Why Your Phishing Training Sucks

If you've worked in an office environment in the last 10 years you have most likely had to do mandatory security awareness training that taught you the dangers of phishing emails. This probably covered some of the tell-tale signs of phishing and the dangers of clicking links. You may even have had phishing simulations, where your internal security team sent test phishing emails. When you receive a phishing email the instructions are simple: smash that report button to let your IT/security team know you didn't fall for it.

This type of training has its place and does improve the security awareness of staff, but it does little to empower individuals to defend against social engineering attacks. Let's be real: do you really think the hacker doesn't know they should make the email as convincing as possible? Yes, some hackers still make those basic mistakes, but they are literally the lowest tier of threat. And, not to jump on the hype train too much, but yes, AI is making it even easier to write convincing emails.

In this edition we want to dig into what exactly phishing is, why your training sucks, and what to do instead.

Weaponisation of Social Norms

Most phishing or scam tactics involve what I like to call the "weaponisation of social norms": using or abusing social norms to achieve a particular outcome. In the cyber security industry this is more commonly known as "social engineering", but I prefer my naming.

Phishing, and scams in general, rely on social norms to be effective. If you understand social norms, you can predict how people are likely to behave in certain circumstances. A hacker leverages social norms in such a way that they can steer their target's response. Much like computer hacking, before you can break software you must intimately know how it works. The same applies here: if a hacker understands the social norms of their target, they can use that to their advantage.

You have probably heard a story about someone receiving an email from their "boss" asking for gift cards to be purchased urgently. Looked at objectively, it seems almost laughable. But there's a reason it works. If someone is used to doing what their boss says, or is eager to please, they might not question the request. The same applies to those tax office scams. People don't want to get in trouble with the government or pay a fine, so they react quickly to avoid that outcome.

Emails, SMS, Voice Calls & More

In this day and age we are hyper-connected, and your contact details have probably made their way online one way or another, whether from a data breach, a marketing platform, or because you published your number online at some point. Either way, our phone numbers, email addresses, and other personal information are not hard to find. So getting a phone call from someone who knows your name, email address, postal address, or even who your internet provider is should be expected. The same applies to organisations. While LinkedIn is great for professional networking, finding jobs, or connecting with old colleagues, it is also a trove of information for hackers.

In adversarial simulations (AKA acting like a hacker) we often used social engineering and phishing tactics to gain access to a network, and LinkedIn was our first stop. We could find the names and positions of our client's staff and then send highly targeted phishing campaigns, using information that was publicly available online to build trust and demonstrate "insider knowledge".

So the takeaway here is that someone calling you and knowing certain details about you is not a reason to trust them.

Why Spelling Mistakes Don't Matter

Phishing training is generally focussed on getting staff to closely examine the emails they receive: looking for discrepancies in email addresses, suspicious links, or spelling mistakes. My opinion is that this is completely useless. Firstly, it is possible to send a phishing email that passes all of those checks. Secondly, legitimate emails often fail those checks too. Have you looked at a link contained in an email recently? The number of trackers, URL shorteners, and other redirect wrappers in links basically ensures every email link should be considered suspicious.
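As an added example (not code from the original post), here is a small Python script that does what an attentive reader would have to do by hand for every link: strip the tracking and redirect wrappers to find the real destination host, decode punycode so homograph domains become visible, and compare that host with the domain the link text shows. The redirect parameter names and the sample email body are assumptions constructed for the example, and nothing here makes a network request.

```python
"""Added example (not code from the original post): unwrap the tracking and
redirect wrappers commonly found in email links and compare the domain the
reader *sees* with the host the link actually points at. Runs offline; the
sample email below is constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Query keys that click-tracking and "safe link" wrappers commonly use to carry
# the real destination. This list is an assumption for the example.
REDIRECT_KEYS = ("url", "u", "redirect", "target", "dest", "r", "link")

# Constructed sample email body: one legitimate tracked link, one lookalike
# host hidden behind legitimate-looking link text, and one punycode homograph
# (xn--pple-43d.com, a Cyrillic "a") behind a redirect wrapper.
SAMPLE_EMAIL = """
<p>Your invoice is ready.
<a href="https://click.mailtrack.example/c?u=https%3A%2F%2Finvoices.example.com%2Fi%2F8812">View invoice</a></p>
<p>Sign in at
<a href="https://login.microsoftonline.com.example-verify.net/">https://login.microsoftonline.com</a>
to confirm.</p>
<p>Support: <a href="https://go.example.org/r?url=https%3A%2F%2Fxn--pple-43d.com%2Flogin">apple.com</a></p>
"""


def unwrap(url: str, max_hops: int = 5) -> list[str]:
    """Follow redirect-style query parameters locally (no HTTP requests) and
    return the chain from the URL in the email to the last URL we can see."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlparse(chain[-1]).query)
        nxt = next(
            (unquote(v) for key in REDIRECT_KEYS for v in params.get(key, [])
             if unquote(v).startswith(("http://", "https://"))),
            None,
        )
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def display_host(url_or_host: str) -> str:
    """Lowercased hostname with punycode (IDN) labels decoded, so a homograph
    such as xn--pple-43d.com shows up as the Cyrillic lookalike it really is."""
    host = urlparse(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already non-ASCII or malformed punycode: show as-is


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def analyse(html: str) -> list[dict]:
    """For every link: the redirect chain, the real final host, and whether the
    text shown to the reader names a different domain than that host."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        chain = unwrap(href)
        final_host = display_host(chain[-1])
        shown = text.lower()
        # Only compare when the visible text itself looks like a URL or domain.
        shown_host = display_host(shown) if ("://" in shown or DOMAIN_RE.fullmatch(shown)) else None
        results.append({
            "text": text,
            "chain": chain,
            "final_host": final_host,
            "mismatch": shown_host is not None and shown_host != final_host,
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_EMAIL):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"[{flag}] '{r['text']}' -> {r['final_host']} via {len(r['chain'])} hop(s)")
```

Run it and the tracked invoice link unwraps to a plausible host while the other two are flagged, which is the point: telling the three apart takes parsing, decoding and comparison, not a glance at the email, so this kind of check belongs in a mail gateway or the browser rather than in a tired employee's head.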

But the more important point is that all those checks go out the window when someone is not in the right frame of mind. Even Troy Hunt fell victim to a phishing campaign against his Mailchimp account. So if a cyber security professional who knows the ins and outs of cyber security, data breaches, and scams can accidentally fall for a phishing email, trust me, you and your staff can too. Being tired, stressed, or otherwise distracted quickly reduces your ability to scrutinise a scam effectively.

Referenced post (Troy Hunt): A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing

So the point of all this is that someone will eventually fall for a phishing email or other scam.

We definitely don't want people clicking bad links, but the good news is that most of the time simply clicking the link isn't the end. Most credential phishing campaigns take you to a fake login page, and the attack only succeeds at the next step, when you enter your username and password. The exceptions are links that download malware directly, which is why the response steps later in this post still matter.

Most phishing training places too much emphasis on not clicking links and offers little guidance on what to do once you have clicked one. I believe teaching people what to do after they've clicked the link is more important than telling them not to click it. Teaching someone not to click the link is like trying to teach first aid by teaching people how not to get injured.

A better framing for training would be to teach people what to do when they eventually get tricked. Assuming people will eventually get tricked is more realistic and will ultimately provide more security than hoping they never do. Do you or your team know what to do if you have just installed malware on your computer? What about if you have put your username and password into a scam page?

What To Do

Ok, I've been going on for a while about problems. It's time for solutions. Here are the mindsets I recommend you adopt and instil in your staff.

Be Suspicious of Everything Inbound

I take this to the extreme. Even if I'm expecting a call, I still never divulge personal information. If someone wants to verify my identity, I need to verify theirs. And if there is no way to do that, then sorry, I'll have to call back. And no, sending me an SMS with a code doesn't count. The point is, you should treat any inbound call as suspicious, even if you're expecting it, and when you call back, use a number you already have, never one the caller gives you.

Always Think Again

You may have responded to an email, maybe even taken a phone call, and then later they send you a link. Is that link legitimate? Even if it's from a friend, a colleague, or someone you spoke to five minutes ago, always think twice. Breaking a phishing campaign into multiple steps is a great way for an attacker to build trust so that the target stops being critical of the links or attachments they send.

Don't Break Protocol

When you are being tricked, the hacker will often need you to do something you don't usually do. Even in a classic phishing scenario, you may click a link that should take you to your Microsoft account, but it's now asking you to log in... But you thought you were already logged in? That's not normal. Stop. Scrutinise the website you're on. Check the URL in the browser's address bar, not the one printed in the email. Call your cyber security team.

Don't Reprimand Victims

If someone has fallen for a phishing campaign, don't punish them. And yes, more mandatory training is punishment. You want a culture where people don't feel shame for being tricked and are instead comfortable knowing what to do once they realise they have been deceived. A victim who fears punishment reports late or not at all, and that delay is what turns one phished password into a company-wide incident.

How To Respond

Lastly, here are the steps I would recommend once you realise you may have fallen victim to an attack (i.e. you clicked the link, downloaded the attachment, or put your password somewhere you shouldn't have).

  1. Immediately change your password. This is the most effective way to block the hacker's access, so do it as fast as you can. Use a completely new password (don't just go from Superman123! to Superman123@) and store it in a password manager or, failing that, on a piece of paper until you can. Where the service offers it, also sign out of all other sessions: on many services a changed password does not end sessions the attacker has already established.
  2. Call your security team. Don't use Teams, email or fax: call the team directly. Any potential compromise should be treated immediately, so the sooner you contact the security team the better. If the attacker has access to your account they can see your emails and Teams messages, so it's best to avoid those channels.
  3. Turn off your computer. If you clicked an attachment or think you installed something you shouldn't have, turn off your computer until you have better instructions from the security team. If you can reach the team first, follow their instructions instead: some prefer the machine disconnected from the network but left powered on so that evidence in memory is preserved. Trust me, that work deadline can easily be pushed to avoid the whole company being hacked.
  4. Be on high alert. If a hacker was able to trick you once, they may try again, but this time instead of an email they might send you an SMS or call you. Treat everything with extra caution.

Conclusion

To wrap it all up: don't rely on your or your team's ability to scrutinise emails. Assume that eventually someone will make a mistake. Focus on teaching your staff how to respond quickly when an incident happens, and make sure your incident response plan is rock-solid.