It is often said that humans are the weakest link in cybersecurity, and in practice employees are a crucial access point for attackers. Companies need to ensure that employees are trained to recognise and report cyber-attacks.
Cybercriminals today use convincing phishing pretexts to trick people into performing actions or divulging confidential information.
The objective of such attacks is to exploit human psychology, using universal qualities such as fear, greed, curiosity, compassion, deference to authority, and so on.
According to Verizon’s 2019 data, 94% of malware is delivered via email and 150 million phishing emails are sent daily.
While the pretexts used in phishing attacks are constantly evolving, the fundamentals still boil down to the following techniques:
- Social Engineering
- Spear Phishing
- Baiting and Quid Pro Quo
Phishing is extremely dangerous because it takes only one careless act to open the door: a single click can lead to a data breach or to the infection of a device, server, or network, with severe consequences for the organization’s finances and reputation.
What is a Phishing Simulation?
A phishing simulation is a phishing campaign run against your own staff to test whether they can identify phishing attempts. It can also be used to measure the effectiveness of phishing training. The simulated emails may appear to come from a manager, HR, and so on.
The security team sends emails that look like real phishing, but instead of delivering malware, the links record parameters such as who clicked, how long they took to click and whether they entered credentials. Employees who click are then told that they have fallen for a simulated phishing attack and shown how they could have identified and avoided it.
It is far better to identify the employees who fall for these emails before a real phishing mail lands in their inbox.
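As an added example (not code from the original post), the tracking described above can be built on per-recipient tokens. Each recipient's link carries an HMAC of their id under a secret campaign key, so the tracker can attribute a click to a person while nobody can guess or alter a token to pin a click on someone else. The look-alike domain, campaign name and recipient ids below are placeholders.

```python
"""Per-recipient tracking links for a simulated phishing campaign.

Added example, not from the original post. Each recipient's link carries
an opaque token derived with HMAC-SHA256 from (campaign, recipient) under
a secret campaign key. The tracker maps tokens back to recipients and
records events. Domain, campaign id and recipient ids are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://exarnple.com/hr/benefits"  # hypothetical look-alike domain


def make_key():
    """Fresh 256-bit key; generate one per campaign and keep it server-side."""
    return secrets.token_bytes(32)


def token_for(key, campaign, recipient):
    """Deterministic, unguessable token for one recipient in one campaign.

    Truncating the MAC to 128 bits keeps the URL short while leaving far
    more entropy than anyone could enumerate against the tracker."""
    msg = f"{campaign}:{recipient}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def tracking_link(key, campaign, recipient):
    """The URL that goes into this recipient's copy of the email."""
    return f"{BASE_URL}?t={token_for(key, campaign, recipient)}"


class Tracker:
    """Server-side map from token to recipient plus an event list."""

    def __init__(self, key, campaign, recipients):
        self.by_token = {token_for(key, campaign, r): r for r in recipients}
        self.events = []  # (recipient, event) in arrival order

    def record(self, url, event):
        """Attribute a hit on `url` to a recipient and return the recipient
        id, or None if the token is missing, altered, or belongs to another
        campaign or key (so stray or forged hits are not counted)."""
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        recipient = self.by_token.get(token)
        if recipient is None:
            return None
        self.events.append((recipient, event))
        return recipient


if __name__ == "__main__":
    key = make_key()
    tracker = Tracker(key, "q1-benefits", ["alice", "bob"])
    link = tracking_link(key, "q1-benefits", "alice")
    print(link)
    print(tracker.record(link, "clicked"))  # alice
```

Because the token is a MAC rather than a random value stored per recipient, the mail-merge step needs only the key and the recipient list, and the same token is reproduced when the tracker is rebuilt after a restart.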
Why it is important
Phishing simulations are something that every organization today must perform with their employees. Here are a few reasons why phishing simulation is important:
- It is an effective way to measure how likely employees are to click on a real phishing email. Employees who fall for the simulation can be trained to recognise these attacks, which helps them avoid real ones.
- It is also a good way to check how the security team handles phishing reports: what happens, and how quickly, once an employee reports a suspicious email.
- It is a practical way to show the importance of cyber security and cyber hygiene to the non-IT staff of the company.
How Phishing Simulation works
Phishing simulations can be done both manually and by using various tools. Here are some ways it can be done manually:
1. Watering hole attack: a site or forum that employees visit often is seeded with the lure, and employees are then encouraged to click it. In a real attack the site is compromised and malicious code or files are planted; in a simulation this must only be done on a site the organisation controls, such as an intranet page or a look-alike page registered for the exercise, never by compromising a third-party site, which would be unauthorised access however good the intent. Because employees trust these sites, they are more likely to click.
2. Internal group chat tools: links or files are sent to the company’s WhatsApp group or Microsoft Teams channel and the number of employees who open them is recorded. Many employees now work from home and rely on instant messaging apps such as WhatsApp, Skype or Teams to reach colleagues, so these tools can be used to test how wary employees are when a link arrives outside email.
3. Reaching out on LinkedIn: employees are contacted on LinkedIn with a job offer and asked to click a link for the job description. With some social engineering and knowledge of the employee’s role and interests, this approach has a high success rate.
4. Posing as a potential client: the tester poses as a prospective client, contacts employees and asks them to perform tasks. This works particularly well against the sales team, who are always looking for new clients.
5. Evil twin phishing: most employees connect laptops and smartphones over Wi-Fi. Evil twin phishing sets up a rogue access point whose SSID matches the real network’s. Because most application traffic is protected by TLS, the usual way to harvest credentials from a connected device is a captive-portal page that asks for a corporate login; in a simulation that page should record who submitted, not store the password.
6. Smishing: smishing, or SMS phishing, is phishing done via SMS, using a convincing message template and a link. Because SMS does not pass through the corporate mail gateway and its link filtering, this attack is easy to execute.
7. Vishing: similar to smishing, vishing is voice phishing. The attacker calls the target from a spoofed number, impersonates someone the target knows, and tries to obtain confidential information.
8. Spear phishing: in most of the techniques above, a generic message is sent to many people. In spear phishing a targeted message is crafted for a single individual, for example with a subject line on a topic that person is known to care about.
Manual phishing simulation can be tedious because companies have hundreds of employees, and targeting every one of them by hand is neither easy nor practical. Producing consistent reports and metrics from a manual campaign is also difficult.
Most Phishing simulations are usually done with the help of various phishing simulation solutions. We have plug-and-play phishing solutions with hundreds of realistic phishing templates. They can be used to target multiple employees and see how well-prepared employees are with regard to realistic phishing attacks. For more information, reach out to us here.
Phishing Assessment Campaign Components
1. Registering a look-alike domain: a domain is registered that looks almost identical to the real one, so that employees trust the link or the sender address.
Some techniques used when choosing a look-alike domain are:
· Homoglyph substitution: swapping one or two letters for visually similar characters. example.com to exannple.com (nn for m) or exarnple.com (rn for m)
· Repetition: duplicating a letter in the domain name. example.com to examplle.com
· Omission: omitting a letter from the domain name. example.com to exmple.com
· Bitsquatting: often confused with homoglyph substitution, but different: a single bit of one character is flipped, which is what a memory error on a client or resolver produces rather than a human typo. example.com to exemple.com (a and e differ by one bit)
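As an added example (not code from the original post), the candidate generator below implements the techniques listed above together with true bitsquatting, so the difference between "looks similar to a person" and "one flipped bit" is concrete. The homoglyph table is a small hand-picked subset, and the output is only a candidate list to check against WHOIS/DNS before registering anything for an authorised exercise.

```python
"""Look-alike domain candidates for a phishing assessment.

Added example, not from the original post. Implements homoglyph
substitution, repetition, omission and bitsquatting for the registrable
label of a domain. The homoglyph table is a small illustrative subset.
"""

# Visually similar substitutions. Multi-character entries such as "rn" for
# "m" are what makes exarnple.com or exannple.com pass a quick glance.
HOMOGLYPHS = {
    "a": ["e", "o"],
    "e": ["a", "c"],
    "i": ["l", "1"],
    "l": ["1", "i"],
    "m": ["rn", "nn"],
    "o": ["0", "a"],
    "s": ["5"],
    "w": ["vv"],
}

# Characters allowed in a hostname label (lower case only: DNS is
# case-insensitive, so an upper-case bit flip is not a distinct domain).
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def homoglyph(label):
    """Replace one character at a time with each of its look-alikes."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def repetition(label):
    """Double one character: example -> examplle."""
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}


def omission(label):
    """Drop one character: example -> exmple."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def bitsquat(label):
    """Flip each single bit of each character and keep the results that are
    still valid hostname characters. These are the domains a machine with a
    faulty bit of RAM resolves by accident, not ones a person mistypes."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                cand = label[:i] + flipped + label[i + 1:]
                # A label may not begin or end with a hyphen.
                if not cand.startswith("-") and not cand.endswith("-"):
                    out.add(cand)
    return out


TECHNIQUES = {
    "homoglyph": homoglyph,
    "repetition": repetition,
    "omission": omission,
    "bitsquat": bitsquat,
}


def lookalikes(domain):
    """Return {technique: sorted candidate domains} for the first label of
    `domain`, never including the original domain itself."""
    label, _, suffix = domain.partition(".")
    result = {}
    for name, fn in TECHNIQUES.items():
        result[name] = sorted(c + "." + suffix for c in fn(label) if c != label)
    return result


if __name__ == "__main__":
    for name, cands in lookalikes("example.com").items():
        print(f"{name:10s} {len(cands):3d}  {', '.join(cands[:6])} ...")
```

The bitsquat list is the one most people find surprising: exemple.com and dxample.com are each one bit away from example.com, and neither looks like a typo, which is why that technique belongs in a separate category from homoglyphs.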
2. Phishing templates: cybercriminals use different email templates to make a phishing email look genuine and convincing. For example, COVID and vaccination-related templates were the most popular at the time of writing. The idea of a phishing simulation is to expose employees to a template and its pattern before a real criminal sends them one.
Each phishing template usually includes:
· An email message: a convincing email so that people open the mail and click the link.
· Landing page: a fake web page that either asks the user to enter personal information or imitates a Google or Microsoft login page.
· Redirect to a warning message: once the user enters details and clicks sign in, they are redirected to a page telling them they have been phished and showing what they should have noticed.
Important metrics to collect
When a phishing simulation is done, it is important to collect some key metrics so that the organization can better understand the phishing simulation campaign and can make informed decisions.
Some of the important metrics that can be collected in phishing simulation are:
1. Time to first open: the shortest delay between delivery and the first open, and how that delay is distributed across recipients, shows how quickly people act on a convincing email and therefore how little time the security team has to respond.
2. Link-click rate: the proportion of people who clicked the link out of those who opened the mail. Note that open tracking relies on a tracking pixel, which many mail clients block, so a click should also be counted as an open.
3. Credential capture rate: the proportion of recipients who entered their credentials on the landing page.
4. Report rate: the proportion of recipients who reported the email to the security team, and how many of them reported it after clicking.
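As an added example (not part of the original post), the metrics above can be computed from the tracker's event log. The log format, one line per event as `<ISO timestamp> <event> <recipient>`, and the sample lines below are constructed for the example. Repeated events from the same person are counted once, a click counts as an open even when the tracking pixel was blocked, and the click rate is reported both over openers (as defined above) and over everyone who was sent the mail, since the two answer different questions.

```python
"""Campaign metrics from a simulated-phishing event log.

Added example, not from the original post. Assumes the tracking server
writes one line per event as "<ISO timestamp> <event> <recipient>", with
event one of sent, opened, clicked, submitted, reported. SAMPLE_LOG is a
constructed campaign sent to five recipients.
"""
from datetime import datetime
from statistics import median

EVENTS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample log. u4 clicks twice; u5 clicks without an "opened"
# event (tracking pixel blocked); u1 and u3 report without clicking.
SAMPLE_LOG = """\
2024-03-04T09:00:00 sent u1
2024-03-04T09:00:00 sent u2
2024-03-04T09:00:00 sent u3
2024-03-04T09:00:00 sent u4
2024-03-04T09:00:00 sent u5
2024-03-04T09:01:30 opened u2
2024-03-04T09:02:10 clicked u2
2024-03-04T09:02:45 submitted u2
2024-03-04T09:05:00 opened u3
2024-03-04T09:05:20 reported u3
2024-03-04T09:07:00 opened u4
2024-03-04T09:07:30 clicked u4
2024-03-04T09:07:35 clicked u4
2024-03-04T09:30:00 opened u1
2024-03-04T09:45:00 clicked u5
2024-03-04T10:00:00 reported u1
"""


def parse_log(text):
    """Return {event: {recipient: time of first occurrence}}. Keeping only
    the first occurrence means a person who clicks twice counts once."""
    first = {e: {} for e in EVENTS}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, rid = line.split()
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r} in line {line!r}")
        first[event].setdefault(rid, datetime.fromisoformat(ts))
    return first


def metrics(first):
    """Compute the campaign metrics discussed above from parse_log() output."""
    sent = first["sent"]
    n = len(sent)
    if n == 0:
        raise ValueError("no 'sent' events: nothing to measure")
    opened, clicked = first["opened"], first["clicked"]
    submitted, reported = first["submitted"], first["reported"]
    # Open tracking depends on a pixel that many clients block, so anyone
    # who clicked must have opened the mail even without an "opened" event.
    openers = set(opened) | set(clicked)
    # Delay from send to first open, only where both timestamps exist.
    delays = sorted((opened[r] - sent[r]).total_seconds() for r in opened if r in sent)
    return {
        "recipients": n,
        "open_rate": len(openers) / n,
        "click_rate_of_openers": len(clicked) / len(openers) if openers else 0.0,
        "click_rate_of_sent": len(clicked) / n,
        "credential_capture_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "fastest_open_s": delays[0] if delays else None,
        "median_open_s": median(delays) if delays else None,
        # The people the security team most needs to hear from.
        "clicked_then_reported": sorted(set(clicked) & set(reported)),
        "clicked_never_reported": sorted(set(clicked) - set(reported)),
    }


def campaign_metrics(text):
    return metrics(parse_log(text))


if __name__ == "__main__":
    for k, v in campaign_metrics(SAMPLE_LOG).items():
        print(f"{k:24s} {v}")
```

The two "clicked_*" lists matter as much as the rates: a click followed by a report is the desired end state for the security team, whereas a click with no report is the population the next round of training should target.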
With companies moving to the Cloud and employees working from home, phishing attacks are becoming increasingly prevalent. For cybercriminals, it is very easy to execute phishing attacks but for businesses, the effects can be catastrophic. Companies need to ensure that employees avoid falling for these phishing attacks. With proper awareness training and phishing attack simulation, this can be achieved.
Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned for more!
This blog was originally published on our Medium Account.