There is a common mistake in security awareness training, where teams spend time creating complex and sophisticated phishing simulations that are meant to mimic spear-phishing attacks or business email compromise threats against high-up employees within a business.

The truth is, even the simple use of the words ‘spear phishing’ means that you’re approaching the phishing scam from the wrong side of the table. The term spear phishing is used by security professionals when they look back at a successful hack against a high-up person in the company. Do you know who isn’t using this term? The attackers. Or, for that matter, the employees who fall for the scam. It’s time to accept the facts. There’s either a successful phish, or there isn’t.

The Majority of Phishing Scams are Simple – That Doesn’t Mean They Don’t Work

90% of companies experience phishing attacks every single year, and more than half of these organizations deal with the consequences of at least one successful attack. No one is asking themselves, “how much time did the attackers spend customizing this content?” because attackers aren’t looking to customize their attacks – they are looking to target organizations at scale, working on improving the economics of phishing, and working out how they can get the most return for their efforts.

That means the attackers are casting a wide net, sending as many phishing scams into the wild as possible, and then measuring the results. This is why phishing scams have patterns, and why in some years you’ll see more of one style of phishing attack than another.

How Can I Protect my Organization from this Approach?

Firstly, start thinking as the attackers do. As an organization, you probably have a goal in mind to eliminate phishing scams completely. You might imagine that the ideal solution is to run sophisticated, context-based phishing simulations for all your employees at scale. However, the attackers don’t have the technology to make this level of threat happen at scale, so it’s a waste of your energy to focus on protecting against a type of attack that currently doesn’t exist.

The truth is that there are no ‘complex’ or ‘simple’ phishing scams. Most ‘sophisticated’ phishing attacks rely on a context that is impossible to predict. Take an email that suggests that a flight is delayed for example. 99% of the time, a reader won’t fall for it, as they aren’t taking a flight that day or that week, or they aren’t using that airline. In the 1% of the time where it feels relevant for the recipient, they may fall victim to something the security team may call a spear-phishing attack. However, this is impossible to predict ahead of time.

Instead, machine learning can engage and train employees to recognize the types of scams that are likely to be effective within their group, whether that group is defined by location, team, department, or another differentiator. At CybeReady, we test these groups and measure the data that we get back on who fell for the phish and who didn’t. This allows us to continually refine the algorithm and help employees modify their behavior based on content that is relevant to them, so they are better prepared and educated.

This approach also means that you can test 100% of your employees every single month, unlike spending time and resources on customizing specific ‘spear phishing’ campaigns that only educate a small percentage of your workforce. The vast majority of successful attacks don’t hit the C-suite, so you want to focus on creating a broad level of resilience and a positive security culture across the whole organization. You can only do this by ensuring you’re training all your employees on an ongoing basis – not a select few, occasionally.
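As an added illustration of the data-driven loop described above (example code written for this article's argument, not CybeReady's algorithm), this measures which simulation style each group actually falls for and how much of the workforce a month's campaign reached, using constructed simulation records:

```python
from collections import defaultdict

# Constructed sample results, not real data: one record per simulation
# email sent. Fields: employee, group, template, month, fell_for_it.
RESULTS = [
    ("alice", "finance", "invoice", 1, True),
    ("bob", "finance", "invoice", 1, True),
    ("carol", "finance", "delivery", 1, False),
    ("dave", "sales", "invoice", 1, False),
    ("erin", "sales", "delivery", 1, True),
    ("frank", "sales", "delivery", 1, True),
    ("alice", "finance", "delivery", 2, False),
    ("bob", "finance", "invoice", 2, False),
    ("dave", "sales", "delivery", 2, True),
]
# Constructed staff roster used to measure coverage.
STAFF = {"alice", "bob", "carol", "dave", "erin", "frank"}


def fall_rates(results):
    """Return {group: {template: fraction of recipients who fell for it}}."""
    sent = defaultdict(lambda: defaultdict(int))
    fell = defaultdict(lambda: defaultdict(int))
    for _, group, template, _, did_fall in results:
        sent[group][template] += 1
        if did_fall:
            fell[group][template] += 1
    return {g: {t: fell[g][t] / n for t, n in ts.items()} for g, ts in sent.items()}


def most_effective_template(results):
    """Per group, the template that caught the most recipients: the style
    that group most needs to practise against in the next round."""
    return {g: max(rates, key=rates.get) for g, rates in fall_rates(results).items()}


def monthly_coverage(results, staff):
    """Fraction of all staff that received at least one simulation each month.
    A campaign aimed only at a few senior people scores low here."""
    seen = defaultdict(set)
    for employee, _, _, month, _ in results:
        seen[month].add(employee)
    return {m: len(s & staff) / len(staff) for m, s in seen.items()}
```

With the constructed records, finance falls for the invoice lure and sales for the delivery lure, and month 2 only reached half the staff, which is the gap a continuous program is meant to close.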

Focusing on Impact When Building a Security Awareness Program

When security teams say “I want employees to be protected against the most sophisticated kinds of attacks,” they are missing where they need coverage the most. Attackers aren’t creating technology that phishes with sophistication at scale, so you don’t need to either. Instead, the best security awareness training will offer your employees real-world experience and the ability to be prepared for simple phishing at scale, just like the hackers do.

Still thinking about spear phishing your employees? Read the full video transcript here:

Security professionals created spear-phishing

Security awareness program managers are trying to spear phish employees because they’re trying to get better results. Spear phishing is something that we as security professionals created. It’s a construct we created, but from an employee perspective, there is only an email that either resonated with them or it didn’t. They’re oblivious to whether the hacker invested two seconds or two hours.

Continuous training is effective training

Program managers try to highly customize their attacks to make them more effective. What really makes training effective is that you train all employees year-round, continuously, because real phishing attacks, and simulations as well, show that attacks can be really successful even if they’re simple-looking.

Use simple-looking phishing simulations

We found that it’s much more beneficial to use data-driven simple-looking phishing simulations that work continuously, rather than building on spear-phishing and customized campaigns that train a fraction of the employees a fraction of the time.

Interested in seeing how CybeReady’s algorithms work in more detail? Reach out here.

Author:
Omer Taran
March 19 2021