As the saying goes the best things in life are free. Security professionals spend significant amounts of time on anti-phish training and many have paid anti-phishing simulation campaigns to maintain that ongoing training effort. However every organization has one very important weapon in their fight against phishing fraud. One very important and very cost effective, as in free, weapon!
I discovered this weapon when other staff members in the organization forwarded phish emails into the information security office. The quality of the phish emails was very good. No spelling mistakes and excellent grammar. The wire instructions in the Business email compromise (BEC) phish emails were well laid out. The email had all the hallmarks of a professional spear phish. Yet my people were catching these phish emails very easily. The folks catching the phish and forwarding to me were not computer geeks but regular office staff with average skills in computing and security awareness. How were these folks able to spot these sophisticated spear phish and regular phish attacks?
[ MORE ON CSO: Inside a phishing attack ]
The more I dug in I realized that while the malicious phish campaign had taken pains to craft a well-polished and targeted phish, they tripped up on some common details:
- The salutation was off. Somebody we refer to as William was named as a Bill in the email or the other way around. James in accounting was referred to as James in the email and not what we normally used, which was ‘Jim’
- The sender signature was incorrect in a similar manner; For example the phish email would say John Doe instead of simply John
- The style of the content was different. The wording of the content seemed different. The email was often very abrupt with no ‘please’ or in some cases no sender name in the message body.
All the above clues, individually and collectively were immediately picked up by the regular office staff. Each clue, by itself and in tandem with the other clues gave the phish email away. Moreover since this group of people had worked together for many years they were very familiar with the routine exchange of email and consequently they knew immediately when something didn’t sound right. They knew this because the organizational culture was very close and consisted of long standing relationships. In addition to the above clues, they also knew that if their finance colleague wanted a wire transfer he would always call and never email.
The organizational culture instinctively and intuitively gave them all the tools to spot a phish. No technical tools, but the cultural human element allowed our close knit humans to immediately spot complex spear phish campaigns.
This close knit and well connected organization working culture was my best weapon to identify and defeat the phish campaign! And best of all it was already there - no purchase needed!
For security professionals, it is important to recognize where these pockets of organizational awareness and culture exists in your organization. For these pockets, target training around building up and reinforcing this cultural element. Ask these teams to recognize this inherent strength that they possess. The messaging to these teams from information security office is to affirm that their team culture is what makes them great. In my security awareness training sessions I specifically call out this organizational cultural strength and ask the various teams for their subtle tips that they use within the team to recognize the phish.The teams do appreciate this message of recognition.
Also in these cultural mature teams, new employees become the highest risk because they do not have the cultural defense that the rest of the team members have gathered over time. These teams therefore need an emphasis on new employee training. In addition to the standard information security training, ask the team lead to spend some time educating the new employee on the subtle cultural ways of working within the team that the employee should be aware of.
So identify and recognize the existence of this free tool of cultural and organizational relationships. Reaffirm and build upon this tool as your primary anti-phish weapon. It is undoubtedly the best and most cost effective tool in the security officer’s anti-phish arsenal.
This article is published as part of the IDG Contributor Network. Want to Join?