Security Awareness and phishing security testing

Phishing attacks account for around 90% of data breaches.
In the last year, phishing attacks have increased by 65%.
As many as 76% of businesses have accepted that at least one of their employees fell victim to a phishing attack.
Further, a Verizon report found that 30% of phishing emails are opened by targeted users.
As phishing attacks are credited with 90% of cyber attacks, BreachLock experts recommend regular security awareness sessions coupled with phishing penetration tests so that the chances of a successful phishing attack are reduced with a multi-fold approach.

What is phishing?

Phishing is a type of social engineering attack in which the attackers pretend to be trustworthy or reliable sources to gather personal or sensitive information about the target organization or individual. Over time, the attackers have started to employ sophisticated techniques along with using realistic email templates. Readily available phishing kits have made it easy for cybercriminals with minimum technical skills, to launch large-scale phishing attacks.
While preparing for phishing attacks, many attackers study their target audience to craft a relevant email to get a better success rate. When phishing attacks are targeted on businesses, the attackers aim to gather sensitive information such as usernames, passwords, trade secrets, client details, among other types of business information not available in the public domain.
Phishing emails, disguised to have originated from genuine sources, contain malicious links or email attachments. At times, an attacker may communicate repetitively with an employee over an email conversation to establish a sense of trust before he aims to trick the employee into sharing business information that he is not supposed to share.

Examples of phishing attacks

In one of our recent articles on ensuring cybersecurity and compliance while employees are working remotely, we briefly discussed how COVID-19 has led to a significant increase in the number of phishing emails being received by employees. For example, individuals are receiving emails that appear to have come from WHO with a request for donations.
In another phishing as a service, phishing emails appearing to come from the US Centre for Disease Control (CDC) have been reported. These emails claim that by accessing the given link, one can access the list of coronavirus cases in their area.

Figure: Source - US Health & Human Services

Moreover, emails claiming to originate from healthcare specialists have also been reported. In one such phishing campaign, employees have received emails regarding changes in workplace policies. It is observed that the name of the policy is hyperlinked to a malicious site.

Figure: Source – Norton

Why should an organization be worried about phishing attacks?

Human beings continue to be the weakest link in a cybersecurity ecosystem. Irrespective of the robust technical security solutions an organization implements, its people remain vulnerable to manipulation that can lead them to reveal sensitive information. At times, an attacker targets a very specific set of employees, and such attacks are referred to as spear-phishing attacks. A spear-phishing email may contain information relevant to a target employee’s areas of interest, hobbies, organizational position, etc.  As a result, the email is easily believable, and the targeted recipient gets engaged.
With the statistics discussed earlier, it is safe to consider that phishing attacks pose a significant risk to all organizations, public or private. Unfortunately, there is no full-proof solution yet. Therefore, organizations must organize security awareness training for employees, regularly, so that they are aware of trending phishing attacks and are able to identify whether an email is genuine or not. Good internet etiquette such as browsing safe websites and avoiding downloading any files or tools from untrusted or freemium websites can also be instilled.
Employees must understand that the security of their organization’s technical infrastructure is not only the sole responsibility of the internal security team but they, too, have an equally important and responsible part to play here. When an organization conducts regular training sessions; phishing penetration tests, or phishing simulations can be conducted to measure the efficiency of such sessions.

How does BreachLock help in phishing penetration testing?

Simply put, a phishing penetration testing exercise aims to identify the employees who are susceptible to phishing attacks. Depending upon the agreed plan between BreachLock and its clients, the scope of employees to be targeted is decided. There are two possible ways:

Level 1: Baseline Phishing Penetration Testing

This is a generic exercise in which phishing emails are sent to all the employees of an organization. The number of clicks on malicious links contained in the sent emails is recorded. The results of this activity are considered for establishing a baseline for security awareness within the organization.

Level 2: Advanced Phishing Penetration Testing

Instead of merely sending phishing emails, an advanced level phishing penetration test not only allows an organization to test the efficiency of training programs and measure effectiveness but also helps in assessing the maturity of their security program through the following set of steps:

1. Checking firewall rules and proxy servers, if any.
2. Assessing the implementation of updates and patch management policy.
3. Checking the efficiency of available anti-virus/anti-malware applications in detecting malicious files.
4. Ascertaining the percentage of employees susceptible to phishing attacks.

Often, we have seen organizations believing that an email is harmless, and cannot disrupt their business operations. However, the statistics and case studies do not tend to agree. It should be noted that absolute security is a myth. Maintaining the security posture of an organization is a continuous process, and humans, as well as technology, are equal partners in striving for the highest level of security. Phishing attacks are high-probability and high-impact threats, and hence, they must be dealt with meticulously. BreachLock helps organizations ensure that their defenses hold strong against various evolving phishing attacks.