In a recent study on cyber security, the Federal Bureau of Investigation (FBI) estimated a $3.5 Billion loss due to email scams. Hackers and adversaries are making more and more use of the email as a medium to get inside the organization’s network. Emails are being used as a mechanism to deliver the malicious software on a user machines (malware, backdoor, rootkit, Trojan, etc.). Hackers will deceive the users in clicking links to deploy the malicious software and the email content and intended recipient is thoroughly researched. Adversaries also send URLs which redirect the users to a look-alike site and if a user falls in the trap and enters the login credentials, the hackers get hold of it to carry malicious activities.

Adversaries can also direct users to the websites which are infected by malware and once a user visits the infected website, the malware get deployed on the user’s work station (drive by download). In many cases the intent is not to deploy any malware but to trick the action upon things the way the adversaries requires, like requesting a targeted user in finance department to change the account details of the vendor for making the payments. In these cases, an adversary will forge the email id of the sender to be displayed as it appears to come from a legitimate sender. However, the reply-to field will be a spoofed domain. If the user does not check the reply-to, the details will land up in the hands of the adversary.

Most of the organizations spend billions of dollars annually to secure the infrastructure and environment, but they spend nothing or very little to protect the weakest link – ‘the human’. A simple targeted link is all it takes to trick the human mind, rendering the technical protection ineffective. In fact, 67% of the cyber security incidents started with phishing emails. Also the recent studies have shown that the effectiveness of the antivirus products in detecting the malware has reduced to around 43%. One of the best controls to prevent or at least reduce the chances of such cyber security incidents are to ‘phish your own users’. In the fast and dynamically changing cyber security world, it is equally important to conduct phishing exercises on your own users like doing internal and external penetration testing which is done to secure organization’s infrastructure.

Cyber criminals and hackers most of the time target the weakest link in the security chain; which is human. Organizations can put lot of gizmos at the perimeter and internal network such as Next Generation Firewall, Intrusion Detection/Prevention Systems, Threat Intelligence, Security Incident & Event Management, Data Loss Prevention, etc. but do very little to protect the weakest link. Providing an
annual training and expecting the end user to memorize those and not fall victim to phishing attacks is too much an expectation. Understanding the phishing technique and not fall victim to it may be somewhat easy for IT professionals but what about the other departments such as sales, marketing, human resource, procurement, finance, etc. It is difficult for them to understand the technical details; in a similar way understanding their lingo by a technical professional. How much an IT professional will make out of the words such as conversion ratio, direct marketing, Ex parte, Pro Se, etc?

Doing periodic phishing drills on your own Organization not only help an organization to raise the level of awareness but also help the organization to calculate and justify the ROI on the awareness program (web based, class room, video based, etc.). This will surely result in end user being more aware and chance of falling to phishing scams decreases which can result in avoiding any direct/indirect financial losses, reputation loss or customer churns. Also organization must take steps in which they must go one step further in providing training and awareness to their Top Executives and Business Heads, so that the organization and their end users are better equipped to handle Spear Phishing (or target phishing) or Whaling (phishing attack against top officials) attacks. Since the Board Members, Top Executive (CXOs) and Business Heads have very sensitive information about the company planning, future products, merger acquisition, they have to be provided adequate awareness and constant assessment of the subject understanding, so that the chances of them falling a pray to these attacks becomes less.

All of the above will surely result in changed user behaviour and will lead to the weakest link to be the powerful defence against preventing and responding to cyber security threat. But this has some cons as well. It is never a good idea to make the user feel guilty if they click on the link during a phishing exercise. An ideal way is if an user clicks on a link during the phishing exercise, instead of highlighting it or telling to the user’s manager, upon clicking the link, the user must be taken to the training site mentioning that the link which was clicked was a trap and the user must undergo the training on phishing to ensure that the possibility of re-occurrence is minimized. Following steps can be taken to raise the awareness of the end user, Executive and Management against phishing (Spear phishing and/or Whaling) attacks: Annual web based and/or class room training explaining details on phishing Inform the user not to click on the email they did not expect. Even if the email is look to come from a known email id, if asking to click a link and if the user is not expecting such things, they should never click on the link If the email id in the To field looks legitimate, the user must validate the reply to email id Video based training for the Top Management, Executives and Business Heads Half Yearly organization wide phishing exercise Half Yearly spear phishing and whaling exercise on top management.

Strong process must be established where if a transfer of money or change of account details is asked via an email, process must be in place to approve such transactions via approval from two or more people. A confirmation process must be built with the partners. Where on requesting certain change in information or account details, the recipient must confirm back to the other partner via sending an email on the known email address (not just replying to the received email), marking two or more concerned people. A phishing mail most of the time will demand an urgent action. Processes must be built to handle such scenarios. The whole objective is to ‘phish your own users in a safe manner’. It was not long when the idea of phishing your own users were controversial and few raised eyebrows. But since the cyber security world is dynamically changing and the adversaries are finding newer and newer ways to breach the security controls; the mind-set among organizations have changed and many organizations are finding the idea of ‘phishing your own users’ in a positive way. As the saying goes, ‘Prevent and Prepare is always better than repent and repair’.