
inspiredelearning.com

By Mison Riggins

WHITEPAPER

PhishProof Report: How to Decrease Phishing Email Click Rates


WHITEPAPER – PhishProof Report: How to Decrease Phishing Email Click Rates 2

Contents

- 2 Executive Summary

- 3 Introduction

- 4 Learning Moments

- 6 Comparisons

- 6 Company A

- 7 Company B

- 8 Findings

- 10 In Summary

- 10 Action Items

- 11 Works Cited

Executive Summary

Phishing attacks grow more sophisticated with each passing year. With advances in machine learning technology, we are seeing a rise in automated spear phishing attacks that target C-suite executives and board members on a mass scale. Nefarious actors will comb through social media profiles to identify these senior level department heads and either attack them directly with personalized email messaging, or spoof their identities, giving instructions to subordinates through email, SMS messages, or voice calls. The only way to combat phishing, SMiShing, and vishing respectively is to shore up our front line defense: the end users.

Through the use of PhishProof, Inspired eLearning’s Anti-Phishing Simulation Tool, and our award-winning courseware, Inspired eLearning is able to provide a holistic security awareness training solution. In fact, we have witnessed a trending decline in click rates when users have participated in phishing simulations as a part of their ongoing cybersecurity awareness training. When examining a sampling of 215 mid-sized companies with similar demographics in May of 2018, we found that if you phish your employees once a year, your company will have a 27% susceptibility rate. Instead, if you increase the number of PhishProof phishing campaigns to once a month, your susceptibility rate drops to 4%.

This report will examine the trends and findings from PhishProof’s Global Reporting Statistics and provide a snapshot comparison of two anonymous companies.


WHITEPAPER – PhishProof Report: How to Decrease Phishing Email Click Rates 3

Introduction

As with any strategic plan of attack, the low hanging fruit is usually the easiest point of entry. Rather than investing the brunt of their time and energy in technological hacks, cybercriminals are instead taking advantage of the lucrative side of social engineering attacks. Phishing, the most common type of social engineering attack, uses fake emails to entice users to visit a prefabricated corrupted site or fill in their credentials in a “laced” form. The corrupted site may have malware, a virus, or trojans embedded on the site or within a downloadable “lure” — for example, a must-see-cutest-cat-compilation video. The laced form, on the other hand, will capture all inputted credentials, including usernames, passwords, addresses, mobile phone numbers, etc., which are then sold in bulk on the Dark Web or used for escalated attacks.

In the U.S. alone, users open 30% of all phishing emails, with 12% of these targeted users clicking on the infected links or attachments (Verizon, 2018, p. 3). Moreover, customized or personalized phishing emails, also known as spear-phishing or whaling, being sent to executives are on the rise. Symantec’s 2019 Internet Security Threat Report (ISTR), vol. 24, states, “Spear-phishing emails remained the most popular avenue for attack and were used by 65 percent of all known groups” (p. 49). The C-suite and board members are considered high-value targets due to their level of access to corporate assets and intellectual property (Check Point Research, 2019, p. 7). By combing through social media profiles, attackers can identify these senior level department heads and investors. Pulling personal information or even names of employees, phishers easily create spear-phishing emails and/or spoofing attacks to trick busy executives into forwarding financial information or other sensitive data.

The scary part is that they are automating this process with web crawlers and machine learning techniques to create realistic infected emails. “The most likely reason for an organization to experience a targeted attack was intelligence gathering, which is the motive for 96 percent of groups” (Symantec, 2019). User credentials, user medical details, intellectual property, and blackmail fodder are only a few of the many pieces of information up for sale on the Dark Web. Frightening? Indeed. Can we do something about it? Yes.

Users open 30% of all phishing emails. – 2018 Verizon Data Breach Investigations Report (DBIR)


Learning Moments

Since the inception of PhishProof, Inspired eLearning’s Phishing Simulation Tool, we have found a trending decline in click-rates when users have participated in phishing simulations as a part of their on-going security awareness training. By “click-rate,” we refer to the “phished” users who clicked on a malicious link, downloaded an infected attachment, or filled out a “laced” form.

Some additional noteworthy inferences we were able to draw from Inspired eLearning’s PhishProof Global Reports (all organizations using PhishProof) are as follows:

• The most successful phishing campaigns overall are the heavily customized ones where org admins begin with a Blank Template and create their own phishing email templates. These templates are directly targeting their own user base and often resemble spear phishing attacks.

• Package Delivery templates with links to “Track Your Package” also scored high — 44% of these templates were clicked. More exposure to these types of templates along with just-in-time training will raise awareness and reduce click-rates.

• Only 1% of users were susceptible to the Apple Form Submit templates. This low click-rate is due to the awareness level of users, whether it’s because they were able to identify the “phishy nature” of the messaging, or they do not use Apple or iOS products.

• Click-rates dropped even lower for companies who utilized the phishing email reporting tool, PhishHook¹. When users report suspicious phishing emails, they receive immediate feedback on positively identifying a phishing simulation. This intrinsic reward fuels participation. In addition, when actual phishing attack emails are reported, the users are now part of the solution in protecting the company from a potential breach.

¹ Inspired eLearning’s built-in PhishProof reporting tool, PhishHook, is an add-on that sits on your email client which allows users to actively report phishing emails with a click of a button. Users will receive immediate feedback on whether the phishing email was a simulation or not. Additionally, PhishProof will forward the reported email as an attachment to your IT admins so they can act on real threats.


When combining Inspired eLearning’s Security Awareness Training Courses and just-in-time training with phishing simulations, users are less prone to click without first verifying the sender’s email address and hovering to see the full link address. From our Global Reports, we are able to see that users are more susceptible to spear phishing and package delivery scams. With that in mind, we should expose users to more of these types of campaigns. In fact, to mimic real phishing attacks, we should incorporate the following elements to lure susceptible users in phishing campaigns:

• timing,

• flashy click buttons,

• trust in a “name” by using recognizable titles or C-suite names as the sender,

• personalization (use of receiver’s first and last name) in the greeting,

• sense of urgency!!!, and

• trust in a “brand” by using logos or widely known brand icons to lend credibility².

Other aspects to consider when creating simulated phishing emails are current events, Patch Tuesdays, and anti-malware warnings. Since attackers use these very same scams to social engineer their way into company networks, we must create similarly themed mock campaigns in order to equip our users with the tools to thwart these pervasive attacks.

Frequency of phishing campaigns also greatly influences the decline in click-rates. When examining a sampling of 215 mid-sized companies with similar demographics in May of 2018, we found that if you phish your employees once a year, your company will have a 27% susceptibility rate. Instead, if you increase the number of phishing campaigns to once a month, your susceptibility rate drops to 4%. More exposure to different kinds of phishing templates, different levels, and different types of phishing attacks helps users, your employees, to recognize the signs and lean toward reporting a phish rather than clicking on one. To aid in diversifying campaigns, PhishProof also has a Campaign Randomizer feature which allows organization admins to easily launch a variety of email templates in one Campaign send.

² Discretion is advised. Unauthorized use of trademarks is prohibited under the trademark laws of the United States and other countries.

Comparisons

Let’s examine the phishing data of two of Inspired eLearning’s customers. Company A is in the telecommunications industry and is comprised of more than 3,000 employees. Company B is in the government industry and is comprised of over 9,000 employees. Located in the USA, both Company A and Company B have been actively using PhishProof for just over 3 years. Here is a snapshot of each company.

Company A

Through its own facilities and agreements with other providers across the USA, Company A provides cable television service, Internet access, and wireline and cellular telephone service. Of their 3,000 employees, 1,700 of them are registered active PhishProof users. Before we look at the phishing data, there are two things to note:

1. Campaign Style: Company A divides their users alphabetically by last name into groups of 100, and then spreads out their phishing campaigns among these groups so that users within a department will receive different email templates. They use this “popcorn” campaign style to reduce the workroom chatter and have more accurate click-rates, since the employees are not able to identify who else may receive the same phishing email. On the flip side, employees will have more exposure to the types of phishing threats out there as they each share their set of phishing email templates. This style is akin to utilizing our built-in Randomizer tool.

2. Campaign Frequency: As each campaign is sent out per group, Company A has gone from 171 campaigns across 17,800 total phishing emails a year to 252 campaigns across 21,700 emails a year. Over the course of the last 3 years, they have sent out 662 campaigns across 61,800 phishing emails.

As you can see from the charted data below, Company A experienced a 58% decrease in their click-rates on baited links over the 3-year period. They also saw a 98% decrease in users who filled out laced forms.

[Chart: Company A: % of Clicks Year over Year, 2016–2018; y-axis 0%–6%]


Company B

Centered in the USA with satellite offices abroad, Company B deals with archiving historical assets alongside their other federal duties. With over 9,000 employees, 9,118 of them are registered active users. Before we look at the phishing data, two things to note:

1. Campaign Style: Company B sends out one campaign at a time to all users. They use this standard campaign style since the employees are spread out across the U.S. and abroad. They also promoted dialogue about the simulated phishing emails between employees so that collective learning helps to bring the click-rates down overall.

2. Campaign Frequency: From two campaigns per year to one campaign per month, Company B is now sending out a total of 12 campaigns per year. Over the course of the last 3 years, they have sent out 26 campaigns with a total of 210,300 phishing emails. In 2019, they are now sending out two campaigns per month with higher-than-before reporting rates, where their users actively report potential phishing threats using PhishHook.

While Company B significantly lowered their click-rate from 10% in 2016 to 3% in 2018, we can see from the graph below that 2017 was their best year, coming in at 1% of baited links clicked by their users. Upon further examination, we noticed that most of the campaigns sent out in 2017 were at the “Easy” level. In 2018, Company B decided to challenge their users further by doubling the number of simulations sent out to once a month and increasing the difficulty levels of each campaign. The low 3% click-rate is a testament to their continued efforts at engaging users and targeting different difficulty levels. Overall, Company B experienced a greater decrease in baited links being clicked during the 3-year period, at 72%. They also saw a 97% decrease in Form Fill simulations, making their current click-rate for laced forms submitted 0.09%.

[Chart: Company B: % of Clicks Year over Year, 2016–2018; y-axis 0%–12%]

Findings

We selected two companies with very different approaches to training their users with PhishProof’s phishing simulations. Company A chose the “popcorn” campaign style where they divided their users into arbitrary groups of 100 and sent out random campaigns across users so that employees in similar departments received different campaigns. Company B went with the standard campaign style where every employee received the same campaign. While either method is suitable and gains results in lowering the overall click-rates, we did find that Company B had a higher percentage in overall decreased click-rates by almost 15%. We can speculate that this may be due to conversations amongst colleagues who alert their neighbors when they see the phishing campaigns. By encouraging users to have open conversations about possible phishing threats, Company B was able to raise their overall awareness. Company A, on the other hand, had a steady decline as they launched multiple and frequent campaigns across their user base.

Both companies had low click-rates for attachments opened and forms filled out.

Other factors that also contributed to the decline in click-rates for Company B were the timely Security Awareness Fundamentals courses that were deployed to their user base. Company A did not augment their simulation training with courseware during the three years, whereas Company B deployed 36 separate courses from our Security Awareness Library. We can see the marked drop in click-rates from 2016 to 2017 for Company B.

[Chart: Percentage of Click-Rates Over Time, Company A vs. Company B, 2016–2018; y-axis 0%–12%]

Key Take-A-Ways

• Test users with PhishProof at least once a month to drive lower click-rates, whether through popcorn or standard campaign styles. Utilizing the PhishProof Randomizer to do both would be a best practice.

• Empower your users to report potential phishing attacks by using the PhishHook Reporting tool along with Inspired eLearning’s Security First Solutions.

• Challenge your users by varying the difficulty levels and the types of campaigns being sent out, either with Link Click, Form Submission, or Attachment types. Don’t forget to include spear phishing simulations by personalizing the content of the email template.

• Emphasize the importance of reporting all potential phishing threats. This can be done through companywide emails about phishing susceptibility. Make sure every employee knows they are a part of the Human Firewall protecting the company. This increases employee buy-in to the program if you keep them up to date.

• Encourage dialogue among employees. Awareness often spreads through experience and word of mouth. This is part of keeping security awareness top of mind, and why it is important to sometimes send phishing campaigns that are easy to detect.

• Additional training for susceptible users can be set up through PhishProof, in which these users can receive additional targeted phishing campaigns to increase their exposure.

In Summary

“Security is like a living organism. It has to adapt to the changing environment, or it won’t be effective” (Check Point Research, 2019, p. 11). As we have seen from our findings above, in order to combat the ever-evolving social engineering attacks of phishing, we must inoculate our users through exposure to various types of phishing campaigns. Executives often opt for quick and easy access by storing confidential information on their mobile devices rather than using secure best practices. Not only should executives and board members receive phishing campaigns, but they should also utilize Inspired eLearning’s Security Awareness for Managers course to make sure C-level executives are active participants in your security awareness program. Moreover, we must “educate and remind everyone that phishing attacks have become far more successful due to social engineering tactics” (Check Point Research, 2019, p. 7).

Endpoint protection measures and inbox scanning tools go a long way to reducing the exposure of our users to phishing attacks. However, with BYOD and mobile devices becoming the go-to for checking business and personal email, we need to fortify our end users, the front line of defense, through bite-sized learning modules in conjunction with hands-on simulated attacks such as Phishing, Vishing, SMiShing, and USB-Baiting.

Action Items

1. Don’t wait, start now! Security awareness training starts now, regardless of age group, level of tech savviness, or position on the corporate ladder.

2. Use PhishProof to its fullest potential by phishing your users on a monthly cadence. Include a variety of simulations in your security awareness training: SMiShing, Vishing, USB Baiting, and Phishing, to include not only link clicks but also form submits and attachments. Security First Solutions makes this easy for you with its integrated learning path.

3. Don’t allow executives and board members to skip the training! C-suite executives and board members should also receive the same types of phishing simulation training along with targeted spear phishing.

4. Set your phishing threshold count to 3 max. The third time users are phished, each will automatically be assigned a related training course.

5. Make use of our free built-in reporting tool, PhishHook! It conveniently sits on your email client as an add-on. Users can click the PhishHook button whenever they feel an email looks suspicious. They will receive immediate feedback on whether the email was a phishing simulation or a potential threat.

6. Create a Security First culture and raise awareness within your company. Take advantage of our free resources by posting security awareness posters and infographics in high traffic areas.
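To make the report's programme metrics concrete, here is an added Python example (not Inspired eLearning's or PhishProof's code) that computes yearly click-rates as the report defines them (link click, laced form, or attachment), the percentage decrease over the period, the threshold-of-3 auto-enrolment rule from action item 4, and Company A's alphabetical "popcorn" grouping. The event log, user names, and template names are constructed for illustration.

```python
"""Phishing-simulation programme metrics of the kind the report describes.
Constructed example; not Inspired eLearning's or PhishProof's code."""
from collections import Counter
from itertools import cycle

# Outcomes the report counts as a "click": link click, laced form, attachment.
PHISHED = {"clicked", "form", "attachment"}

# Constructed sample log of (year, user, outcome); ten simulated sends per year.
RAW = [
    (2016, "ann.baker", "clicked"), (2016, "bo.chen", "form"),
    (2016, "cy.diaz", "none"), (2016, "di.evans", "clicked"),
    (2016, "ann.baker", "clicked"), (2016, "bo.chen", "none"),
    (2016, "cy.diaz", "attachment"), (2016, "di.evans", "none"),
    (2016, "ann.baker", "none"), (2016, "bo.chen", "reported"),
    (2017, "ann.baker", "clicked"), (2017, "bo.chen", "none"),
    (2017, "cy.diaz", "reported"), (2017, "di.evans", "none"),
    (2017, "ann.baker", "none"), (2017, "bo.chen", "reported"),
    (2017, "cy.diaz", "none"), (2017, "di.evans", "form"),
    (2017, "ann.baker", "reported"), (2017, "bo.chen", "none"),
    (2018, "ann.baker", "clicked"), (2018, "bo.chen", "reported"),
    (2018, "cy.diaz", "reported"), (2018, "di.evans", "none"),
    (2018, "ann.baker", "reported"), (2018, "bo.chen", "none"),
    (2018, "cy.diaz", "none"), (2018, "di.evans", "reported"),
    (2018, "ann.baker", "none"), (2018, "bo.chen", "reported"),
]


def yearly_rates(events):
    """Per year: (click-rate, report-rate) as fractions of emails sent."""
    sent, phished, reported = Counter(), Counter(), Counter()
    for year, _user, outcome in events:
        sent[year] += 1
        phished[year] += outcome in PHISHED
        reported[year] += outcome == "reported"
    return {y: (phished[y] / sent[y], reported[y] / sent[y]) for y in sorted(sent)}


def percent_decrease(first, last):
    """Relative drop from the first to the last year's click-rate, in percent."""
    return round((first - last) / first * 100, 1)


def users_to_enrol(events, threshold=3):
    """Users phished `threshold` or more times across all campaigns (the
    report's 'threshold count of 3'), who get a training course assigned."""
    hits = Counter(user for _y, user, outcome in events if outcome in PHISHED)
    return sorted(u for u, n in hits.items() if n >= threshold)


def popcorn_groups(users, templates, size=100):
    """Order users alphabetically by last name, cut them into groups of `size`,
    and give each group a different template round-robin (Company A's style)."""
    ordered = sorted(users, key=lambda u: u.rsplit(".", 1)[-1])
    groups = [ordered[i:i + size] for i in range(0, len(ordered), size)]
    return [(t, g) for t, g in zip(cycle(templates), groups)]


if __name__ == "__main__":
    rates = yearly_rates(RAW)
    for year, (click, report) in rates.items():
        print(f"{year}: click-rate {click:.0%}, report-rate {report:.0%}")
    print("decrease 2016->2018:", percent_decrease(rates[2016][0], rates[2018][0]), "%")
    print("enrol in training:", users_to_enrol(RAW))
    print(popcorn_groups({u for _, u, _ in RAW}, ["package", "custom"], size=2))
```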


Works Cited

Check Point Research. 2019. 2019 Security Report: Welcome to the Future of Cyber Security. San Carlos: Check Point Software Technologies LTD, 68. Accessed March 15, 2019. https://pages.checkpoint.com/cyber-security-report-2019.html.

Check Point Research. 2019. A Cyber Security Field Guide for Executives: Putting the Cyber Landscape in Perspective. San Carlos: Check Point Software Technologies LTD, 12. Accessed March 15, 2019.

Symantec. 2019. Internet Security Threat Report, Vol. 24. Mountain View: Symantec Corporation, 61. Accessed March 15, 2019. https://www.symantec.com/security-center/threat-report.

Verizon. 2018. 2018 Verizon Data Breach Investigations Report. New York: Verizon. Accessed March 15, 2019. https://enterprise.verizon.com/resources/reports/dbir/.

About Inspired eLearning

Named an Inc. 5000 company for the 5th year in a row, Inspired eLearning delivers the highest quality educational products to transform corporate culture, nurture and enhance workforce skills and deliver maximum ROI for the corporate education budget. Inspired eLearning offers Security Awareness and Compliance solutions that include Security First Solutions, CyQ Cybersecurity Assessment tool, PhishProof phishing assessment software, content integration and a fully hosted web-based eLearning course delivery and tracking system using the iLMS (Inspired Learning Management System).

Contact Inspired eLearning at: [email protected] or call us at 800.631.2078.

inspiredelearning.com

©2019 Inspired eLearning LLC.

4630 N Loop 1604 W, Suite 401, San Antonio, TX 78249

Phone: 1.210.579.0224 · Toll Free: 1.800.631.2078

Sales: [email protected] · [email protected]