back to article If you have to simulate a phishing attack on your org, at least try to get something useful from it

Just when it looked as if the US Democratic National Committee (DNC) had finally got one over on the phishing hackers that had been owning it since 2016, the triumph was torn away by a moment of rebellious fakery. On August 20, DNC security partner Lookout's machine-learning system spotted a site impersonating the DNC …

  1. Zippy´s Sausage Factory

    My work does these every so often. They're easy to spot because they send them from SalesForce, so all you have to do is to hover over the URL and ... oh look, our IT department are at it again.

    Still, reporting them to the helpdesk always earns you brownie points, so I'm not complaining.

    1. Joe Harrison

      Embarrassing when you make false positive though. "Hahaha look at this complete moron pretending to be my boss, can't even write" etc. But it actually was from your boss.

      1. mmccul

        Removing the stigma against false positive reporting is important. If you aren't reporting false positives, you aren't reporting real phishing events. Err on the side of reporting. Build that culture of acceptance to presume *any* unanticipated email with links or instructions from the outside is a phish and you'll drop your click rate significantly.

        Yes, it's annoying to have to email your team and say "You will receive an email from such'n'such place. It will be about this topic. Please respond to it", but it helps.

        1. Yet Another Anonymous coward Silver badge

          >Yes, it's annoying to have to email your team and say

          Presumably you first have to send a memo to all of them telling people that `that email` is genuine, and have a company wide meeting to say that the memo is genuine and ....

      2. This post has been deleted by its author

    2. Gavin Chester

      We sim-u-phish employees too.

      I'm not sure whats worse, the fact we can't use anything as realistic in these exercises as the real phishers do, so most of our people can tell its a phish as it looks amateur (We can't use real brand/names/logos for examples such as fake Paypal/ iTunes invoices as that may cause other issues).

      Or the fact we still have a small number of people fall for these phishes almost every time even through they look fake to a semi-trained eye...

      1. Cuddles

        "we can't use anything as realistic in these exercises as the real phishers do, so most of our people can tell its a phish as it looks amateur"

        I wonder how much this actually makes things worse. It's essentially teaching people that phishing looks like obvious fakes, potentially making them more likely to fall for real phishing which doesn't have the same restrictions.

        1. Yet Another Anonymous coward Silver badge

          I get really professional ones at work all the time.

          They appear to come from the boss's email, demanding status reports and project updates - but I never fall for them

    3. GnuTzu
      Thumb Up

      Seeking The Best Phishing Education and Testing

      "hover over the URL and ... oh look, our IT department are at it again."

      There much better systems out there.

      We use an external service, and it takes a proper InfoSec analyst to tell that there coming from that external service. Furthermore, clicking the simulated phishing link just puts the user through a training page to educate rather than punish. We've also got a great big "Report Phishing" button in the outlook ribbon/toolbar, and we tally when users correctly recognize the simulated phishing email when they push that button. Finally, external email is marked as such in the subject line.

      This is the best phishing education and testing that I've seen so far. Anyone know of better features?

      1. Philip Stott

        Re: Seeking The Best Phishing Education and Testing

        You don’t work for S&P Global by any chance?

        They have a similar thing there. The praise from getting it right with the Report Phish button is like a virtual hug :-p

      2. EJ

        Re: Seeking The Best Phishing Education and Testing

        Sounds like KnowBe4...

    4. BillG
      Holmes

      The secret of blind phishing simulation, then, is good blind phishing simulation, which means following a few rules. The first of these is that running the test should generate useful data, both for the testers but also the people being tested.

      Or to quote Spock: "Before performing a test, decide what you will do if the results are positive or negative. If the answers are the same, don't perform the test."

    5. a_yank_lurker

      @Zippy - I see training attacks occasionally. I think all large companies will do it to see what happens. There will always a few who will fall for a phish and almost everyone will be fooled a few times also. Even if the training attack is not as sophisticated as a real one might be, I think the idea of seeing who consistently falls for one is good idea.

    6. Anonymou5 Coward
      Linux

      They could probably up the difficulty of the phishing tests. At my place of work, we use KnowBe4 and if you hover over the link on low-medium difficulty it will show up as from KnowBe4. But on the two higher difficulties you can pick any domain you want.

  2. Pen-y-gors

    But how...?

    I suspect there are many ways to do phishing research. Some good, some bad. But surely one of the things to be done is to occasionally have a confidential one to target senior management just to prove to them that they, with their mekon-brains, can be fooled, and that if they can, then think how easy it will be to fool their idiot menials. And so please can we have some more money for cyber-security. Ta.

    Sometimes these things need to be secret. I remember living on a Vulcan nuclear-bomber base in the early seventies. Every now and then a staff car would turn up unannounced at the gate (any time of day or night, but usually night), would go to the C.O. and shortly after the sirens would go off. No-one but the C.O. knew if it was a drill or if they had four minutes to live. Tends to focus the mind wonderfully. But f*cking terrifying.

    1. Rich 11

      Re: But how...?

