October is Cybersecurity Awareness Month, which is a time to educate people on good security practices. Unfortunately, the users who really need the training are usually the ones who ignore the training opportunities. How do you get these people to actually take cybersecurity seriously? You trick them.
Ok – I know that sounds bad and I am not suggesting being a bad guy. What I did was launch a phishing campaign against the entire office part of my organization. That is roughly 5000 people globally. I really did not know what to expect when I started the campaign. I was hoping for better results but, regardless of the outcome, it was a really interesting project. At my level of involvement, I was privy to a lot of details that I cannot divulge even to other people in my organization. However, I can help you understand why this is a really good tool to help with the training effort.
Let’s discuss data privacy, which can be a dreaded topic for international companies. Workers in the US should not expect data privacy, which means some things are easier for security staff to do. However, there are laws and regulations in other countries that take data privacy seriously – just look up the EU data privacy laws (especially GDPR) to get an understanding of what I am referring to. This is why you need to get Legal and HR buy-in before moving forward with phishing your users. The important concept that helped my efforts was making sure I was not collecting any IDs and passwords AND (this one may be more important) that names would not get divulged under any circumstances. It is OK that IT Security knows these details because that is part of the job – how can you collect information without knowing the details? The important part is that IT Security will only be divulging statistical details – the percentages of users doing something. Statistics should be divulged to everyone, including senior management, but names should not be divulged to anyone under any circumstance.
Another important thing to mention is to inform the users who gave up their credentials but, more importantly, do not make them feel dumb about it. Yes, they just did a really stupid thing, but let them know why it was stupid. The message should not be “hey, you are stupid” but rather “oops, you fell for a phishing email – good news, it was fake this time.” Also, add details around the campaign, such as why it is being performed. Let the users know that there is a good reason for this and that it is to help them be better with cybersecurity awareness. This is a good time to point out any tools that you have to help identify bad emails.
When performing these types of campaigns, you should not be looking to trick your users. The actual bad players are getting better, but they do make mistakes. The emails I used were (to me) obvious fakes. For starters, there were some tools already implemented to help the users. First, I had previously implemented a simple tag in emails by prepending the subject line with a marker showing that external emails were external. So, when the users receive an email from the “CEO” and the subject says it is external, they may do a better job of realizing it is not really the CEO. I made sure all of my phishing emails included this tag. Some of the phishing emails purported to come from one of the executives, so having that tag should have been an obvious sign (or at least I thought). Second, I used different but similar domains, since this does happen in the wild. Finally, I made sure there were some spelling and grammar mistakes in the email body – nothing too crazy, but a few here and there. Another tool I had already deployed was branding our Office 365 login – the company logo and a photo taken inside one of my locations were added. One of my phishing emails claimed to be from IT asking users to change their Office 365 password, but I used the same screen that Microsoft uses as a default. I thought that not seeing the company logo would be a good sign that it was fake.
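The external-email subject tag and the “different but similar domain” trick described above, as an added example that is not the author’s own tooling: it parses a raw message, classifies the sender domain as internal, lookalike or external, and prepends the tag once, discarding any tag the sender supplied. The organization domain `example.com`, the tag text `[EXTERNAL]` and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example: the organisation's own domain and the tag text.
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"
LOOKALIKE_MAX_DISTANCE = 2

def levenshtein(a, b):
    """Edit distance, enough to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'internal', 'lookalike' or 'external' for the address in a From header."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in INTERNAL_DOMAINS:
        return "internal"
    for internal in INTERNAL_DOMAINS:
        # Our name buried in a longer one, or a near-miss spelling, is the
        # "different but similar domain" the post describes.
        if internal in domain or levenshtein(domain, internal) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "external"

def tag_message(raw):
    """Parse a raw RFC 5322 message; return (classification, subject after tagging)."""
    msg = email.message_from_string(raw, policy=policy.default)
    kind = classify_sender(msg.get("From", ""))
    subject = (msg.get("Subject") or "").strip()
    # Drop any tag the sender supplied so it is never trusted, then add exactly
    # one tag for anything that did not originate inside the organisation.
    while subject.startswith(TAG):
        subject = subject[len(TAG):].lstrip()
    if kind != "internal":
        subject = f"{TAG} {subject}"
    return kind, subject

# Constructed sample: a lookalike "CEO" message that already carries a fake tag.
SAMPLE = ("From: CEO <ceo@examp1e.com>\r\nTo: staff@example.com\r\n"
          "Subject: [EXTERNAL] Urgent wire request\r\n\r\nPlease handle this today.\r\n")
print(tag_message(SAMPLE))  # ('lookalike', '[EXTERNAL] Urgent wire request')
```

The lookalike class is what a mail gateway would route to a stricter policy or a warning banner; the plain external class just gets the tag the post relies on.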
One thing to note is that the IT staff who deal with end users will get very anxious during the campaign. Their usual reaction to a major incident like a global phishing campaign is to notify users to be aware of it. This is where management needs to walk the tightrope by not allowing them to send out that notification. In addition, they need to be given some information about what is happening, but not all of it, as they should be part of the test. Besides, the more people who know about the campaign, the more risk that the information will get out sooner.
The final part of my campaign was to inform all of the users about what happened. At this point, the people who gave over their credentials knew about the campaign, and I am willing to bet that they shared that information with some others. However, there were people who still did not know. The most important thing is to share the information that you can. This is when the statistical findings should be shared so everyone can understand what happened. This should be done in a forum where the most people will hear it. I was able to get the word out during my company’s quarterly employee forum and was able to include some details around the correct way to report bad emails. There were some interesting responses as to what happened, but most were positive.
So what can I share about my campaign? Roughly 15% of the users gave their credentials willingly, and roughly the same amount reported the attempts to IT Security the way they were told to. There were a few users (roughly 2%) who reported it, but not in a way that helps – if these were real phishes, IT would be forced to follow up with these users for further information. Of course, that means over 60% of the users were unaccounted for. I can only assume that these people either deleted the email without notifying anyone or may have just not read the email yet. Either way, it is a big number of people who did not do anything to help the situation. Unfortunately, these are probably the same people who tend to ignore cybersecurity training.
Even with those numbers, I think the campaign was a success. Why am I claiming this? Because there has been a genuine uptick in phishing reports since the campaign ended. Unfortunately, there has been an uptick in false reports, too. Roughly 35% of the email reports since the campaign are legitimate emails, including some internal ones. I guess a future follow-up training may include how to spot fake emails (and that some emails are spam, not phishing). Regardless, it is an improvement, and I think my users are genuinely questioning emails more. I would recommend performing a phishing campaign to any company.