I’ve just completed some training for a client on phishing and email security. As part of the project, I created a simulated phishing test to see how many of my client’s staff I could trick into handing over their system login details. My tactic was simply to create an online form requesting some information about each user including their department, email address, phone number, the type of computer they use and finally, blatantly, their user name and password. I then emailed a link to all the attendees in advance of this week’s training and asked them to complete the form in advance of the training “so I could update their system”.
I was a little shocked at just how successful a con-artist I am. Over 25% of the recipients provided their login details. I’d designed the form to securely discard any confidential details of course, but within minutes, the results started pouring in. Suffice to say there were a few raised eyebrows when my ruse was revealed part-way through my presentation.
A few users protested that they’d only provided such confidential information because I had emailed them to ask for it – as I’m the head of their IT department, they felt it appropriate to trust me.
Flattered as I was, I reminded them that it is extremely easy to masquerade as anyone on the planet when it comes to sending an email. Any one of the thousands of email messages I’ve sent lately could provide the email signature and authentic “look and feel”. Using my name as the IT director of a company would be one of the most obvious things for a cyber-crook to do. It’s called “spear-phishing” when attacks are targeted in this way.
It’s easy, too: just one look at my LinkedIn profile would reveal who to target.
This is the world we live in: an open one, where not very much is really secret, and that which is, doesn’t stay secret forever.
Weak link: Of course, my training course attendees had all heard of phishing and similar scams and, to be fair, they regularly check in with the helpdesk when they’re not sure about a particular email. That’s all good – but all it takes is one mistake. Just one weak link can bring a whole company down, wreaking havoc of considerable consequence.
By training the entire company, my client was investing time and money in strengthening that weak link. And not just training – they started testing too. Sneaky and secretive testing that I admit I collaborated with in the most devious way. I am actively trying to trip up the users in exactly the same way as the criminals do.
Using specialist tools, I have been running phishing campaigns with simulated scams that have all the hallmarks of the very latest phishing threats, just none of the nasty consequences. And I rinse, repeat and report – feeding anonymised statistics back to the executive team, who now see the very real risk that phishing represents.