24/7
In our 2017 Phishing Resiliency and Defense Report, Cofense™ noted a curious trend. The most effective phishing emails (in simulation training) aren’t really about business at all. Headers like “Free Coffee!” or “Office Party Pics!” are hard to resist because they’re fun and personal. Among Cofense customers, the susceptibility rate for these emails can range from 15-25%.
Adding more personal scenarios to your awareness training helps. Your users become accustomed to reporting “friendlier” emails, which helps incident responders stop attacks in progress faster. Here’s another way to build resiliency: teach users to be vigilant at home as well as work.
For Cofense PhishMe™ customers who would like to make their users aware of this threat, see our latest phishing template called “Home Mortgage Wire Transfer.”
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.