Phishing is a constant threat to data and endpoint security. Cybercriminals use phishing attacks to break into accounts, steal company funds, and compromise sensitive data.
In this article I will introduce you to the dangers of phishing and guide you through the process of running your very own simulated phishing tests using BrowseReporter, CurrentWare’s employee computer monitoring software.
Phishing is a form of fraud where an attacker pretends to be a reputable person or company through some form of electronic communication (email, SMS, etc). Phishing is used to trick victims into disclosing sensitive information or infecting their network with malware by clicking links or downloading malicious attachments.
Around 67% of data breaches occurred due to phishing before COVID-19. In 2020, Verizon’s annual Data Breach Investigations Report found that users are three times more likely to click on a phishing link than before the pandemic.
The attackers – often called phishers – will typically use email to target their victims but they may also use other electronic communication tools such as social media and SMS.
Examples of email phishing attacks include:
A sophisticated attack documented by email security company Inky details how threat actors are using QR codes to bypass email security solutions. Since many email security tools rely on scanning text and URLs to detect malicious or suspicious emails, a threat actor can simply replace all of the text content with an image that includes a malicious URL within a QR code.
A QR code (short for “Quick Response” code) is a type of two-dimensional barcode that can be read by an imaging device such as a camera.
QR codes are used to quickly provide access to a given URL without the end-user needing to type the URL in manually. While this can be convenient, threat actors can use QR codes to send their victims to a malicious URL. Legitimate QR codes can also be covered by a sticker with a QR code that links to a malicious URL.
Making a QR code is as simple as placing the desired destination URL into a QR code generator, then placing the generator QR code anywhere an end-user can scan it with their phone.
Attackers use phishing to steal money and gain unauthorized access to sensitive data. They exploit the trust of employees to convince them to enter their account credentials on malicious websites or download malicious software such as ransomware.
Phishing campaigns are extremely effective at tricking employees. A report from Tessian found that a staggering 1 in 4 employees have admitted to clicking on a phishing email at work. The damages from these events are severe – the FBI’s Internet Crime Complaint Center found that phishing and related schemes caused $57 million in losses in 2019 alone.
These attacks can lead to:
Clicking on a malicious link in an email can have severe consequences, including financial loss, data theft and potential account compromise.
All it takes is one wrong click of the mouse to cause a company reputational damage, possible downtime and even closure, depending on the severity of the attack. Once someone clicks on a phishing link, there’s a high risk that the device will become infected with malware, including viruses, spyware or ransomware.
Malware may collect device statistics, location information or other voluntary data the user has provided. The infection may deliver more phishing emails to people on the user’s contact list or give a threat actor access to other devices belonging to the user. Malware can also go undetected if it is installed behind the scenes.
How Phishing Causes Damages:
This next section will overview practical advice for avoiding phishing emails.
Your first line of defense against phishing emails is to not provide your employees a chance to see them in the first place. Email filtering technology such as secure email gateways or email firewalls will help to reduce the amount of suspicious and fraudulent emails that reach your employee’s inboxes.
Anti-spam/anti-phishing tools will typically include advanced features such as attachment sandboxing to analyze incoming attachments in a lower-risk container and URL rewriting to help catch zero-day exploits. Should your email content filtering allow a phishing email through, a web filter can provide an added layer of security by blocking known malicious domains.
Email security tips
Two-factor authentication is another layer of protection against account compromises caused by phishing scams. Should employees inadvertently leak sensitive credentials the second factor can help prevent an unauthorized login.
Do not add the emails of individual employees to any public-facing platforms such as your website. If visitors to your website need to contact anyone you can use webforms instead. This helps to reduce the amount of spam and phishing emails by making it difficult for attackers to collect email addresses using a bot.
Even with a robust security system it takes only one negligent employee to be fooled by a phishing attack to compromise your network, sensitive accounts, or leak the data you’ve worked so hard to protect.
Even the best anti-spam email filters will miss a few malicious emails. Employee security awareness training is non-negotiable for protecting sensitive data against phishing. A report from PhishMe found that employees who open a phishing email are 67% more likely to respond to another phishing attempt.
For the best phishing education for employees you need to teach them how to recognize a phishing email and you will need to perform regular phishing simulations that measure the impact of that training. A phishing awareness exercise will provide you with the data you need to determine if further phishing training for employees is required.
