Phishing, a form of social engineering, is often used by cyber criminals to mimic trusted entities and create a sense of urgency to manipulate people into carrying out actions they would not do unprovoked. For example, attackers may send scam emails or text messages that contain links to malicious websites. The websites may contain malware which can sabotage systems and organisations. Alternatively, they may be designed to trick users into revealing sensitive information such as password or transferring money.
There are several topic areas that may allure individuals to fall prey to phishing. For example, emails with a subject line like “Holiday Policy Change” or “Suspicious Activity on your Account”. Especially if seemingly sent from C-suite names. Authority, scarcity and cooperation are just some of the powerful manipulation tactics used, designed to influence individuals to reveal sensitive information. A study conducted on phishing states that there has been a drastic 61% increase in phishing attacks from 2021 to 2022. The attacks are not only getting more frequent, but also becoming more sophisticated and beyond emails!
How we help
1 Cyber Valley has partnered with CybSafe to run intelligent phishing simulations that reveal what’s driving user risk and therefore influence better security decisions. As a first step, we recommend setting a clear goal ahead of running the phishing simulation. Goals may include ‘decreasing the number of security incidents linked to phishing’, ‘increasing engagement with cybersecurity across the workforce’ and ‘increasing ability to spot and report genuine phishing attacks’.
Next, we will determine the measurement metrics. Gathering the right information will reveal the behaviours that lead to people clicking and why they chose to report. As a result, better decisions can be made about training and other interventions. Examples of metrics include ‘confirmed security incidents linked to phishing’, ‘number of repeat clickers’ and ‘policy violations linked to phishing’. Once a goal has been outlined and metric discussed, we will begin running the campaign. It is recommended that people are informed about the campaign, to spread awareness about phishing and encourage people to report concerns or ask for help.
We will use the data gathered from the campaign to understand patterns and behaviours and therefore be able to formulate appropriate next steps. In order to ensure that enough data is gathered, we recommend running phishing campaigns throughout the year. This also emphasises the fact that phishing activity can happen at any time. The approach outlined above ensures that phishing campaigns are an essential part of your wider cybersecurity initiatives.
Customer Feedback
Phishing campaigns are an essential information security practice that can help avoid detrimental outcomes within organisations. By running phishing simulations that reveal the click rates, you can find out what’s driving your user risk and influence better security decisions. One unifying factor related to phishing campaigns is that many of our clients and organizations have seen a reduction in security incidents related to human error. The reason why financial services companies are being target by hackers is because they have masses of customer data, access to money and payment information. Therefore, this incredibly data-rich environment is very alluring to attackers, and they are more likely to get their hands on private, and incredibly valuable information. Consequently, there is also tremendous damage to the organisation’s reputation in the event of such a breach.
With each passing year, there is a wider range of attacks against financial services and that is the reason why the human aspect has never been a more vital part of organisation's cyber security strategy. Caroline B. from Credit Suisse states that phishing campaigns “help financial services organisations protect their customer data and their reputation. It gives us really robust metrics that help us measure where our people are. It shows their behaviours as well as their attitudes.” Technology is key in almost every aspect of a business. Therefore, a cyber-attack against a tech company can have consequences across other industries. What is the number one goal for attackers when it comes to technology companies you may wonder? The answer is simple - IP theft. In the USA alone, the cost for IP theft reaches more than $300 billion per year.
How do you avoid data theft in an ever-changing technology landscape? Our Phishing campaigns help tech companies make sure that secure end-user behaviour is natural. Whether at home or in the workplace. It helps in measuring and identifying any risks in the human element of their cyber defences. Information Security and Data Protection Officer from Condeco states that this service is "tailored to people’s individual needs. If I need to be heavy in one area for specific job roles, then I can do this.” We understand that every organisation requires a tailor-made approach. Another super important sector which is the victim to data-theft is education. There are approximately 32 million personal records exposed annually and it is quite a gold mine of opportunity for cyber attackers. Some of the data the attackers are prone to steal from the individuals in the education sector is names, addresses and phone numbers. Besides the personal information, higher education institutions also contain valuable, cutting-edge research and development.
Our phishing service allows educational institutions to protect the valuable student, staff and research data. We provide IT teams with a suite of tools to manage Awareness, Behaviour and Culture better. Susie W. who is Estates & Facilities Administrator at The John Whitgift Foundation says that through “timely reminders and refresher courses, their team is now empowered to recognise cyber threats. They know to treat phishing emails with more caution and to report anything suspicious. This has saved time for the foundation. It’s no longer dependent on an external team for help with everyday security concerns.”
PCI DSS v4.0
The upcoming PCI DSS V4.0 standard emphasises that the current ‘best practice’ isn’t enough. As the phishing attacks have evidently increased over the years, section 5.4 of PCI DSS V4.0 states that anti-phishing mechanisms must be in place to protect the business, suppliers, and financial partners against them. Specifically, requirement 5.4.1 mandates the implementation of processes and automated mechanisms to detect and protect personnel against phishing attacks. People need to feel cyber secure working in organisations and dealing with internal and external data.
Notably, this requirement is not satisfied by security awareness training alone, which means that other methods will be needed when this requirement stops being noted as a “best practice” and becomes mandatory in March 2025. Moving forward into the PCI DSS V4.0, auditors will be looking for companies to have anti-spoofing controls to increase security within their organisations.
Conclusion
It is important to remember that phishing emails can hit any organisation regardless of its size and type. As methods of phishing attacks are becoming increasingly sophisticated, it is important to understand the risks involved and implement and maintain an action plan to keep sensitive data protected. Therefore, we recommend taking an intelligent approach to phishing, identifying the behaviours that lead to falling prey to a phishing attack and using that data to support continual improvement.
Disclaimer: the data and information mentioned in this article is partially taken from testimonials provided by CybSafe.
