How to Catch a Phish: Where Employee Awareness Falls Short

Published: 23/11/2024   Category: security




Advanced phishing techniques and poor user behaviors that exacerbate the threat of successful attacks.



Teaching employees how to spot malicious emails is one of many steps toward keeping phishing attacks at bay. As attackers adopt more advanced techniques, it's imperative that teams also learn how behavior inside and outside their inboxes can put a business at risk.
For the fourth annual Beyond the Phish report, Proofpoint researchers pulled data from nearly 130 million responses submitted to its Security Education Platform between Jan. 1, 2018, and Feb. 28, 2019. It's tough to compare the newest 2019 results with previous years because this time employees were quizzed on a newly expanded range of more advanced cybersecurity topics.
Simulated phishing attacks are handy for evaluating a portion of users' weaknesses but don't fully reflect how well employees understand phishing. After all, you can't get a sense of someone's password hygiene, mobile device security, or confidential data security by seeing whether or not they fall for a fake phishing attack. Instead, they have to answer questions.
"We obviously do look at phishing but also take a broader look at the cybersecurity landscape and behaviors that influence cybersecurity posture," says Gretel Egan, security awareness and training strategist at Proofpoint. "Beyond email are behaviors and risk that influence cybersecurity for an organization."
This year, users answered 22% of questions incorrectly, on average, across 14 subjects, up from 19% in Proofpoint's 2018 analysis. Given the expansion of assessment programs and the addition of tougher questions, Egan says the uptick isn't a surprise. The decline doesn't indicate a lack of awareness, she says; it's a sign some organizations are starting to challenge people.
"It points to the complexity of these topics and the nuances around phishing, around data protection, and around understanding some compliance directives related to cybersecurity," she explains. "It's bigger than one decision inside of an email."
Categories with the greatest percentage of wrong answers included identifying phishing threats (25%), protecting data throughout its lifecycle (25%), compliance-related cybersecurity directives (24%), and protecting mobile devices and information (24%). Those with the most correct answers? Avoiding ransomware attacks (11%), passwords and account authentication (12%), and unintentional and malicious insider threats (13%).
Users struggled to answer questions about mobile device encryption, securing personally identifiable information (PII), technical safeguards in blocking social engineering attacks, distinguishing public from private data, and responding to a suspected physical security breach.
There was also good news, researchers found: Employees demonstrated mastery in questions on identifying potentially risky communication channels, physical security safeguards while traveling, recognizing ransomware and malicious pop-ups, and risks linked to Bluetooth pairing.
Egan describes how users' actions can unknowingly put their employers at risk and exacerbate the phishing threat. Some overshare information on social media, for example: A post saying "my boss is out of town this week" may seem benign but can be valuable intel for an attacker.
"We also see users struggling to understand how their actions on local devices can impact the security of corporate data and sometimes personal data," she continues. People have been educated on how to use devices from a functional standpoint but not a secure one. For example, letting family members use corporate devices and using the same device for personal and business matters are both common behaviors that can put sensitive information at risk.
Attackers Get Sophishticated
The need to educate employees on secure behavior grows stronger as cybercriminals adopt sophisticated phishing tactics, as researchers found in INKY's 2019 Special Phishing Report.
"The evolution of attackers' techniques is really quite striking," says INKY CEO Dave Baggett.
"In terms of trends we see, we're seeing a ton of brand forgery emails whose goal is credential harvesting," he continues. Attackers often disguise emails as coming from legitimate Microsoft or Amazon accounts, trying to get users to enter credentials on a fake login page. With usernames and passwords, they attempt logging into banking websites or webmail accounts.
Many people are still under the impression phishing is intrinsically complicated, he adds, and it often isn't. "In terms of a brand forgery, for example, it's incredibly easy," Baggett says. More advanced actors know how secure email gateways (SEGs) work and how to bypass them.
One of these subtle tactics is hidden text, a specific way for attackers to sneak malicious content into an email, Baggett says. Most email is now designed using HTML, which is complex and difficult to properly interpret, making it tough for software to determine what users will see. This gives attackers new opportunities to slip malicious content through security systems.
SEGs often look for specific brand names or text that could indicate an email is brand spoofing. Cybercriminals can bypass this by inserting random small, white-text letters between the letters or phrases that are visible to users. Adding gibberish text, which is invisible to security systems and end users, will let phishing emails slip past SEGs and into unsuspecting users' inboxes.
Some attackers craft emails to appear more conversational and forgo the use of attachments or links in order to bypass SEGs. Security tools with traditional spam filtering techniques will likely allow a casual message from an attacker impersonating a CEO or vendor.
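As an added illustration of the hidden-text evasion described above (this is example code written for this page, not from the article, Proofpoint or INKY), the following compares naive tag-stripping against rendering only the text a recipient would actually see before matching brand names. The sample email, the brand list and the set of "invisible" CSS patterns are all constructed assumptions.

```python
# Added example: recover user-visible text from an HTML email before
# brand-name matching, so white/tiny filler letters cannot split a brand.
from html.parser import HTMLParser
import re

# Constructed sample: "Microsoft" split by a tiny white-text span.
SAMPLE_HTML = (
    '<p>Your <span>Micro</span><span style="color:#fff;font-size:1px">xq</span>'
    '<span>soft</span> account needs verification.</p>'
)

BRANDS = ("microsoft", "amazon")  # assumed watch-list of spoofed brands

# Assumed heuristics for "invisible" inline styles. A production filter
# would compare text colour to the actual background rather than assume white.
INVISIBLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*[01](px)?\b|"
    r"color\s*:\s*(#fff|#ffffff|white)\b",
    re.I,
)

class VisibleText(HTMLParser):
    """Collect only text the recipient would see on screen."""
    def __init__(self):
        super().__init__()
        self.parts, self.stack, self.hidden_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = tag in ("script", "style") or bool(INVISIBLE.search(style))
        self.stack.append((tag, hidden))
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed void tags don't skew depth.
        while self.stack:
            t, hidden = self.stack.pop()
            self.hidden_depth -= hidden
            if t == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)

def visible_text(html: str) -> str:
    p = VisibleText()
    p.feed(html)
    return "".join(p.parts)

def raw_text(html: str) -> str:
    """Naive SEG-style check: strip tags but keep every character."""
    return re.sub(r"<[^>]+>", "", html)

def brands_in(text: str) -> list:
    return [b for b in BRANDS if b in text.lower()]
```

Running `brands_in(raw_text(SAMPLE_HTML))` finds nothing because the filler letters break the brand string, while `brands_in(visible_text(SAMPLE_HTML))` flags "microsoft".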