      Delivering a four-minute warning by staff car seems like a very slow method of distributing a warning of impending doom. What if the messenger gets held up in traffic?

  3. Potemkine! Silver badge

    Simply proving that some people fall for phishing attacks is an empty discovery because that much is known.

    In IT circles maybe, but outside of them not that much.

    At both sides of the organization, many CxO and many standard users are mostly untouched by information/education on phishing. Pwning them is not an empty discovery for them. Also, it's interesting for IT to have an estimation of the clicky-happy crowd.

  4. Red Ted
    Thumb Up

    Expect a Who Me? column soon

    Who, Me? It's that time of the week again, where Reg readers 'fess up to IT errors and jokes that went awry, in the hope of some catharsis.

  5. Anonymous Coward
    Anonymous Coward

    We do these "tests" on staff...

    ...and we use convincing imitations of banking, fast food, coupon, on-line email, HM Tax office, and auction site alerts. And of course Social Networking sites - both the usual "big" sites, personal and professional.

    Don't work too hard to disguise the "from" address, and obviously the links don't even look a little bit genuine if you hover.

    But clicking the links takes you to a semi-believable "login" type page that if interacted with generates an error (so you can't *actually* put in any credentials...).

    All contracted out which makes things easier and saves us mocking up emails and websites...

    We get details of who opens the email, who clicks the links, and who tried to interact with the fake page.

    Depressing report.

    Usual suspects.

    Too many.

    Everyone in our Government org has had to work through Cyber defence training courses EVERY year, but apparently some shallower areas of the gene pool cannot be educated about Cyber Security.

    Anon because I still enjoy my job... and if you could work out who I work for, political masters would demand a spherical sacrifice.

    1. John Brown (no body) Silver badge

      Re: We do these "tests" on staff...

      "...and we use convincing imitations of banking, fast food, coupon, on-line email, HM Tax office, and auction site alerts. And of course Social Networking sites - both the usual "big" sites, personal and professional."

      Not forgetting that most of those categories should not be used by employees with their work email addresses anyway so anyone responding to some of those should be being educated on how to separate personal and work stuff.

  6. mmccul

    What's the metric?

    In any effort like this, one of the things a good manager wants to know is how do we measure this so we know if it is effective? What is the method to measure improvement? Number of clicks? Number of repeat clicks? As the article says, someone will always click. In one phishing training I saw, the security team member clicked on the link and was literally typing in their live username and password, "to be helpful".

    I argue that the critical missing metric is time based. How long until that first report? How long until that first click? Can we get people trained to report these things quickly, alerting the trained staff fast enough that they could actually respond and block the malicious URL before the first click? It's ambitious, but it gives you a real measure of your window of vulnerability and your ability to contain the damage.

    1. a_yank_lurker

      Re: What's the metric?

      The metrics I would want to see is who is consistently falling for a phishing attack and how many failed the each test. I would not be surprised if there is a group of 'usual suspects' who usually fall for a phishing attack and there would be some random number who had a bad day, accidentally clicked on the link, etc. Also, properly designed, it might give a clue of how to screen emails from the outside to cut down the number of attacks getting through.

    2. usbac Silver badge

      Re: What's the metric?

      The security team member that clicked and tried to enter their credentials should be either reassigned or dismissed. They clearly should not be on the security team!!!

      We just started using an outside service for testing for phishing. I sent out the first wave of emails without letting anyone know ahead of time. Even senior management wasn't informed. Frankly, I wanted to know if they would click through?

      Fortunately, our CEO very much values efforts to keep us secure, and he has a good sense of humor (and a lot of humility). If he would have fallen for it, we could have just had a big laugh about it. When I told him about the test (a few days later), his response was "good job!, oh crap I didn't open it did I?" No one from senior management fell for the test. That is a very good thing.

      I did get a good butt chewing from a couple of managers during the test for not sending out a company-wide email warning everyone about the phishing attempt. This would have of course ruined the test. They understood later when everything was explained, and some apologized.

      Out of 45 people, I had 2 open and click the link. No one tried to enter credentials. As people mentioned above, what does this data mean? It's good news, I think? The two people that did click have openly admitted it to everyone, and thus been humorously embarrassed internally. I wasn't going to name names, just speak to them personally. They outed themselves!

      Overall, I think it was a successful educational moment. I was very happy that so many people called or emailed me asking about this suspicious email.

      What I wasn't mentally prepared for was how to answer the questions like "what should I do?" or "does this email look suspicious?" The fact that the user called me to ask, I considered that a success. What I didn't think through was the effect of, if I told someone that "yes, that does look suspicious, don't open it" they would warn other users. How many of the other users might have clicked through if they didn't get warned ahead of time from other users?

      Bruce

      1. John Brown (no body) Silver badge

        Re: What's the metric?

        "How many of the other users might have clicked through if they didn't get warned ahead of time from other users?"

        I would have thought that would another useful metric, although a bit more difficult measure at the time.

  7. amanfromMars 1 Silver badge

    For Whom Does the Bell Toll? ... The Buck Stops with What/Whom?