Some common indications of a phishing email include:
While it’s true that legitimate companies can send emails with grammatical errors and spear-phishing campaigns can use high quality and highly targeted messaging, being aware of the signs of common phishing schemes goes a long way to avoiding the average phishing email.
Phishing scams may not be obvious to the average employee, so someone could accidentally click on malicious links. There’s a high probability that someone will accidentally download a dangerous email attachment.
Thankfully, there are specific actions people can take to safeguard any sensitive information and quickly recover from the attack. Here are the steps someone can take after clicking on a phishing link or accidentally downloading a malicious attachment.
The first step is disconnecting the device from the internet immediately. Unplug the internet cable if it uses a wired connection, or navigate to the Wi-Fi settings and turn Wi-Fi off. Any compromised devices connected to Wi-Fi should be disconnected. If you’re having trouble disconnecting the device, consider bringing the device to the IT team.
The main reason for disconnecting the device is to prevent malware from spreading to other machines on the network. It also prevents malware from taking sensitive data and sending it from the device. Nothing can be shared with the public if there’s no internet connection. Additionally, it prevents someone from gaining remote access.
Phishing attacks are so common among cybercriminals because they’re easy to execute and usually have a high success rate. If you’ve fallen victim to a phishing attack, don’t be too hard on yourself. You’re not the first victim of a phishing scam, and you certainly won’t be the last. Once you’ve disconnected the compromised device, you should alert the IT or security team in your organization as soon as possible.
Your IT team must be aware of the incident so they can respond appropriately. Many modern teams have incident response plans designed for these attacks. They will identify the source of the attack, contain the infection, repair any damage, assess why the attack was successful and create a plan to move forward. The team may improve phishing awareness training for all employees to reduce the chances of a future attack.
Now is the time to back up any critical files from the device. Some users will back up files to an external hard drive, a cloud storage account or a thumb drive. Employees should focus on backing up the most critical files or any documents that contain sensitive information, trade secret, financial records or confidential data.
Using an external hard drive or a USB drive is a simple way to effectively back up files. The cost to purchase one of these storage devices has dropped considerably. If your company has a dedicated IT team, they can guide you through the backup process and may provide you with a hard drive or USB drive for file storage.
The next step is to check the device for malware. It’s common for people to use antivirus or malware software for this purpose. IT teams can get the scanning process started for you if you’ve never completed a scan on your own. Do not reconnect the device to the internet without the approval of your IT team.
Once the scan is complete, the software will show any suspicious files discovered and recommend options to fix the problem. This may mean deleting or quarantining the files. An experienced IT professional should make this decision to ensure the problem is rectified.
The ultimate goal of a phishing attack is to gain access to login credentials or accounts, so it’s wise to change any passwords. Employees within an organization likely rely on various accounts or software that require a username and password. Changing them can make it more difficult for a hacker to access data.
Avoid using the same password for all accounts. Everything will be at risk of being compromised if someone gains the password to one. Use unique passwords with special characters, set up two-factor authentication (2FA) and consider using a password manager to keep everything organized. Your IT team can suggest new passwords for you to use and recommend a password manager to keep your account information safe. It’s also smart to set up reminders every few months to change passwords and update your password manager accordingly.
Suppose an employee believes their information could be compromised. In that case, they can set up fraud alerts on their credit reports as a safeguard. It will prevent anyone from opening up new accounts in their name and notify the worker of any suspicious activity.
Following each of these steps will ensure employees minimize the damage to their organization. They must know what steps to take if they accidentally click on a phishing link.
Phishing awareness training is designed to reduce the amount of phishing emails that your employees fall for. Because of this a typical phishing simulation will focus on establishing a baseline of employees that fall for the simulated emails and work to reduce that number over a given span of time.
Key metrics for a phishing test include…
Anti-phishing measures need to encourage employees to recognize phishing attempts and report instances where they have fallen for an attack. You should avoid punishing employees that fail the simulation as this will disincentivize them from reporting legitimate threats. Instead, reward employees that successfully report the phishing emails and provide targeted security awareness training for employees that fall short of your company’s goals.
