A mature anti-phishing program keeps organizations safer, claims Cofense, and offers as proof the decreasing susceptibility of their customers’ employees to mock phishing emails as well as rising reporting rates of the same.
Overall, the resiliency rate of its clients has almost doubled, and it’s improving throughout major industries, except education. “Possible reasons: tighter security budgets compared to other industries, lack of central control and typically open environments that encourage users to ‘bring your own device.'”
The company’s third annual report on controlled phishing activity, based on the experiences of 1,400 clients in 23 industries in over 50 countries, also shows that employees are most susceptible to phishing emails that target them as consumers.
“Employees will always take a break to do personal business online, so you can expect work and home email to continue blurring. Personal devices in the workplace often have multiple email accounts—the source of an email may not be distinguished as it should. However, to sustain morale, communication and collaboration, among other reasons, companies are unlikely to restrict BYOD or access to social media, news and entertainment sites,” the company explains.
“At a high level, the issue is how consumers/employees get their news and interact. Many news and social feeds are now subscription based; they’re common in email and mobile device alerts. This explains the rise in phishing attacks via social media links and fake news sites. Because they’re accustomed to them, people think it’s safe to click.”
Top motivators behind successful phishes
It used to be that fear, urgency and curiosity were the top emotional motivators behind successful phishes. Now they’ve been replaced by entertainment, social media and reward/recognition.
According to the company, simulated eCards, internal promotion/reward programs, and a number of financial and compliance scenarios (e.g., phishes with “Financial Information Review” or “Compliance Training” in the subject line) are most successful at getting users to click.
Employees should be trained to be aware of their emotional reactions to emails and see them as phishing triggers.
“When creating simulations, remember consumer scams—those phony Netflix or LinkedIn emails sent to busy employees, who are glad to switch gears and click on something fun,” the company notes. “Understand the dynamics of entertainment or social phishing (think uncritical social acceptance and shortened URLs).”
And when it comes to emails promising rewards, employees should be taught to be critical of rewards and deals that sound too good to be true.
Certain types of content make for irresistible phishes, the company also found: social (eCards) and personal safety content (e.g., “Mold Found in Office!” or “Workplace Safety Training”) top the list, followed by retail promotions:
Improving employee resiliency to phishing
For anti-phishing efforts to be increasingly successful, organizations must make it easy for employees to report phishing attempts and to receive feedback on that reporting.
They also need to run frequent simulations (not just one or two per year) and to implement trickier simulations (by using targeted attacks, personalization and other attacker tricks).
“A program that proactively defends by mirroring the newest, most dangerous phishes is even better. To help you stay out in front of attacks, simulations must be relevant,” the company advises.
It’s important to train employees to spot phishing messages that are designed to specifically appeal to them because they work in a certain industry and to imitate active threats. But simulations should also condition users to spot “vintage” attacks that had high success rates.
“When a phishing type disappears for awhile, be afraid. It will likely come back and you need to be ready,” the company concludes.