Tips to Prepare for an Effective Phishing Attack Simulation
According to statistics, 94% of malware arrives via email and 32% of security breaches in 2019 involved phishing. Although SMEs have greatly improved the way they respond to vulnerabilities and even zero-day attacks over the course of the last year, the result is that attackers are shifting the focus of their assaults away from the operating system towards remote control tools and consultants, and towards phishing attacks that target users.
Businesses have responded to this change with “patch the human” phishing attack simulations, but these are frequently ineffective and sometimes even unethical. Staff training can keep the system safe, but phishing bait must take external circumstances into account, and the design should focus on training staff rather than shaming them.
Employees who fail a phishing simulation demonstrate where their company has fallen short in its effort to train and protect them. To succeed, education needs to be continuous reinforcement, not a one-off event that attracts attention and leads to accidents.
A phishing simulation campaign will not succeed without proper preparation, so companies need to know what they must provide or teach before testing their employees.
Explaining the motivation and technique of attackers
Before starting a phishing simulation test, the simulated attacker needs to understand the concept of targeting users based on particular behaviors and topics, and the kind of information people actually want. Over the course of the last year, real attackers have used phishing bait based on everything from the pandemic to the US election.
Users should be educated to recognize news that could be used as phishing bait, to distrust news that arrives as email links, and to avoid visiting sites that offer this type of news.
Strong passwords are essential
Attackers use such sites to trick users into entering authentication data, so it is important to explain how password policies deal with this. Authentication information management is near a tipping point: one long-standing method of protecting authentication information has been to require that it is changed frequently.
However, this method can result in authentication fatigue, and other protections are now in use, including two-factor authentication and technologies that do not use passwords at all. Companies must make sure that users understand these changes.
Trusted links
Users should be taught to use a small number of trusted links and to avoid clicking links embedded in emails. For instance, if a user receives an email instructing them to change their password, that password should be changed via an established link rather than the one included in the email.
It is equally important for administrators to have a management workstation they trust. Network administrators may need to open various admin links, and it is a good idea to bookmark admin portals so that such links are only ever opened from a trusted location. Use a dedicated, sufficiently protected workstation for that function, or use remote access.
Identifying malicious links
Users should be taught to only visit links that begin with the standard HTTPS and never to visit unprotected sites that use plain HTTP. Even experts can find it difficult to check whether an SSL certificate is genuinely appropriate and chained to the correct root certificate, so the most practical advice for users is to check that the site shows a padlock symbol and a site certificate. Another way to ensure compliance is a browser tool that forces SSL use.
Users should be taught to hover the mouse cursor over a link before clicking it; even with a firewall or link filtering enabled in the email software, users should still know how to check the links within emails.
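The two checks described in this section, the scheme check and the "hover before clicking" comparison of what a link shows against where it really goes, can be automated over the HTML body of a message. The following is an added example (not code from the original article or from Indusface) that parses the anchors in a constructed sample email and flags links that are not HTTPS or whose visible text names a different host than the real target; the host names in the sample are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a suspicious e-mail, as a mail client would render it.
SAMPLE_EMAIL_HTML = """
<p>Your password expires today. <a href="http://login-example.test/reset">Reset it here</a></p>
<p>Or sign in at <a href="https://accounts.example-secure.test/">https://accounts.example.test/</a></p>
<p>Read the policy: <a href="https://intranet.example.test/policy">intranet policy</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email_links(html):
    """Return [(href, [reasons])] for every link a user should not click blindly."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        if target.scheme != "https":
            reasons.append("not https")
        # What hovering reveals: the text looks like a URL for one host, the real destination is another.
        shown = urlparse(text) if "://" in text else None
        if shown and shown.hostname and shown.hostname != target.hostname:
            reasons.append(f"text shows {shown.hostname} but link goes to {target.hostname}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

The scheme check only confirms the connection will be encrypted; phishing sites use HTTPS too, which is why the text-versus-target comparison is the more valuable of the two checks.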
Conclusion
Random simulated phishing attacks should be run on a recurring basis, but the process must be used to educate workers rather than to berate them.
Indusface offers penetration testing services that can perform a phishing attack simulation and determine the employees who may need additional training.
These services also help to test your company’s email defenses, check how capable your firewall is, identify website defense gaps, and test and detail how malware such as ransomware, spyware, viruses and worms spreads through your devices and whether your security solutions are up to the task of detecting and preventing that spread.