How end-user phishing training works (and why it doesn’t) – Source: www.bleepingcomputer.com

It always takes two for a phishing attack to work – an attacker to send the bait and an insider to take it. Almost every organization carries out some form of security and awareness training (SAT) to try and tip this balance in favor of the employees in their organization.

Because if we can train end-users on the tell-tale signs of a phishing email, they’ll stop clicking on them, right? IT security teams know this is rarely true.

CISA estimates that as many as 90% of cyber-attacks start with email phishing. It’s still a highly effective way for cybercriminals to gain an initial foothold in organizations by deploying malware or stealing login credentials.

IBM’s 2023 Cost of a Breach report lists phishing and compromised credentials as the two most prevalent attack vectors, as well as being behind many of the more costly breaches.

Training end-users to spot phishing has its benefits, but it’s clear to see organizations as a whole have failed to make a dent in phishing attacks.

So where is SAT effective and how do hackers find ways around it? And how can we protect businesses when attackers do successfully compromise credentials?

To start, it’s important to understand how phishers use social engineering to exploit human psychology.

Why end-users fall for phishing attempts

We can broadly split human thinking into two types: Type 1 and Type 2. Type 1 thinking can be likened to ‘working on autopilot’ where we react intuitively to familiar situations, like driving a car. We can switch into slower and more analytical ‘Type 2’ thinking when encountering a novel situation – like solving a math problem.

Attackers carefully craft phishing emails to keep end-users in the Type 1 mindset. They want people to react quickly, clicking on familiar things like links and attachments without stopping to notice the sometimes-subtle signs of phishing.

The goal of SAT is to help people spot these signs and nudge them back towards Type 2 thinking. However, this won’t work every time. And it’s quite a lot of pressure to put on people.

People react predictably, which is why credentials are compromised by phishing attacks every day. Ever wondered how many of your end-users may have already fallen victim to phishing attacks? 

Run a quick scan of your Active Directory with Specops Password Auditor – it’s free to download, simple to use, and you’ll get a report packed with useful info to keep. Specops Password Auditor is a great way to give your Active Directory a quick ‘health check’ by scanning it against a list of over 950 million compromised credentials.

The strengths of SAT: How can training help?

IBM estimates regular security training for employees can help reduce the cost of a data breach by an average of $232,867. Despite the prevalence of phishing, there are clear benefits to carrying out SAT, when done correctly.

Spotting the obvious stuff

SAT helps individuals spot the telltale signs of phishing attacks by helping users “practice” seeing them in real-world, controlled environments.

While there are advanced phishing attacks targeted at individuals, there are also more basic ones doing the rounds with a quantity over quality approach. End-users learn to spot the following more obvious phishing signs:

• Unusual hyperlink addresses (users can hover with a mouse but this is harder on mobile)
• Spelling and grammatical errors
• Unusual sending times
• Out of the ordinary requests
• Spoofed display names (slightly altered to appear legitimate at a glance e.g. Miicrosoft)
• Low quality images

Catching the clever parts

There are also more subtle tactics that are more likely to be employed in targeted, planned phishing attacks such as spear phishing, CEO fraud, executive impersonation, supply chain compromise, or business email compromise. These include:

• Urgency: A phishing email usually requests action to be taken straight away – they want automatic Type 1 reactions. Speed can also be used as an excuse to break normal processes. The longer an end-user has to think, the more they may question whether it’s legit.
• Plausibility: Phishing attempts are based on real-life, often mundane scenarios. An invoice needs paying, or a file needs reviewing – a believable task that a boss or client might need dealing with quickly.
• Familiarity: Spear phishing is where the attack is at least partially tailored to an individual – often claiming to be from an authority figure such as a CEO, client, or IT team. It’s easy for attackers to learn these relationships from social media or corporate websites.
• Confidentiality: The action required will be specific to the end-user and needs to be done by them alone, as involving another person increases the chances of the scam being spotted.

Phishing simulations: Morally gray?

Fairfax County Public Schools recently made the news by carrying out a phishing exercise to help users understand the dangers of phishing.

On the last day of the school year, a test phishing email was sent to the school district, thanking employees for their work during the school year and offering gift cards as a sign of appreciation. All users had to do was click the link to redeem the offer.

The fact people fell for it proved how effective phishing attacks can be and suggested that some more end-user SAT was needed. The lesson won’t be forgotten quickly. However, some staff members found the test insensitive and unfair. It certainly opens up some interesting questions around how far IT teams should go to find security gaps!

Limitations of security training

It’s a familiar frustration for IT teams. SAT is delivered in line with compliance requirements and best practice, yet the next week an end-user falls for a phishing email. Cybersecurity is at the forefront of IT teams’ minds, but it can be quickly forgotten by end-users.

Hermann Ebbinghaus’s ‘Forgetting Curve’ is a helpful visualization to show how quickly people forget information without regular refreshers. A handful of lengthy information-dense sessions a year is unlikely to have major benefit. SAT is better served little and often helps create a culture of cybersecurity within a business.

The key limitation training is that even if SAT is delivered with regular reinforcement, accidents still happen, especially when end-users are under pressure to make decisions quickly in their day-to-day jobs. Even cyber experts can find it hard to detect a high quality phish at first glance when they’re rushing or stressed.

Organizations need end-users to get it right every time – attackers just need one phishing email to work. Although SAT can be effective against weaker phishing attempts, they often fail to stop users from falling for complex social engineering attacks.

And despite the serious damage that breaches can have on an organization, it’s usually down to overworked security teams to plug the gaps and step in to fix things when phishing inevitably strikes.

As phishing attacks become more sophisticated, it’s vital that organizations equip end-users and IT teams with technology to help. Things like email security software, multi-factor authentication, and endpoint detection and response (EDR) can all complement SAT in the fight against phishing.

However, no technology is bulletproof, so it’s equally key to know when your users’ credentials have been compromised by phishing.

React fast to credential theft

Credential theft is often the goal with phishing, as it gives attackers an entry point into your organization and a platform for further illicit activity. Even strong passwords can become compromised by phishing attacks, especially if end-users are reusing them across personal applications and devices.

Running a scan with Specops Password Auditor is great for an initial health check of your Active Directory, but longer term it’s best to have an automated process in place.

Fighting phishing is a continuous task. Integrating a more advanced third-party tool such as Specops Password Policy into your Active Directory can give IT teams the ongoing visibility into breached credentials they need.

It can enforce compliance requirements, block over 3 billion unique passwords, and help users create stronger passwords with dynamic, informative client feedback.

Specops Password Policy with Breached Password Protection, a feature that checks your users’ passwords against a list of over 3 billion unique compromised passwords – even those being used in attacks right now.

End-users are notified and forced to change passwords before attackers can benefit from purchasing and using their breached credentials. Try Specops Password Policy for free today.

Sponsored and written by Specops Software