Anyone can be phished with the right targeted spear-phishing campaign, but we all know that person in our organization who will click on any phishing email no matter how fake it appears to everyone else. How do you reach that type of clicker?
Intelligence is no indicator of whether a person will be overly susceptible to a phishing attack. Some of the world’s smartest people, including doctors, lawyers, engineers, scientists and even Nobel Prize-winning physicists, have fallen victim to phishing scams. So, what makes a person overly susceptible to phishing attacks? How can you change your security awareness training strategy to account for them?
The good news is that people are studying the issue, trying to determine what attributes make a person more susceptible to phishing. Dr. Matthew Canham, for example, is currently a post-doctoral scholar with the Institute of Simulation and Training at the University of Central Florida. His research focuses on the topics of spear-phishing vulnerabilities, human hacking and online influence. His research aims to identify the individual traits that predict which users will most likely fall victim to repeated phishing and other social engineering attempts.
Phishing victims are the least criminally minded
Bless those Ph.D.’s! When I first met Dr. Canham I got super excited. We all talk about humans being the weakest link in computer security (not necessarily true), but here was a guy researching and collecting data about why that is so. If you want to change the world, you need data. I predict Dr. Canham will be in demand for his services when he gets through with his scholarship duties.
As with any complex issue, no single trait makes a person more or less susceptible, but Dr. Canham said early observations appear to indicate a common factor: the less criminally minded a person is, the more likely they are to fall victim to all social crimes, including phishing. That makes complete sense. It sounds almost too obvious to need proving, except that now we have scientists collecting data to back it up.
Think about it. Why do some people believe that Microsoft is proactively calling them to help remove a remotely detected virus, when we know the reality is so different? Those of us with technical training know that not only won’t Microsoft call you unprompted, but you’d have a hard time even finding a real Microsoft tech support phone number on the Internet that actually reaches Microsoft. Even with the right number and an offer to pay $200, you’ll have a hard time getting a human at Microsoft to help you. That’s the reality. They certainly aren’t proactively calling to warn you about an infection.
Or why do people believe that the IRS is calling them to say they will be arrested if they don’t rush to the Walmart and buy multiple gift cards to pay off a supposed fine? Why do they think the IRS wants gift cards but won’t accept credit cards? Or that someone on Craigslist wants to sell something for half price and pay shipping? Or that Yanni or Bruce Springsteen is in love with them but needs their money because the star’s wife or entourage is controlling their money? It’s crazy!
The answer is they simply don’t know.
They don’t know that Microsoft doesn’t proactively call and help people. They don’t know that the IRS doesn’t call and accept gift cards to settle fines. They don’t know about Craigslist scams. They assume Craigslist will somehow protect them from fraud because “obviously Craigslist wouldn’t let scammers operate on its site!” The other party even chooses an “independent escrow agent” and sends a check ahead of time that the victim can deposit in their own account. They don’t know that the bank makes the funds available before the check has actually cleared. They’ve believed their entire lives that when a bank accepted a check, it meant the check was good. They didn’t know the bank could come back days later and hold them responsible for the whole amount.
How can you stop a scam that exploits the belief system of someone who has never been exposed to these scam methods? That’s the whole purpose of security awareness training: make potential victims aware of what could be perpetrated against them. The more people know about the types of scams being committed, the less likely they are to be scammed.
Stressors, greed and sex drive phishing success
Add to that the fact that scammers usually include a “stressor event” in their pitch to push victims past their normal, healthy level of skepticism. Wire-transfer fraudsters claim that a bill is overdue or that a big business deal is about to fall through unless the victim wires money right away. Fake “your computer is infected” scams tell the victim they will lose all their data or have their most intimate personal moments broadcast to the world. Or fraudsters simply appeal to the lowest common denominators of greed or sex. We are all just human, looking for a better life, a better relationship, or both.
Some phishing emails are so well crafted, relevant and stress producing that you can see how some otherwise normal people get sucked in by the fraud. Then you have those users who seem to get sucked into every phishing scam. They act like they’ve never seen a Nigerian scam email before.
When I was working for an accounting firm many years ago, one lawyer opened emails generated by the Iloveyou worm three times in two days, infecting the email system at the firm each time. I asked him, “Doesn’t this email subject of Iloveyou look familiar?” He replied, “No.” I said, “Well, right now no one loves you!” We all have those end users who are not just missing a healthy level of skepticism but seem as if they might actually enjoy hosing the company because they are so click happy.
How to solve the phish-prone, click-happy user problem
First, remember that the most common trait they all share is they don’t think like the criminals trying to scam them. They are innocent and naïve. Start by educating them.
When we were young, our parents taught us to look both ways before crossing the road. It takes time, but with enough repetition, every young boy and girl soon looks left and right before stepping off a curb without even thinking about it. That’s what you want anti-social-engineering training to achieve.
Train, train, train, and train often. How often? Many studies show that training only once or twice a year is not very effective. Training more often than that gives some reasonable payback, and at least once per month seems to be the sweet spot. Start by giving every employee a relatively long (15 to 60 minutes) security awareness training session. Then follow that with shorter (say, 5 minutes or less) trainings every month.
You want the trainings to be relevant, covering recent hot topics that reflect what’s going on in the real world. It’s becoming the norm for companies to send simulated phishing emails to test employees. Years ago, you might have been warned or even fired for “testing” employees, especially if one of the employees who failed the test was the CEO. Today, simulated phishing is accepted in most organizations. Just make sure not to surprise your CEO. It’s best if all employees know that tests happen.
Test using specific phishing attempts that are relevant to people’s lives. For your frequent clickers, this means sending repeated tests that are relevant to their job function. For example, if they work in accounting or can wire money, test them with wire transfer fraud tests. If they can’t wire money, don’t use that sort of test.
Around special times of the year, like Christmas, send holiday-related phishing tests (e.g., “Fill out this free survey to win a $100 gift card”). After national tragedies, send related phishing emails, such as charity requests. Intermix job- and season-specific tests with general tests (“Free donuts!”) that could apply to anyone. The idea is to send a good mix of tests and education, and to link the two together: train, then test, and repeat. If someone fails a test phishing email, give them training immediately. Even waiting just a few days diminishes the value of the training.
More carrot, less stick improves phishing training effectiveness
Just a few years ago, the thinking was that frequent clickers needed to be threatened with losing their jobs for failing multiple phishing tests. Today’s mantra is “more carrot, less stick.”
Instead of making it a culture of punishment for missing something, give prizes for getting X number of tests right in a row. Possibly bring the whole team into the contest. For example, to the individual bad clicker say, “If you get three tests in a row correct, we’ll give you a $10 gift certificate. But if you get 10 tests in a row correct, we’ll send your whole team out for a free lunch at a nearby restaurant of their choice. We won’t tell your team we made the larger offer.”
What you’re trying to do is encourage them to be a hero, and by hero I mean someone who goes from being a frequent clicker to someone who responds correctly when faced with ordinary phishing emails. If the frequent clicker improves their behavior, even a little, ask whether they would be willing to share with new employees how “they used to get fooled.” You want them to see what they are doing as a positive experience.
Build a culture of acceptance and communication around phishing awareness
You also want to foster a culture that communicates that anyone can be successfully phished. You want them to feel like part of a team, not an outcast. You want to communicate that it’s OK to make mistakes, but it’s also just as OK to report a suspected email as a phish even when they aren’t sure. You want to say, “When in doubt, chicken out, and report the email.”
At one time we all peed the bed. Some of us took a little longer than others to get over that behavioral hump. It’s not as natural to some as it is to others. Be patient, be encouraging, but be consistent, and you’ll convert your frequent clickers, too.