    And whenever there are no known higher ups?

  8. Nick Kew

    Russian Hackers

    So they discovered it within 30 minutes, and of course blamed Russian hackers.

    If they're sufficiently alert to flag an attack within 30 minutes, doesn't that make the whole thing a Red (under the bed) Herring? If Putin really does have a team seeking to "hack" US politics, they must be laughing at the enemy's focus on an area where it's already so strong.

    Microsoft's recent announcement about taking down similar phishing sites looks like another indication that such sites are a deeply ineffective approach to *acking the US. At best, yesterday's attack.

    1. doublelayer Silver badge

      Re: Russian Hackers

      I wouldn't count on that. Sure, generic phishing attacks are fragile; they can be detected and usually they are ineptly built. However, a standard phishing attack is usually done to get a few people. If an attacker gets four credential pairs out of a thousand people, they're probably quite pleased. There are ways that phishing can be done better, be that "spear phishing" (tailoring everything to one specific victim, which increases the likelihood that someone clicks on it), using various methods to make detection harder (for example, many phishers don't try to pretend to be from a trustworthy domain, but it can be done), or having lots of small phishing sites such that the death of one doesn't really affect much. The proper flagging of this attempt doesn't mean that something else can get through.

  9. David Roberts
    Facepalm

    Is the real problem...

    ......that people were just too keen to be the first on Social Media to blame Rusiia and Republicans and other usual suspects?

    Perhaps the correct approach should have been to notify in-house security and give them time to investigate rather than go public immediately and warn the attacker that they have been rumbled.

    As far as I can tell, there was no clear evidence of the source of the attack so the knee jerk blaming was counter productive. No doubt they are now ganging up on the security testers to try and conceal what idiots they are. A knee jerk reaction based on no firm evidence puts them in the "boy who cried wolf" category and confirms them as a source of fake news.

    A meatware email virus, quite common, involves sending out an email such as "Local Police are warning that Iranian spies are operating in your area disguised as window cleaners. Please warn ALL your friends IMMEDIATELY!" which has loads of people flooding email with this bogus information.

    People are so keen to demonstrate how they are privy to important information that they don't stop to think that it might be bogus.

    The people who cried Wolf are the ones who should be getting the roasting,

    1. amanfromMars 1 Silver badge

      Is the real problem then in UKGBNI ... Cabinet Office Numpties?

      The people who cried Wolf are the ones who should be getting the roasting, ... David Roberts

      The post title both questions and says it all remarkably succinctly. And IT outs simply a gang of politically incorrect lightweights proving themselves to be unfit and totally unsuited to Future Greater IntelAIgent Game purpose.

      And it does have one questioning the collective intelligence of Parliamentarians whenever they cannot generate peace and prosperity to replace their support of conflict guaranteeing austerity and expansionist taxation?

    2. Chairman of the Bored

      Re: Is the real problem...

      Aye! A pint, sir, excellent comments.

      My first thought is that having your ship together before blathering to the press should be considered a core organizational capability.

      My second thought is... damnit! Those window washers were not Iranian spies?? I wasted some illegals for nothi..? Damn, brb... gotta call someone...

      1. John Brown (no body) Silver badge

        Re: Is the real problem...

        "My first thought is that having your ship together before blathering to the press should be considered a core organizational capability."

        In any normal organisation, things like this get pushed out via the PR department or equivilent if a smaller org. But here we a talking about a political party where all the elected party members think they are more important than the party officials and have their own PR contacts. Good luck with getting that sort of org to pass everything through a proper procedure when they all think they can get a scoop on their enemies and their friends.

  10. Anonymous Coward
    Anonymous Coward

    Too much carrot, not enough stick.

    Until there are some actual repercussions for clicking that link then nothing will change. Make falling for phishing a disciplinary offence, if your current training would have highlighted the phishing attempt and someone clicked anyway then write them up. If someone falls for a fake/real phish that is not covered by your training then use it as a good opportunity to update your training.

    e.g. Our training says hover over a link and inspect the domain names / urls before clicking and someone gets stung by an obvious fake be it a test fake or a real phishing attack they get written up. Too many fails and you're out the door. It would only take 1 or 2 getting fired over phishing before the rest of the workforce wises up. Too much carrot and not enough stick imho.

    1. Robert Carnegie Silver badge

      Re: Too much carrot, not enough stick.

      Is clicking on a link in e-mail ever a good idea?

      Hmm... yesterday I sent some third-party public site links in internal e-mail.

      That's probably all right but perhaps I should have used a nice zip file?...

  11. LucreLout

    Wait, what?

    For sure, blind phishing simulation – tests where important people are not in on the test – tend to end badly.

    Much of the time these are the people that cause the problem in the first place. They sit further up a notional hierarchy than you do and insist on having elevated access permissions to anything they can possibly conceive they might one day look at once. Then they go get phished.....

  12. Anonymous Coward
    Anonymous Coward

    Constant stick no carrot ....

    Does work the other way as well ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like