If an employee discovers a phishing email in their inbox they need a convenient method to report it to your anti-spam solution or the IT department. Ideally they will be provided with a report button directly within their email client, though a designated email address to forward suspected phishing attempts can be used.
Though IT departments will seldom have the resources to continually monitor individual phishing reports, an increased awareness of phishing risks is valuable data. This data can help inform security policies, improve the accuracy of anti-spam filters, and provide the organization with a record of advanced phishing emails that they can warn their users about.
There are a few methods of running this test with BrowseReporter. This section will show you how to set up Email Alerts that will send an email every time the designated URLs are visited. Later in this article you will also learn how to use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
For this test we will be using BrowseReporter, CurrentWare’s employee computer monitoring software. If you do not already own a copy of BrowseReporter you can get a free 14-day trial here. After downloading BrowseReporter you can follow these instructions to install CurrentWare on your computers.
This test will use BrowseReporter’s internet monitoring features to send an alert to an email address once a given webpage is visited. For the simulation you will be sending out emails with a chosen URL and encouraging your employees to click on the link. To ensure the accuracy of your test you must make this a unique URL that your employees would never visit or be familiar with.
With CurrentWare and BrowseReporter installed, you will next need to set up email alerts. You can configure CurrentWare’s email alerts to use either an internal SMTP mail server or an email service such as Gmail, Outlook, and Yahoo. If you do not already have this configured, you can find the instructions for that here.
Now that you have CurrentWare configured to send emails, you can use BrowseReporter’s email alerts to send reports to a designated email address when your users fail the phishing test.
That’s it! The email address you designated for the alert will receive an email each time your users visit the designated URLs. To test your email alert simply add yourself as a user to the alert and visit the URLs you used in the alert. Depending on your specific mail server configuration the alert may take a moment to arrive in the inbox.
Now you’ll just need to write 3-5+ sample emails that you will use to test your users. When writing your simulated emails, consider this: Phishing emails typically use a phishing message that invokes curiosity, fear, and urgency to persuade their victims. Attackers attempt to bypass our logical thought process by triggering these emotions. Be certain to play into these themes to best simulate a legitimate attack.
Want free phishing templates? Check out these 10 examples.
Try these themes to convince users to click the URL:
If you’d like some inspiration, Norton has an article with a few real-life examples that you can reference.
At this stage you will need to create or designate an email address that will be used to send the emails. An attacker could be using a compromised account in an advanced attack, but the more realistic scenario would have the attacker using an email address that attempts to mimic a trusted vendor or employee.
Use the account to send convincing phishing emails that prompt your users to click a link that leads to one of the target URLs. Ideally you will avoid sending the emails to all of your employees simultaneously as they may warn each other about the emails once they figure it out. While this is an excellent thing to see from a cyber security perspective it may artificially skew your results in a way that doesn’t represent what a real phishing attack could be.
Most phishing emails are opened the day they are received. After 1-2 days you are likely to have enough data to understand who is the most susceptible to the attacks so you can prepare supplementary anti-phishing training for those users.
In addition to the email alerts you received when your users visited the URLs, you can use BrowseReporter’s Sites Visited report to see an overview of each employee that visited the target URLs.
There you have it! You now have a repeatable process you can take to run your very own phishing simulations. You can use this data to identify learning opportunities for your employees and improve the security posture of your organization. You can use this first test as a baseline to measure improvement by tracking repeat offenders and decreases in susceptibility over time.
Now is the time to create a positive feedback loop. If you have a process for tracking who successfully reported the phish be certain to reward them in some way. The reporting process could include forwarding a phishing email to a designated email address, filling out a report, or logging a ticket.
It is best to avoid punishing employees that did not pass the test as your employees need to feel comfortable self-reporting when they fall for phishes in the future. Instead, provide these employees with further training and support so they can be better prepared to identify and report phishing attempts in the future.
Phishing awareness training is a critical component of improving the security of your business. If you are already using BrowseReporter to monitor employee internet and application use you can use this guide to simulate your very own phishing attacks in-house without any other tools.
As your organization grows you can also consider a phishing assessment with purpose-built phishing campaign tools such as KnowBe4 or Beauceron Security. You can also try a free online phishing test through a free phishing simulator such as PhishingBox.
Portions of this article were contributed by Zachary Amos of ReHack.com