Thanks for all the phish

Controlling spam and phishing messages is critical to tight information security


Some years ago, a popular spam message began making the rounds with a title that read something like "Did you enjoy your free cup holder?" Clicking on the link or attachment would cause your CD drive bay to pop open, which had a hole in it the size of a standard cup. Versions of that old joke still linger today. We should have realized at the time that it was a harbinger of bad things to come.

Verizon, in its 2015 Data Breach Investigations Report, found that for three years running phishing had been a factor in more than two-thirds of cyber-espionage incidents. More worrying still, users are acting on these messages at a higher rate than ever: as of the 2015 report, 23% of recipients opened the phishing message and 11% clicked on its attachment or link.

"Phishing" is defined by Webopedia as "the act of sending an email to a user falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." It is very often employed as part of an attempt to gain access to accounts at banks or other financial institutions, and just as often, as the Verizon figures above show, to harvest the corporate credentials or plant the malware that opens the door to a larger intrusion.

Making the news recently has been a malware type known as "ransomware." Essentially, a ransomware message attempts to get a small program onto your PC, by way of an attachment or a link, that encrypts your files, including any on network shares the PC can reach. The perpetrator then attempts to extort money from you in exchange for the decryption key, which you may or may not ever see even if you pay the ransom; the only reliable recovery is a backup the malware could not touch. This threat has become so pervasive that the FBI was prompted to issue a warning about it in January. One widely reported family, known as CryptoWall, has been making news in the last few months, with thousands of people being forced to pay to restore their data.

I suspect most of you already appreciate the dangers of phishing. At the same time, given the number of users opening and acting on phishing messages, we are clearly not getting the job done in terms of prevention. The following are specific suggestions for controlling phishing. Check this list against your current measures, and consider acting on any you have not implemented:


User education and awareness is the most fundamental approach to prevention, and in my experience, the least implemented. I think this is in part due to the perception by many that users are already educated, or that this approach is futile. In The Art and Science of Phishing, I cited a Carnegie Mellon study showing conclusively that the proper training reduces the incidence of user opens and clicks. I could probably write an entire book on awareness training, but in the interim, there are a variety of ways to achieve this. There are plenty of organizations that will perform customized live or Web-based training as a service, and you can find some templates online that you can use yourself. My favored approach is Web-based training. The best products are self-paced, include testing and reporting, and add a note of fun to keep the user's attention. I recently vetted a product from eLearning Corner for a customer, and found it to be good and affordable.

To address just the specifics of phishing, Dell recently published a free, online quiz that is great for user self-assessment. It is challenging; very few pass on the first try.


In reality, the only way to fully assess the extent of your users' phishing awareness is to test them. To help with this, a number of products have been introduced that will send customized fake phishing messages to your users and report back how many opened them and how many acted on the links. One example is PhishGuru, but the product category is growing. Various free tools are available for those with sufficient technical skills; Lucy, one such example, is free for download within certain usage limits. Whatever you use, coordinate the test with your help desk and with whoever runs your mail filtering, so the simulated messages are actually delivered and so the users who report the message are counted as a success rather than brushed off.
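The reporting these products do is straightforward to reproduce, and seeing it spelled out makes clear what the open and click numbers actually measure. The following is an added example written for this article, not code from PhishGuru, Lucy or any other product: each recipient gets an opaque HMAC-derived token that is embedded in a 1x1 image beacon URL and in the fake login link, and opens and clicks are then recovered from ordinary web-server access logs. The campaign secret, the training.example.internal host, the recipient list and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumptions for the example: a per-campaign secret and the host that serves
# the beacon image and the fake login page.  Both are made up.
CAMPAIGN_SECRET = b"campaign-2015-q2-secret"
TRACKER_HOST = "https://training.example.internal"

# Constructed recipient list.
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def token_for(address, secret=CAMPAIGN_SECRET):
    """Opaque per-recipient token: truncated HMAC-SHA256 of the normalised address.

    The access log therefore never contains e-mail addresses, and a user who
    edits the URL cannot produce a token that maps to a colleague."""
    mac = hmac.new(secret, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_urls(address, secret=CAMPAIGN_SECRET):
    """URLs to embed in the simulated phish: 1x1 image beacon and 'login' link."""
    t = token_for(address, secret)
    return {"beacon": f"{TRACKER_HOST}/b.gif?t={t}",
            "click": f"{TRACKER_HOST}/login?t={t}"}


# Matches the request and status fields of a common/combined-format access log.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d" (\d{3})')


def parse_events(log_lines):
    """Map token -> set of events ('open', 'click') seen in the access log."""
    events = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m.group(2).startswith("2"):   # ignore failed requests
            continue
        url = urlparse(m.group(1))
        t = parse_qs(url.query).get("t", [None])[0]
        if t is None:
            continue
        if url.path == "/b.gif":
            events[t].add("open")
        elif url.path == "/login":
            events[t].add("click")
    return events


def report(recipients, log_lines, secret=CAMPAIGN_SECRET):
    """Per-user outcome plus campaign open and click rates.

    A click implies an open: many mail clients block remote images, so the
    beacon alone under-counts opens.  Tokens never issued to a recipient are ignored."""
    events = parse_events(log_lines)
    per_user = {}
    for addr in recipients:
        ev = events.get(token_for(addr, secret), set())
        clicked = "click" in ev
        per_user[addr] = {"opened": clicked or "open" in ev, "clicked": clicked}
    n = len(recipients)
    return {
        "recipients": n,
        "open_rate": sum(r["opened"] for r in per_user.values()) / n,
        "click_rate": sum(r["clicked"] for r in per_user.values()) / n,
        "per_user": per_user,
    }


def sample_log():
    """Constructed access-log lines for the example (not real traffic)."""
    ta, tb, tc = (token_for(a) for a in RECIPIENTS[:3])
    return [
        f'10.0.0.5 - - [01/Jun/2015:09:12:01 +0000] "GET /b.gif?t={ta} HTTP/1.1" 200 43',
        f'10.0.0.5 - - [01/Jun/2015:09:12:09 +0000] "GET /login?t={ta} HTTP/1.1" 200 1822',
        # Bob's client blocked images, but he clicked the link.
        f'10.0.0.9 - - [01/Jun/2015:09:30:44 +0000] "GET /login?t={tb} HTTP/1.1" 200 1822',
        # Carol previewed the message (beacon loaded) but did not click.
        f'10.0.0.7 - - [01/Jun/2015:09:41:10 +0000] "GET /b.gif?t={tc} HTTP/1.1" 200 43',
        # Someone guessed a token; it maps to nobody and is ignored.
        f'10.0.0.9 - - [01/Jun/2015:09:31:02 +0000] "GET /login?t=deadbeefdeadbeef HTTP/1.1" 200 1822',
        # A failed request does not count.
        f'10.0.0.12 - - [01/Jun/2015:10:01:17 +0000] "GET /b.gif?t={tb} HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    r = report(RECIPIENTS, sample_log())
    print(f"opened {r['open_rate']:.0%}, clicked {r['click_rate']:.0%}")
    for addr, outcome in r["per_user"].items():
        print(f"  {addr:20} {outcome}")
```

Two design points worth noting. The token is keyed, not a plain hash, so a user who tampers with the URL cannot implicate someone else and the log can be shared with the help desk without exposing addresses. And a click is counted as an open regardless of whether the beacon loaded, because image blocking in mail clients makes the beacon a floor on opens, not a measurement.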

Your users cannot act on a phishing message if they never receive it. Various email filtering products are able to spot suspicious messages (and much of your general spam as well) and block them. I have been a user of CloudMark's DesktopOne free version with Outlook for a number of years, and can honestly say that a phishing email rarely gets through to my inbox. A free version of MailWasher covers Gmail users. Microsoft has incorporated antispam capabilities in Exchange, and a variety of products will add to this protection. Various firewalls incorporate some antispam and antiphishing filtering that is applied as mail enters the network, and appliances such as those from SonicWall and Barracuda provide turnkey solutions. No filter catches everything, though, so filtering complements the training and testing above rather than replacing them.
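To make concrete what "spotting a suspicious message" means, here is an added example, written for this article and not the filtering logic of CloudMark, MailWasher, Exchange or any appliance, that runs a handful of the classic header and link heuristics over a raw message using only the Python standard library: a display name that itself looks like an address at another domain, a Reply-To that diverts replies elsewhere, SPF/DKIM/DMARC failures recorded by the receiving mail server, and links whose visible text names one site while the href goes to another or to a bare IP address. The two sample messages, their bank.example and corp.example domains, and the TEST-NET address 203.0.113.7 are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude registrable domain (last two labels); enough for this heuristic."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    from_dom = registered_domain(sender.domain) if sender else ""
    # 1. A display name that is itself an address at a different domain.
    if sender and "@" in sender.display_name:
        shown = registered_domain(sender.display_name.rsplit("@", 1)[1])
        if shown != from_dom:
            findings.append(f"display name shows {shown} but sender domain is {from_dom}")
    # 2. Reply-To diverting replies to another domain.
    reply = msg["Reply-To"]
    if reply and reply.addresses:
        reply_dom = registered_domain(reply.addresses[0].domain)
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. SPF/DKIM/DMARC failures stamped in by our own receiving MTA.
    for hdr in msg.get_all("Authentication-Results", []):
        for m in AUTH_FAIL.finditer(str(hdr)):
            findings.append(f"{m.group(1).lower()}={m.group(2).lower()}")
    # 4. Links whose visible text and real target disagree, or that go to a bare IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if IPV4.fullmatch(host):
                findings.append(f"link to raw IP address {host}")
            m = DOMAIN_IN_TEXT.search(text)
            if m and registered_domain(m.group(1)) != registered_domain(host):
                findings.append(f"link text shows {m.group(1)} but goes to {host}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""From: "accounts@bank.example" <alerts@mailer-verification.example>
Reply-To: collect@free-mail.example
To: victim@corp.example
Subject: Your account has been limited
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer-verification.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account within 24 hours.</p>
<p><a href="http://203.0.113.7/login">https://www.bank.example/secure</a></p>
<p><a href="https://www.bank.example/help">Help</a></p></body></html>
"""

SAMPLE_CLEAN = b"""From: "IT Helpdesk" <helpdesk@corp.example>
To: victim@corp.example
Subject: Password expiry reminder
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
Content-Type: text/html; charset=utf-8

<html><body><p>Reset at <a href="https://sso.corp.example/reset">https://sso.corp.example/reset</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, phishing_indicators(raw) or "no indicators")
```

The Authentication-Results check is the one worth trusting most, because it reports what your own mail server verified about the sending domain; the others are heuristics that a well-crafted message can avoid, which is exactly why the training and testing above still matter.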


As the saying goes, forewarned is forearmed, so simply keeping up with active threats and warning your users can be a great help. The Anti-Phishing Working Group is a good general resource on what is happening in the world of phishing. The United States Computer Emergency Readiness Team (US-CERT) accepts phishing reports and issues alerts for major outbreaks. You can also follow various Twitter users (myself included) who tweet about significant outbreaks.

With much of our information security exposure today related to phishing, you cannot afford not to take every measure you can to prevent being a victim. To paraphrase what one of my favorite authors, Douglas Adams, might say, "So long, and thanks for all the phish."

Copyright © 2015 IDG Communications, Inc.