There is a reason that most data breach incidents involve phishing attacks: phishing works.  Attackers know that it is far easier to gain access to a protected network by tricking people into clicking on malicious links and attachments than it is to penetrate sophisticated firewalls and intrusion detection systems.  And they know that they have an edge over the defenders because they only have to win once to gain access. As defenders, we need to stop them every time.  We can’t prevent attackers from soliciting people with phishing emails.  But we can take away their edge.

According to Verizon’s 2015 Data Breach Investigations Report, the overall effectiveness of a phishing campaign is between 11 and 23%.  These numbers come from companies that run simulated phishing exercises to teach their users to recognize phishing emails.  Running a simulated phishing exercise across the entire population of a 100,000 employee company will typically show that about 15% of recipients click on a malicious link or attachment, or even enter their login credentials, in response to a well-crafted phishing email.  Statistics like this tend to keep CIOs and CISOs up at night.

The Verizon report goes on to say, “The numbers again show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey”.  This is important because real attackers are not going to expose themselves by sending 100,000 emails to their target. They want to stay under the radar by sending the minimum number of messages that will ensure they get at least the one click they need to gain access.

Attackers have a pretty good estimate of how effective each of their phishing emails will be at getting people to click on the bait.  They know that if their phishing message has a typical 25% success (click) rate and they send 10 of these emails to employees of their target, they have a 94% statistical chance that at least one person will fall victim and open the doors for them to gain access.  If they send 15 emails, that jumps to a 98% likelihood of success.  Defending against phishing seems like a daunting task; it appears that the numbers are all on the villain’s side.  But there is more to this story.  The attackers must not only succeed in getting their victims to click on the phishing lure, they must also remain undetected long enough to do their dirty work.  And that is where we can reclaim the mathematical edge.

A well-run security awareness program using simulated phishing exercises can significantly reduce the number of employees who fall victim to phishing attacks. The key to true success against real life attackers, though, lies in leveraging this increased awareness of the workforce by training them to not just avoid clicking when they see a suspicious email, but to also report the email so that it can be investigated and addressed. Incorporating a simple, effective way for users to report phishing and encouraging its use through the anti-phishing program can neutralize the mathematical advantage that phishing attackers rely on for their success. It only takes one user to successfully report the attack to minimize the window of opportunity.

Companies that employ simulated phishing exercises often struggle with the question of “what is an acceptable click rate for a phishing exercise?”  The reason this is so hard to answer is that deep down they know that it only takes a single click to open the door to the attackers.  It’s complicated by the fact that different phishing emails have different effectiveness rates, so setting an arbitrary “click rate” target is not a reliable indicator of the effectiveness of your program or of your organization’s resistance to phishing attacks.  A stronger metric to consider is the percentage of your recipients who report the email as a suspected phishing attack.  As this number grows, it diminishes the attackers’ edge, because now they have to worry about being detected before they can get in and achieve their goals.

Consider this example…  Suppose that through your phishing training program, you reduce the average susceptibility to a phishing email to 10% of your targeted recipients.  That means that an attacker needs to send only 20 emails to have an 87% chance of at least one person taking the bait.  Let us also suppose that through training, we get a consistent 10% of the recipients who report the email as suspicious.  Out of those 20 emails, we now have that same 87% chance that the phish will be reported. And these reports are likely to occur in the same time frame as those who would click on the phishing lure.

Here’s the fun mathematical impact of this: when the number of reports equals the number of clicks, the attacker’s edge disappears.  When the number of reporters exceeds the number of clickers, it actually becomes more likely that the phishing email will be reported than that someone will click on the link.  This lets us define a new metric for measuring a company’s susceptibility to a phishing attack: the Phishing Preparedness Index (PPI):

PPI = # Reported Phishes / # Clicked on Bait

A PPI value less than 1 indicates that attackers maintain the mathematical edge, and phishing attacks are “profitable”.  When PPI = 1, that edge disappears.  PPI values exceeding 1 indicate that the organization has reclaimed the edge against phishing attackers.
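The arithmetic behind the campaign-size figures above and the PPI can be checked with a short script.  This is an added example, not code from the original article; the outcome labels (“clicked”, “reported”, “ignored”) and the 20-recipient sample exercise are constructed for illustration.

```python
from math import ceil, log


def p_at_least_one(rate, n):
    """Chance that at least one of n recipients acts (clicks, or reports)
    when each acts independently with probability `rate`."""
    if not 0.0 <= rate <= 1.0 or n < 0:
        raise ValueError("rate must be in [0, 1] and n >= 0")
    return 1.0 - (1.0 - rate) ** n


def emails_needed(rate, target):
    """Smallest campaign size at which P(at least one action) >= target,
    i.e. the minimum number of messages an attacker has to send."""
    if not 0.0 < rate <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("rate in (0, 1], target in [0, 1)")
    if rate == 1.0:
        return 1
    return max(1, ceil(log(1.0 - target) / log(1.0 - rate)))


def ppi(reported, clicked):
    """Phishing Preparedness Index = reports / clicks.  Zero clicks with at
    least one report is the best case (infinity); zero of both is no signal."""
    if reported < 0 or clicked < 0:
        raise ValueError("counts must be non-negative")
    if clicked == 0:
        return float("inf") if reported else float("nan")
    return reported / clicked


def exercise_summary(outcomes):
    """Summarise one simulated exercise.  `outcomes` maps each recipient to
    'clicked', 'reported' or 'ignored' (constructed labels, not a product schema)."""
    n = len(outcomes)
    clicked = sum(1 for o in outcomes.values() if o == "clicked")
    reported = sum(1 for o in outcomes.values() if o == "reported")
    click_rate, report_rate = clicked / n, reported / n
    # Size of the smallest campaign giving an attacker a 90% chance of a click,
    # and the chance that a campaign of that size is reported at least once.
    size = emails_needed(click_rate, 0.9) if click_rate else None
    return {
        "click_rate": click_rate,
        "report_rate": report_rate,
        "ppi": ppi(reported, clicked),
        "attacker_emails_for_90pct": size,
        "p_reported_at_that_size": p_at_least_one(report_rate, size) if size else None,
    }


# Constructed sample: 20 recipients, 2 clicked, 3 reported, 15 ignored.
SAMPLE_OUTCOMES = {f"user{i:02d}": "clicked" if i < 2 else "reported" if i < 5 else "ignored"
                   for i in range(20)}
```

With a 10% click rate the attacker’s 90% campaign is 22 emails, and at a 15% report rate that campaign has about a 97% chance of being reported at least once.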

Reporting suspected phishing emails is the first step of the response process.  It’s also important to have an effective process that can investigate these reports.  By engaging the general workforce to recognize and report suspicious email, the incident response teams have a chance to get into the game before the attackers can achieve their goals.

Three steps to reclaiming the edge:

  1. Perform regular phishing simulations to strengthen all email users’ ability to recognize, and resist falling prey to, phishing emails.
  2. Implement a simple process for recipients of suspicious emails to report them, and incorporate this process into your simulated phishing program.
  3. Implement a process to investigate and respond to reported phishing attacks.