Phishing is the action of exploiting human nature in order to acquire information for the purpose of identity theft, financial fraud or obtaining unauthorised access to sensitive information.
A phishing attack is typically delivered in the form of an unsolicited email designed to lure a user into visiting a web site or opening an attached document. Typically, the link or document attempts to install malware on the user’s system.
Once a victim clicks on a link or opens a document, a chain of events is put into action which can lead to a serious data breach, including intellectual property theft, ransomware, and financial loss.
Attackers are not only looking at stealing credentials and financial information, but are also looking to infiltrate companies’ infrastructure to gain an undetected, persistent foothold within the core of the organisation. The Verizon 2016 Data Breach Investigations Report (DBIR) indicates that “The majority of phishing cases feature phishing as a means to install persistent malware”. This is also known in cyber security as an Advanced Persistent Threat (APT).
Phishing is a very effective way of attacking an organisation as it targets its weakest link, the human being. It is extremely successful because it exploits one of the fundamental attributes of the human psyche: trust. Trust is part of our evolutionary process, and we have built our society on the basis of it.
Technology is relatively ineffective at preventing people from exploiting trust. Humans are the weakest link in the security chain, and it does not matter how much effort and money organisations have invested in technology to secure their information: it only takes one person to make it irrelevant. Organisations can be assured that threat actors will be looking for the weakest link within their organisation.
The most effective method of mitigating phishing attacks is to learn through experience: to give users the opportunity to learn how to recognise and react to phishing attacks by conducting realistic phishing attack simulations.
The purpose of a phishing attack simulation is not to lay blame on individuals but to enhance their ability to recognise and to respond to real world phishing attacks, thereby increasing the security posture of their organisation.
An effective phishing attack simulation should be delivered periodically and at all levels of the organisation. This campaign would include:
- An organisation-wide simulation to determine the overall level of phishing awareness of the organisation;
- Targeting a selected group of users based on their role, such as system administrators; and
- Targeting specific individuals with high responsibility within the organisation.
Various scenarios should be considered to reflect sophisticated and targeted real world phishing attacks, and should include emails, phone calls, lost media, and fake web sites. By developing a phishing attack simulation program, an organisation can provide their employees with the best chance to counter modern cyberattacks and significantly reduce their risk exposure.