What did you do during last year’s Cyber Security Awareness Month in October? At Awin, we used the opportunity to hammer home some consistently needed messages on phishing by running an Anti-Phishing Campaign over the course of the month. Since the campaign was prepared in just a few weeks and with minimal effort from teams other than the Information Security Team, we wanted to share how you can also run such a campaign efficiently and effectively.
Why should Phishing be given special attention?
Phishing is a cyber-crime or “scam by which an internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly” (ideas.ted.com). Most prominently, a phishing attack happens in the form of an email, whereby the attacker poses as a familiar person and asks for personal or confidential information, a transfer of money or for the receiver to click on a link which then installs malware on their computer.
According to the 2020 Verizon Data Breach Investigations Report, almost a quarter of all data breaches (from a sample of roughly 150,000 incidents) involved some form of phishing. Specific cybercrimes such as cyber espionage rely almost entirely on phishing. Cyber criminals keep refining the most efficient phishing techniques, and the number of phishing attacks has risen over the past years. It is important to remember that most phishing attacks never reach the status of a data breach and are therefore never reported, so the true number is far higher than the reported one.
The Verizon report further shows that the data most often compromised in phishing breaches are credentials, personally identifiable information, confidential and medical information, and bank details. On average, as of 2019, a phishing attack that results in a data breach costs the attacked company, institution or organisation USD 3.86 million. Global financial losses due to compromised business emails or accounts add up to USD 12.5 billion. It is important to raise awareness about phishing and to show people how to protect themselves in their private life as much as at their workplace, because phishing hurts people. Luckily, it is avoidable in most cases.
How to choose the content for your campaign
To make sure you offer your audience relevant and informative content, you need to clarify the “Why”, back it up with interesting information and give real life examples and hands-on advice. This combination of factors is what keeps your audience engaged, so you can make sure your message sticks. When it comes to the topic of phishing, it could look something like this:
Week 1: Introduction to Cyber Security Awareness Month & Phishing
In your first piece of content, introduce your format (so for example, what is Cyber Security Awareness Month?) and your topic (for example phishing). A good security awareness campaign of any sort should also start with the ‘Why’, backed up with data, such as the referenced Verizon report above. To make sure your content is useful and relatable from day one, share interesting and hands-on tips on how your audience can protect themselves.
Week 2: Why Phishing Matters
Unfortunately, it is not uncommon for phishing attacks to succeed, and when one hits a larger company, the costs can be enormous. According to IBM (in 2019), the average financial cost of a data breach is USD 3.86 million. To make your audience understand the scope and gravity of your topic, show examples from outside your organisation, the bigger the better (see Dirty Dozen below).
Awin is not a stranger to phishing and your company will not be either. Find or put together data on how many phishing attacks your company encounters and how many you filter out every day to show your audience that phishing is a real threat and that existing protection mechanisms work to a certain extent.
Week 3: A Day in the Life of a Phisher
Now that we know what phishing is and why it matters, we can take a closer look at how a phishing campaign is run: how a phisher plans and executes an attack, and what tools, mechanisms and strategies are used. Understanding the ‘other side’ helps us understand the attacker and protect ourselves better.
You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.
When getting into the details of how a cyber-criminal conducts a phishing attack, the following points are relevant:
Preparing a Phishing Attack: domain & website imitation, email spoofing, personal research, getting email addresses and the possibility of using Phishing-as-a-Service (PhaaS).
The Phishing Attack: motivation & sense of urgency, design and language and embedded malware.
Tips & Tricks of a Phisher: inbox hacking, identity theft, targeting on personal social media channels and LinkedIn scams.
Week 4: Phishing @ Awin
Apart from what phishing is, how it works and why it matters, it is not only interesting but reassuring for your audience to know what you do to protect your organisation from phishing. What tools are used to keep the company safe, how are key figures protected, and what happens to a detected phishing email? Your audience will appreciate an overview of the solutions that are already in place. Beyond that, it is important to encourage your audience to be part of the solution by acting as a Human Firewall.
Week 5: Case Study & Quiz
As mentioned before, real-life examples really make people understand the gravity of an issue. If you have a good phishing attack example from your own company, this is the opportunity to showcase it, so that people see that phishing is not just something on paper but affects real people.
Further, a quiz is always a good and fun way to end such a campaign, and it gives your audience the opportunity to test their knowledge of everything conveyed during the previous weeks. If you have the capacity, you can make it a competition between teams and offer a prize for the winner.
How to make the success of your campaign measurable
The success of any awareness campaign needs to be measurable. For the phishing campaign, we ran two phishing simulations using a Microsoft Advanced Threat Protection solution. Two weeks before the October campaign, a random subset of employees received a simulated phishing email containing a link; one month after the campaign, the same was done with a different random subset. Comparing the number of successful attempts, the click rate (the share of recipients who clicked the link) and the overall success rate (the share who went on to provide credentials) shows whether the campaign resulted in more awareness and vigilance among the targeted employees.
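Because the two simulations target different random subsets, a drop in the click rate or credential rate can be noise as easily as real progress. The script below is an added example, not Awin's tooling or data: it computes the click rate and credential rate for a "before" and an "after" run using constructed figures, and applies a two-proportion z-test so that the difference is reported together with a p-value rather than as a bare percentage. The sample counts in `SIMULATIONS` and the 0.05 significance threshold are assumptions.

```python
import math

# Constructed simulation results (not Awin's real figures). Each run sends a
# simulated phishing mail with a link to a random subset of employees and
# records who clicked and who then entered credentials on the landing page.
SIMULATIONS = {
    "before": {"targeted": 120, "clicked": 31, "submitted_credentials": 14},
    "after":  {"targeted": 115, "clicked": 17, "submitted_credentials": 7},
}


def rates(run):
    """Click rate and credential-submission rate of one simulation run."""
    n = run["targeted"]
    return {
        "click_rate": run["clicked"] / n,
        "credential_rate": run["submitted_credentials"] / n,
    }


def two_proportion_z_test(x1, n1, x2, n2):
    """Two-sided z-test for 'is proportion x1/n1 different from x2/n2?'.

    Returns (z, p_value). Uses the pooled standard error, the textbook form
    for comparing two independent samples.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    # erfc(|z| / sqrt(2)) is the two-sided tail probability of a standard normal.
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


def compare(before, after, metric, alpha=0.05):
    """Compare one metric ('clicked' or 'submitted_credentials') across two runs."""
    x1, n1 = before[metric], before["targeted"]
    x2, n2 = after[metric], after["targeted"]
    z, p_value = two_proportion_z_test(x1, n1, x2, n2)
    p1, p2 = x1 / n1, x2 / n2
    return {
        "metric": metric,
        "before": p1,
        "after": p2,
        "relative_change": (p2 - p1) / p1 if p1 else 0.0,
        "z": z,
        "p_value": p_value,
        "significant": p_value < alpha,
    }


def campaign_report(simulations=SIMULATIONS):
    """Both metrics side by side, as a list of comparison dicts."""
    return [
        compare(simulations["before"], simulations["after"], metric)
        for metric in ("clicked", "submitted_credentials")
    ]


if __name__ == "__main__":
    for row in campaign_report():
        print(
            f"{row['metric']:<22} before {row['before']:.1%}  after {row['after']:.1%}  "
            f"change {row['relative_change']:+.0%}  p={row['p_value']:.3f}  "
            f"{'significant' if row['significant'] else 'not significant'}"
        )
```

With the constructed numbers the click rate falls from about 26% to 15% and that drop is significant at the 5% level, while the credential rate falls from about 12% to 6% but, with roughly 120 people per run, is not: that is exactly the "you might see some success, you might not" situation, and the honest answer is to keep measuring with the quarterly simulations rather than to declare victory on one run.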
How to keep the momentum going
When you compare your numbers from before and after the campaign, you might already see some success, or you might not, and that is okay. Awareness campaigns are not sprints but marathons, and it is important to provide a constant supply of reminders and new content in the weeks and months after the campaign. At Awin, we run quarterly phishing simulations with random subsets of employees and share the results within Awin (anonymised, of course), including the success rates, the actual attack and the lessons we can all take from it. The more often people see examples of scams, the more likely they are to detect one.
Awareness campaigns often sound more complicated than they need to be, and we hope this article shows that they can be run with little to medium effort if you have a relevant theme, enough content and a good way to measure your success.
Supposedly, an intelligent person needs to hear something six times to fully internalize it, so repetition is key. What makes an awareness campaign great is if your audience doesn’t feel like they are consuming repeated content, because every piece is interesting and different in approach, style and substance.
1) A strong urge to action should always be a warning trigger. Question the urgency. Is it legitimate? Don’t let an email intimidate you.
2) Professional emails usually follow a pattern in how greetings and sign-offs are phrased, as well as in layout, spelling and grammar. Beware of discrepancies.
3) Always verify you know the source of a message, as in the email address (check spelling and source), phone number or social media profile.
4) Never click on a link you don’t know. To check where a link really leads, hover over it in the email to see the actual destination behind it.
5) Err on the side of caution. If something is too good to be true or seems suspicious, there is a good chance it is.
6) Beware of attachments, especially when files would normally be shared through other means such as SharePoint.
7) Only ever provide credentials (such as passwords) over secure connections and on known websites and forms (check URLs).
8) Expect phishing everywhere. No matter if at work or in your private life.
9) Ask for help. If you think you might have received a phishing message, no matter how small the suspicion, send it on to the cyber security team in your company.
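Tips 1, 3, 4 and 7 above are exactly the checks a security team can automate for the messages employees forward under tip 9. The script below is an added example and not Awin's tooling: it parses a constructed phishing-style email, compares the visible text of each link with the host the link actually leads to (the same mismatch a person sees by hovering), flags link and sender hosts outside an assumed set of trusted domains, flags internationalised hostnames that may hide lookalike characters, and flags urgency wording in the subject. `TRUSTED_DOMAINS`, `URGENCY_WORDS`, the sample message and the `registrable()` helper (a last-two-labels approximation that does not consult the public suffix list) are all assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation owns or routinely uses.
TRUSTED_DOMAINS = {"example.com", "sharepoint.com"}
# Assumption: wording that signals the 'strong urge to action' from tip 1.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "final notice")

# Constructed sample message in the style of a credential-phishing mail.
SAMPLE_EMAIL = """\
From: "IT Support" <it-support@example-com.xyz>
To: alice@example.com
Subject: URGENT: your mailbox will be suspended in 2 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is over quota. Sign in now to keep your account:</p>
<p><a href="http://example-com.xyz/login">https://login.example.com</a></p>
<p>Policy details are on <a href="https://docs.example.com/policy">our intranet</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Last two labels of a host. Assumption: no public-suffix list, so
    'login.example.com' -> 'example.com' is right but 'x.co.uk' would be wrong."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Findings for one link: shown-vs-real host mismatch, lookalike encodings,
    and hosts outside the trusted set."""
    findings, real_host = [], host_of(href)
    if "." in text and " " not in text:          # visible text looks like a URL
        shown_host = host_of(text)
        if shown_host and registrable(shown_host) != registrable(real_host):
            findings.append(f"shows {shown_host} but leads to {real_host}")
    punycode = any(label.startswith("xn--") for label in real_host.split("."))
    if punycode or any(ord(c) > 127 for c in real_host):
        findings.append(f"internationalised host {real_host}, check for lookalike characters")
    if registrable(real_host) not in TRUSTED_DOMAINS:
        findings.append(f"host {real_host} is not a trusted domain")
    return findings


def check_sender(msg):
    """Tip 3: the display name is free text, so judge the address domain instead."""
    display_name, address = parseaddr(msg["From"])
    domain = address.rpartition("@")[2].lower()
    if registrable(domain) not in TRUSTED_DOMAINS:
        return [f"sender '{display_name}' <{address}> is outside the trusted domains"]
    return []


def check_subject(msg):
    """Tip 1: pressure to act now is itself a warning sign."""
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    return [f"urgency wording in subject: {', '.join(hits)}"] if hits else []


def analyse(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg) + check_subject(msg)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        findings.extend(f"link {href}: {f}" for f in check_link(href, text))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message this yields four findings: the sender domain is untrusted, the subject carries urgency wording, and the first link shows `login.example.com` while leading to `example-com.xyz`, which is also untrusted; the intranet link to `docs.example.com` produces nothing. The host comparison is deliberately done on the registrable domain rather than the full hostname, so legitimate subdomains of your own domain do not trigger alerts.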