Sharp UK’s Director of Transformation and Security, Matt Riley, shares his experience of why it’s so important to educate and test your teams on phishing attacks.
You arrive late to work after being stuck in traffic, you are stressed, rushing and you’ve not yet had your morning coffee. You log into your PC to see an email from your new boss asking you to change the bank account details for an important supplier as soon as possible. Not really thinking, you rush the task hoping you’ll impress your boss and still make it to the kitchen to get that coffee before your first meeting. Little did you know, that email you thought came from your boss was, in fact, a phishing email from a threat actor. You have now changed the bank account details so the next payment will be received by them, not your supplier.
Unfortunately, this is an all-too-common example of how easy it is to fall for a phishing email. Every element of this phishing attack is likely to be publicly available. Let’s suppose you are a Finance Director joining a new company – you may post about it on LinkedIn. A threat actor can see this and, using this information, find likely people in your team to phish, trying to trick them into thinking it is you. Simple but very effective.
There are a few ways in which threat actors operate. The first is by mimicking an existing relationship where there is already trust. The second is by creating a sense of urgency, and the third is by offering something that is too good to be true. Combining all three elements is the perfect way to take advantage of the fact that most organisations have a weakness in their security – us users of IT.
There are several technical tools which organisations can deploy to help limit the risk of receiving a phishing email, but none are ever going to work 100% of the time. This means that your teams need to understand how to spot a phishing email and, in an example like the one above, that you have internal controls to prevent changes from being made without the proper due diligence.
Training should not just be messages to your team telling them to “look at the sender”. It should be multi-layered: education / simulation / lessons learnt / education, and so on. You educate your team on the signs to look out for, you simulate an attack to test their understanding, you learn the lessons from that and then apply that learning through further education.
It is a cycle of continuous improvement which, hopefully, lets you understand the risks your organisation faces and minimises that risk by keeping your team up to date with the latest threats. A perfect example of that for us was during the last simulation I carried out – I discovered that it was not possible to know that an email came from someone outside of the company when looking at the email in Outlook on our Apple phones. If you didn’t click into the email address itself, you would never have known!
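The external-sender gap described above is one that a mail filter or transport rule can close even when a client does not show it. The script below is an added example, not code from Sharp UK or from the post; it shows the kind of check a mail gateway applies: it tags messages from outside the organisation, flags a Reply-To that points to a different domain, and flags a display name that matches an internal person while the address does not (the “new boss” pattern from the opening scenario). The domain `example.com`, the staff directory and the two sample messages are constructed for illustration.

```python
"""Flag external senders and display-name impersonation in raw RFC 822 messages.

Added example (not from the original post). The organisation domain, staff
directory and sample messages below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# assumption: a lookup of internal staff display names to their real addresses,
# as you would pull from a directory such as Active Directory or Entra ID
INTERNAL_STAFF = {
    "jane smith": "jane.smith@example.com",
}


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message: str) -> list[str]:
    """Return a list of warning flags for one raw message (empty = nothing odd)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []

    # The tag a user should see even on a mobile client that hides the address.
    if sender_domain(from_addr) != INTERNAL_DOMAIN:
        flags.append("EXTERNAL_SENDER")

    # Replies silently redirected to another domain are a common lure setup.
    if reply_addr and sender_domain(reply_addr) != sender_domain(from_addr):
        flags.append("REPLY_TO_MISMATCH")

    # Display name of a real colleague, but the address is not theirs.
    known_addr = INTERNAL_STAFF.get(from_name.strip().lower())
    if known_addr and known_addr.lower() != from_addr.lower():
        flags.append("DISPLAY_NAME_IMPERSONATION")

    return flags


def tagged_subject(raw_message: str) -> str:
    """Prepend an [EXTERNAL] marker to the subject when the sender is external."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if "EXTERNAL_SENDER" in classify(raw_message):
        return f"[EXTERNAL] {subject}"
    return subject


# Constructed sample messages: one genuine internal email, one impersonation.
LEGIT_MESSAGE = (
    "From: Jane Smith <jane.smith@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 supplier review\n"
    "\n"
    "Can we schedule the review for Thursday?\n"
)

PHISH_MESSAGE = (
    "From: Jane Smith <jane.smith@example-corp-mail.net>\n"
    "Reply-To: jane.smith@secure-reply.example.org\n"
    "To: accounts@example.com\n"
    "Subject: Urgent: update supplier bank details today\n"
    "\n"
    "Please change the account on the supplier record before the payment run.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, classify(raw), "|", tagged_subject(raw))
```

The check deliberately stays at the header level: it is the same information a transport rule or gateway sees before the message reaches a client, so the tag survives whatever the mobile app chooses to display. Pair it with the process control from the post (no bank detail changes without out-of-band verification) rather than relying on either alone.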
I once got told that a business didn’t want to do a phishing attack simulation because team members might be upset that they were being tested. I argued that if these people were upset at being caught out by a simulation, they are probably the most likely people to fall for a real phishing attack, so they are the biggest risk to that business. Never forget, businesses have fire drills to test that people know how to get out of the building in case of a fire – testing your team’s phishing attack readiness is no different!