At Some Point Every Employee Falls for A Phishing Email

How Has the Threat to Companies Changed in the Past Few Months?

The number of attempted attacks on companies has risen sharply in the last year. Even at the beginning of the pandemic, criminals took advantage of people's insecurity and sent corona-related phishing emails. It has been shown that phishing is becoming more and more sophisticated and that the attackers react to current events within short periods of time. Criminals are currently luring users with the promise of quick access to a corona vaccination, but the email that is sent has files with malware attached. Or a link contained in the mail leads to a prepared website to harvest login data and sell them. I recently received several emails that tried to get me to install a fake banking app and lured me to a fake website.


[Image: Phishing Email]


At the same time, the trend that many employees are still working from home is also playing into the hands of the attackers, because many companies were unable to provide their employees in the home office with a sufficiently secure infrastructure under the required time pressure.


Why Are Protection Technologies No Longer Sufficient to Protect Against Cyber Attacks?


Modern endpoint protection is one of the most important basic components of IT security. These solutions detect the majority of attempted attacks and prevent outside access. But criminal hackers want to achieve maximum profit with little effort and are therefore looking for weaknesses in the defense. These are, of course, gaps such as missing software updates or poorly secured RDP access with a password that is too simple. In reality, however, the poorly informed user is always the weakest link in the chain. A wrong click on the attachment or a link in an email can be enough to gain access to the network. The attackers can then look around the system at their leisure, copy data and install other malware.


Why Are People Vulnerable to Phishing Campaigns?


Cyber criminals have a clear goal with phishing. They want their victim to take a certain action. The target person should open an email attachment or click a link and then reveal confidential information such as login data. With this information, the attackers gain access to e-mail inboxes, for example, or can infect the network with malware. In doing so, they consistently take advantage of human behavior. They specifically address helpfulness, curiosity, or greed in their victim or create a feeling of urgency by building up pressure and, for example, demanding that passwords be changed immediately. The attackers address natural curiosity with subject lines and file names such as "curriculum vitae" or "new concept". Or the mails imitate trustworthy brands. For example, messages from Amazon support are replicated, in which the user is asked to update the bank details via a link that leads to a replicated phishing website. The data entered goes straight to the fraudsters. To make phishing emails appear even more believable, attackers are increasingly using "fake chains". They put "AW:", "Fwd:" or "WG:" in front of the subject and sometimes even add a fake email history.
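The "fake chain" trick described above can be turned into a triage signal for a mail-reporting process: a message whose subject claims to be a reply or forward, or whose body carries a pasted mail history, but which has no In-Reply-To or References header is worth a second look. This is an added illustration, not code from the article; the prefix list beyond "AW:", "WG:" and "Fwd:", the header names and the sample messages are assumptions constructed here.

```python
import email
import re
from email import policy

# Reply/forward prefixes the article names ("AW:", "WG:", "Fwd:") plus the common
# variants "Re:" and "Fw:" (added here as an assumption, not taken from the article).
THREAD_PREFIX = re.compile(r"^\s*(?:AW|WG|Re|Fwd?)\s*:", re.IGNORECASE)
# A quoted header block inside the body, as a pasted (or faked) mail history leaves it.
QUOTED_HEADER = re.compile(r"^(?:From|Von|Sent|Gesendet):\s", re.MULTILINE)

def fake_chain_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like a faked conversation chain.
    A reply or forward produced by a real mail client normally carries
    In-Reply-To and/or References headers; a freshly composed phishing mail
    that only fakes the subject line and pastes a history usually does not.
    This is a triage signal for the reporting process, not a blocking rule."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    reasons = []
    if THREAD_PREFIX.match(subject) and not threaded:
        reasons.append("reply/forward prefix in subject but no In-Reply-To/References")
    if QUOTED_HEADER.search(text) and not threaded:
        reasons.append("quoted mail history in body but no threading headers")
    return reasons

# Constructed sample messages (not real mail): a faked chain and a genuine forward.
FAKED_CHAIN = "\n".join([
    "From: Accounting <billing@example.invalid>",
    "To: employee@example.invalid",
    "Subject: AW: Invoice 4711",
    "Message-ID: <one@example.invalid>",
    "",
    "Attached is the invoice, please approve it today.",
    "",
    "Von: employee@example.invalid",
    "Gesendet: Monday, 10:12",
])
GENUINE_FORWARD = "\n".join([
    "From: colleague@example.invalid",
    "To: employee@example.invalid",
    "Subject: Fwd: Invoice 4711",
    "Message-ID: <two@example.invalid>",
    "In-Reply-To: <zero@example.invalid>",
    "References: <zero@example.invalid>",
    "",
    "For your information.",
    "",
    "From: employee@example.invalid",
])

if __name__ == "__main__":
    for name, raw in (("faked", FAKED_CHAIN), ("genuine", GENUINE_FORWARD)):
        print(name, fake_chain_indicators(raw))
```

Forwards from some clients omit threading headers, so treat a hit as a reason to check the message, as the article's reporting process asks, not as proof of phishing.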


Are Phishing Emails Restricted to Private Users Only?


No, phishing emails are part of everyday life for companies too. Dealing with applications for advertised positions or invoices is part of day-to-day business. Attackers take advantage of the usual way of handling these emails, since employees tend to be inattentive during routine work. Again and again, the time pressure that attackers build up in the emails forces the victims to act quickly and rashly. So very human characteristics are being exploited. Once an employee is convinced that he should enter his password on a website for legitimate reasons, for example, good technical security measures such as two-factor authentication can be bypassed.

Phishing is becoming more and more sophisticated: although countless mass emails continue to land in mailboxes, the risk of targeted attacks has increased. To do this, the attackers spy on their victim on social media or on the company homepage and, based on this, create a customized phishing email. In it, they refer, for example, to an event that an employee has attended. Such so-called spear-phishing emails can hardly be distinguished from real messages. If attackers use malware such as Emotet to read out existing e-mail histories and send e-mails from within the organization with an infected attachment, it becomes even more difficult to detect them. A state-of-the-art AV solution is needed here. Cybercriminals also use this route to attack other victims.


Are There Typical Characteristics for A Phishing Email?


It depends on the type of attack. In the case of simple mass spam emails, for example, the direct salutation is missing; such an email is often addressed "Dear customer". Also, the email often contains spelling and grammatical errors or is illogical in its argumentation, so that it is actually easy to identify as a forgery. And yet enough recipients fall for the message.

The situation is different with spear phishing. The mail is elaborately designed and adapted directly to the victim. It is much more difficult to identify the fraud. Most of the time, the forgeries are very close to the original and can only be recognized by small deviating details. A typical example is emails with contact requests from a social network. Anyone suspicious here should under no circumstances click on the link in the email, but visit the website directly, because a legitimate contact request is also displayed there, and the user thus lowers the risk of falling victim to a phishing attack.


Why Do Companies Need to Sensitize Their Employees to the Topic of IT Security?


In our everyday work, but also in private life, many processes are fully automated and IT-supported. A secure supply of digital information is now just as important as the supply of electricity or water. But when it comes to IT security, board members, managing directors, and employees still turn a blind eye. Many employees use easy-to-remember passwords for their IT user accounts, but simple passwords can be cracked very quickly. If attackers also obtain the login data of an IT administrator, they have reached their goal quickly and can operate freely in the company network.


How Can Companies Support Their Employees so That They Do Not Click on Phishing Emails?


Companies have to take a holistic view of IT security. In addition to technical security measures, employees should become part of the defense strategy. A training video that informs employees about phishing emails and other cyber threats is not sufficient here. Even a two-day classroom training does not go far enough in the long run. Raising employee awareness of IT security risks is a long-term process. In my opinion, this is only possible with the help of extensive security awareness training. When employees are aware of the risks, they act more cautiously and deal more critically with emails. At the same time, they also have an understanding of password requirements and other security-related issues.


What Role Do Phishing Simulations Play in Security Awareness Training?


With phishing simulations, employees can gain practical experience with dangerous emails. This enables them to deal with phishing more routinely and increases their self-confidence. Companies can use a simulation to measure the status of their IT security. A report shows the person responsible whether and how many employees have opened a dangerous email and even clicked on the link. This makes it clear how great the need for action is and where it lies. Companies should then conduct security awareness training to sustainably improve employee awareness of cyber threats and to build up knowledge. Anyone who then runs another phishing simulation can see how the security level in the company has improved.


How Should a Phishing Simulation Be Structured?


Ideally, the exercise should last three to four weeks. Phishing emails should cover different levels of difficulty. The time component, i.e. the time of dispatch, should also vary because the attention of employees is not constant. For example, some employees are no longer as attentive in anticipation of the end of the day or the weekend as they were at the beginning of the working day. I'm pretty sure that every employee will fall for at least one email. But it is precisely from this mistake that they learn the most.
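The reporting described in the two answers above (who opened, who clicked, and how that changes after training, broken down by difficulty level and dispatch time) can be computed from a simple per-recipient result log. This is an added example, not the article's or any vendor's reporting code; the event rows, the difficulty scale and the time buckets are constructed assumptions.

```python
from collections import defaultdict

# Constructed results of two simulation rounds (not real data). Each row is one
# recipient of one simulated mail: (round, difficulty, send_hour, user, outcome).
# round 1 ran before awareness training, round 2 after it; difficulty 1 is an
# obvious mass mail, 3 a spear-phishing style message; outcome is the furthest
# step the recipient took: ignored, opened, clicked or reported.
EVENTS = [
    (1, 1, 9, "u01", "reported"), (1, 1, 9, "u02", "opened"), (1, 1, 9, "u03", "clicked"),
    (1, 2, 13, "u01", "clicked"), (1, 2, 13, "u02", "clicked"), (1, 2, 13, "u03", "ignored"),
    (1, 3, 16, "u01", "clicked"), (1, 3, 16, "u02", "clicked"), (1, 3, 16, "u03", "clicked"),
    (2, 1, 9, "u01", "reported"), (2, 1, 9, "u02", "reported"), (2, 1, 9, "u03", "reported"),
    (2, 2, 13, "u01", "reported"), (2, 2, 13, "u02", "opened"), (2, 2, 13, "u03", "ignored"),
    (2, 3, 16, "u01", "clicked"), (2, 3, 16, "u02", "reported"), (2, 3, 16, "u03", "opened"),
]

def time_slot(hour):
    """Coarse dispatch-time bucket; 'late' is the end-of-day attention dip."""
    return "morning" if hour < 12 else "afternoon" if hour < 15 else "late"

def rates(events, key):
    """Click rate and report rate per group, where key(event) names the group."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for ev in events:
        g = key(ev)
        sent[g] += 1
        clicked[g] += ev[4] == "clicked"
        reported[g] += ev[4] == "reported"
    return {g: {"click_rate": round(clicked[g] / sent[g], 2),
                "report_rate": round(reported[g] / sent[g], 2)} for g in sent}

def campaign_summary(events):
    """Per round: overall rates plus breakdowns by difficulty and dispatch time."""
    summary = {}
    for rnd in sorted({ev[0] for ev in events}):
        evs = [ev for ev in events if ev[0] == rnd]
        summary[rnd] = {"overall": rates(evs, lambda ev: "all")["all"],
                        "by_difficulty": rates(evs, lambda ev: ev[1]),
                        "by_time": rates(evs, lambda ev: time_slot(ev[2]))}
    return summary

def click_rate_change(events, before, after):
    """Drop in overall click rate between two rounds (positive = improvement)."""
    s = campaign_summary(events)
    return round(s[before]["overall"]["click_rate"] - s[after]["overall"]["click_rate"], 2)

if __name__ == "__main__":
    for rnd, data in campaign_summary(EVENTS).items():
        print(f"round {rnd}: {data}")
    print("click rate improvement:", click_rate_change(EVENTS, 1, 2))
```

The report rate matters as much as the click rate: a rising report rate shows the reporting process from the next answer is actually being used.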


What Do Companies Have to Consider if They Want to Run a Phishing Simulation?


Of course, companies have to comply with general labor law. They should therefore involve the data protection officer or the works council at an early stage.

From my point of view, however, another point is much more crucial: a phishing simulation needs a suitable framework. This includes, for example, a reporting process for suspicious emails. In the event of suspicion, suspicious messages should not simply be deleted, but checked. The IT security officers can then immediately initiate measures if the suspicion is confirmed. This includes, for example, adapting the spam filters used so that these emails are blocked directly. A company culture is also required that protects employees who have fallen for a phishing email. Only those who speak openly about this behavior and do not sanction it create awareness of the existing risk within the workforce.

All employees should have good security practices like using antivirus software.
