By Matthew Goodwin
In this paper, I will go over what phishing email attacks are and how end-user training can help secure an organization against them. In my organization, I am responsible for securing our network from threats, and employee training plays a large part in that. I will cover some of the things end users need to be aware of when interacting with email so they do not open their organization up to an attack, discuss recent attacks that have made the news, and review some of the employee training tools that may help organizations train their staff to spot and mitigate phishing email attacks.
Email is one of the most convenient forms of communication and is used not only for business communication but also for personal correspondence. Because of email’s wide usage and ease of use, it is the perfect courier for outside entities to use to compromise an organization. The most common attack method, called phishing, seeks to trick an individual into clicking a link or opening an attachment by appearing to come from a legitimate source such as a friend or trusted business. Phishing emails are usually sent from malicious sources to millions of recipients in the hope that some will fall for the hoax and infect their machines or give out personal information. According to Phishing (2015), “Phishing is similar to using a net to catch fish; you do not know what you will catch, but the bigger the net, the more fish you will find.” Links and attachments in phishing emails are usually designed either to harvest information or to infect the recipient’s computer and/or network. Once infected, the recipient’s files may be encrypted and they will be forced to pay to have their files decrypted, or their machine may begin sending out phishing emails attempting to infect other machines. In March of 2018, the city of Atlanta was crippled by a ransomware cyberattack that encrypted much of its network and demanded a ransom. Atlanta’s law enforcement, the court system, city hall, and multiple municipal departments were all taken down for days while teams worked to rid the network of the infestation. The cost of the city’s response to the cyberattack is estimated to be around $17 million. It is not known whether this infestation was started by a phishing email, but a phishing email has the capability to deploy ransomware and infect a network once it is run by the recipient. Even though most organizations have spam filters that will catch and stop many malicious emails from reaching their employees, some email will always get through, which is where employee phishing training comes in.
When an organization’s prevention systems fail to block a malicious email sender, it is up to the recipient to recognize that an email is malicious and deal with it accordingly. Your defenses don’t depend on high-tech anti-hacking coding as much as they do on your people knowing what to look for and reporting attacks (Anti-Phishing, n.d.). Phishing emails can be tricky by their nature, but there are some things employees can look for to help spot one. The “From” address of an email is often a quick way to tell whether an email is from a legitimate source, because many scammers use email addresses that are close to legitimate sender addresses but slightly different. If recipients take a second to double-check these “From” addresses, they should be able to catch the fake address and prevent the phishing attempt. Phishing emails will also usually request urgent action from the recipient in the hope that they will act quickly without thinking about their actions. Employees should be trained to be very cautious of any email requesting immediate action, and when in doubt staff should contact their IT department before taking any action. Since most phishing emails are sent to millions of recipients, the scammer needs the email’s text to be relevant to most of them, which is why a generic greeting can be a big red flag for a phishing email. Another big red flag is an incorrect hyperlink or website address: if an employee hovers over a link in an email and the address that appears is different from the link text, that is a strong sign the email could be malicious. When an organization’s employees receive these tips and others through phishing training, they are less likely to fall for a phishing attempt. A study performed by Gordon, Wright, and Aiyagari (2019) found that among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness.
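The red flags just listed (a lookalike “From” domain, a Reply-To that goes somewhere else, a generic greeting, urgency language, and link text that does not match the real link target) can be checked mechanically as a triage aid for whoever receives reported emails. The script below is an added example, not code from the paper or from any of the vendors it discusses; the trusted domains, the two messages and the keyword lists are constructed for illustration, and the domain comparison is deliberately naive (last two labels) to keep the example short.

```python
"""Heuristic red-flag scan of a raw email: lookalike sender domain, Reply-To
mismatch, generic greeting, urgency language, and anchor text that does not
match the link target. Added example; all domains and messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization expects legitimate mail from (constructed).
TRUSTED_DOMAINS = {"example-bank.com", "contoso.com"}
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours",
                 "account will be suspended", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")


def levenshtein(a, b):
    """Edit distance; a single substituted character (examp1e vs example) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive registrable domain (last two labels); enough for this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain):
    """Untrusted domain within two edits of a trusted one, or embedding its brand label."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(levenshtein(domain, t) <= 2 or t.split(".")[0] in domain
               for t in TRUSTED_DOMAINS)


class _HtmlScan(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def check_message(raw):
    """Return a dict of red-flag name -> detail for a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = {}
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_domain):
        flags["sender_lookalike"] = from_domain
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if registered_domain(reply_domain) != registered_domain(from_domain):
            flags["reply_to_mismatch"] = reply_domain
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        scan = _HtmlScan()
        scan.feed(content)
        text, links = "".join(scan.text), scan.links
    else:  # plain text cannot hide a target, so anchor text == href
        text = content
        links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].lower().startswith(GENERIC_GREETINGS):
        flags["generic_greeting"] = lines[0]
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        flags["urgency_language"] = hits
    for href, anchor in links:
        href_domain = registered_domain(host_of(href))
        # Anchor text that itself looks like a URL must point where it says it does.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", anchor, re.I):
            if registered_domain(host_of(anchor)) != href_domain:
                flags.setdefault("link_mismatch", []).append((anchor, href))
        if is_lookalike(href_domain):
            flags.setdefault("link_lookalike", []).append(href)
    return flags


# Constructed sample messages: one showing every red flag, one legitimate.
SAMPLE_EML = b"""From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recovery@mailbox-free-example.net
To: employee@contoso.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://examp1e-bank.com/verify">https://www.example-bank.com/verify</a></p>
</body></html>
"""
CLEAN_EML = b"""From: "Example Bank" <alerts@example-bank.com>
To: employee@contoso.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Sam,</p>
<p>Your statement for March is available.</p>
<p><a href="https://www.example-bank.com/statements">View statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_EML))  # every flag fires
    print(check_message(CLEAN_EML))   # {}
```

Run it on a saved .eml (read the file as bytes and pass it to `check_message`) and the returned dict reads like the checklist an employee is taught to run by eye. The edit-distance threshold and the "last two labels" domain rule are both tuning knobs; a production triage tool would use a public-suffix list and a larger brand list, but the checks themselves are the same ones the training describes.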
According to HIPAA Journal (2018), a survey conducted by the consultancy firm Censuswide revealed that one in five workers had not been given any security awareness training whatsoever, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. This survey result helps emphasize that just providing training is not enough: you need to provide the right training for your organization, and your organization needs to enforce that training. Just as there is no single type of phishing attack, there is no single type of phishing training or training vendor. Multiple vendors today offer strong phishing simulation and training for end users, and I will briefly discuss three noteworthy platforms: SANS Security Awareness, PhishingBox, and KnowBe4. SANS, a company well known for its training courses, offers a well-rounded end-user training course that includes animations, live-action scenarios, hands-on simulations, and interactive cyber-attack games. SANS tailors its training to a large audience by making it available in over 30 languages and delivering training videos with subtitles, voiceovers, and transcripts. PhishingBox advertises its phishing awareness training as an easy-to-use platform that is mobile friendly and has real-time reporting. PhishingBox offers several training courses ranging from general information security to more targeted phishing awareness training and allows an organization to create its own training. KnowBe4, a recognized leader in security awareness training, provides an easy-to-use training website with a training library of 850+ instructional and interactive training items.
KnowBe4 also offers features such as Industry Benchmarking, which compares your organization with other companies in the same industry; a Phish Alert Button, which allows end users to report phishing attempts directly from Outlook; and USB Drive and Vishing tests to help train end users on other attack surfaces. All three of these training vendors provide similar services, all intended to help an organization’s end users be better prepared for a phishing attack. It is important for an organization to review the various training options and find the solution that works best for it.
My organization chose to implement KnowBe4 for our employee security training, and we have been pleased with the results. When we first started with KnowBe4, they performed a baseline simulated phishing test on our environment, which resulted in about 24% of our organization’s employees clicking on the simulated malicious link. These results helped drive the development of testing and training programs for our organization. Our testing program with KnowBe4 is a monthly simulated phishing attack with double-random message delivery. The test is double-random because it pulls from the top reported phishing attacks each week, and the email delivery is spread across the month throughout working hours, so every employee can receive a different phishing email at a different time. This random testing helps simulate variety and prevents one employee from clicking and then warning others, which would throw off the results. Our training program uses KnowBe4 for both mandatory yearly training and remedial training. Every August, training is selected from KnowBe4’s inventory and deployed to be completed by all of our employees. Our organization supports this training with a policy stating that if an employee does not complete the training in a timely manner, they lose all computer access until it is completed. We also have quarterly remedial training for employees who click on simulated phishing emails. If an employee clicks on a simulated link, their account is added to a group. About every four months, training is selected, any employee in the group is automatically assigned to it, and both the employee and their supervisor are notified via email. If the employee fails to complete their remedial training in a timely manner, they will also lose computer access. Our organization has been running this testing and training program for about two years now, and on average our percentage of phishing email clicks has fallen to about 4%. It is our hope that continued training, coupled with increased support from management, will help bring that percentage even lower.
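The bookkeeping behind the program described above (monthly simulation, clickers collected into a remedial group, a training deadline whose expiry triggers loss of access) is simple enough to reproduce outside any vendor portal, which is useful for auditing the numbers a vendor reports. The code below is an added example, not KnowBe4’s reporting or the county’s own tooling; the employees, dates and completion records are constructed, and the 30-day grace period is an assumption, since the paper only says training must be completed “in a timely manner”.

```python
"""Per-campaign click rate, quarterly remedial group, and overdue list for a
simulated-phishing program. Added example with constructed data."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed monthly simulation results: (employee, delivery date, clicked?).
RESULTS = [
    ("alice", date(2019, 1, 10), True),  ("bob", date(2019, 1, 12), False),
    ("carol", date(2019, 1, 20), False), ("dave", date(2019, 1, 25), True),
    ("alice", date(2019, 2, 7), False),  ("bob", date(2019, 2, 14), False),
    ("carol", date(2019, 2, 19), False), ("dave", date(2019, 2, 26), True),
    ("alice", date(2019, 3, 5), False),  ("bob", date(2019, 3, 11), True),
    ("carol", date(2019, 3, 18), False), ("dave", date(2019, 3, 27), False),
]
# Constructed completion records: employee -> date remedial training was finished.
COMPLETED = {"dave": date(2019, 4, 20)}
GRACE_DAYS = 30  # assumed grace period; the paper says only "in a timely manner"


def click_rate_by_month(results):
    """Percent of delivered simulations that were clicked, keyed by (year, month)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _, when, did_click in results:
        key = (when.year, when.month)
        sent[key] += 1
        clicked[key] += int(did_click)
    return {k: round(100.0 * clicked[k] / sent[k], 1) for k in sorted(sent)}


def remedial_group(results, start, end):
    """Employees who clicked at least one simulation delivered in [start, end]."""
    return sorted({emp for emp, when, did_click in results
                   if did_click and start <= when <= end})


def overdue(group, completed, assigned_on, today, grace_days=GRACE_DAYS):
    """Group members with no completion on record once the grace period has passed.
    Under the policy described in the paper, these accounts lose computer access."""
    deadline = assigned_on + timedelta(days=grace_days)
    if today <= deadline:
        return []
    return [emp for emp in group if emp not in completed]


if __name__ == "__main__":
    print(click_rate_by_month(RESULTS))
    group = remedial_group(RESULTS, date(2019, 1, 1), date(2019, 3, 31))
    print("remedial group:", group)
    print("overdue:", overdue(group, COMPLETED, date(2019, 4, 1), date(2019, 5, 15)))
```

Feeding a real export into `RESULTS` (one row per delivered simulation) gives the same monthly trend line the paper summarizes as 24% at baseline and about 4% two years later, and the `overdue` list is exactly the set whose access would be suspended under the stated policy.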
Awareness and training can play a large part in keeping an organization secure from phishing attacks. There are many types of phishing attacks, but if an end user knows which red flags to look for, they are less likely to fall for them. With many companies available that provide security training, an organization should be able to find one that meets its budget and its needs. Do you agree that training is an essential part of security? If you oversaw an organization, would you implement a training program for your employees?
Phishing. (2015). Retrieved March 31, 2019, from https://www.sans.org/security-awareness-training/ouch-newsletter/2015/phishing
Anti-Phishing: The Importance of Phishing Awareness Training. (n.d.). Retrieved March 31, 2019, from https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/anti-phishing-the-importance-of-phishing-awareness-training/#gref
HIPAA Journal. (2018, December 17). Study Highlights Seriousness of Phishing Threat and the Importance of Security Awareness Training. Retrieved March 31, 2019, from https://www.hipaajournal.com/study-phishing-security-awareness-training-employees/
Gordon, W. J., Wright, A., & Aiyagari, R. (2019, March 08). Employee Susceptibility to Phishing Attacks at US Health Care Institutions. Retrieved March 31, 2019, from https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2727270
Douglas, T. (2018, October/November). What Can We Learn from Atlanta? Retrieved March 31, 2019, from https://www.govtech.com/security/What-Can-We-Learn-from-Atlanta.html
KnowBe4. (n.d.). Enterprise Security Awareness Training. Retrieved March 31, 2019, from https://www.knowbe4.com/products/enterprise-security-awareness-training/
Phishing Awareness Training. (n.d.). Retrieved March 31, 2019, from https://www.phishingbox.com/products-services/phishing-awareness-training
SANS™ Institute. (n.d.). EndUser Training. Retrieved March 31, 2019, from https://www.sans.org/security-awareness-training/products/end-user
About the Author
Matthew Goodwin is a Network Manager with the Carteret County Government. For the last several years he has overseen the County’s network, infrastructure, and security needs.