Thanks for all the phish

Opinion
Jul 22, 2015 | 5 mins
Data and Information Security, Phishing, Security

Controlling spam and phishing messages is critical to tight information security


Some years ago, a popular spam message began making the rounds with a title that read something like “Did you enjoy your free cup holder?” Clicking on the link or attachment would cause your CD drive bay to pop open, which had a hole in it the size of a standard cup. Versions of that old joke still linger today. We should have realized at the time that it was a harbinger of bad things to come.

Verizon, in its 2015 Data Breach Investigation Report, found that for three years running, phishing attacks were a factor in over two-thirds of cyber-espionage incidents. More astounding is the fact that more people than ever are acting on these messages, having increased to 23% opens and 11% clicks as of the 2015 report.

“Phishing” is defined by Webopedia as “the act of sending an email to a user falsely claiming to be an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.” It is very often employed as part of an attempt to gain access to accounts at banks or other financial institutions.

Making the news recently has been a malware type known as “ransomware.” Essentially, a ransomware message attempts to download to your PC a small program that encrypts all of your files. The perpetrator then attempts to extort money from you in exchange for the encryption key, which you may or may not ever see, even if you pay the ransom. This threat has become so pervasive that the FBI was prompted to issue a warning about it in January. The newest variant of this malware, known as CryptoWall, has been making news in the last few months, with thousands of people being forced to pay to restore their data.

I suspect most of you already appreciate the dangers of phishing. At the same time, given the number of users opening and acting on phishing messages, we are clearly not getting the job done in terms of prevention. The following are specific suggestions regarding control of phishing. Check this list against your current measures, and consider acting on any you have not implemented:

Education

User education and awareness is the most fundamental approach to prevention, and in my experience, the least implemented. I think this is in part due to the perception by many that users are already educated, or that this approach is futile. In The Art and Science of Phishing, I cited a Carnegie Mellon study showing conclusively that the proper training reduces the incidence of user opens and clicks. I could probably write an entire book on awareness training, but in the interim, there are a variety of ways to achieve this. There are plenty of organizations that will perform customized live or Web-based training as a service, and you can find some templates online that you can use yourself. My favored approach is Web-based training. The best products are self-paced, include testing and reporting, and add a note of fun to keep the user’s attention. I recently vetted a product from eLearning Corner for a customer, and found it to be good and affordable.

To address just the specifics of phishing, Dell recently published a free, online quiz that is great for user self-assessment. It is challenging; very few pass on the first try.

Testing

In reality, the only way to fully assess the extent of your user phishing awareness is to test your users. To help with this, a number of products have been introduced that will send customized fake phishing messages to your users and report back the number who opened them, and acted on links. One example is PhishGuru, but the product category is growing. Various free tools are available for those with sufficient technical skills. Lucy, one such example, is free for download within certain usage limits.


Blocking

Your users cannot act on a phishing message if they never get it. Various email filtering products are available which are able to spot suspicious messages (and much of your general spam as well), and block them. I have been a user of CloudMark’s DesktopOne free version with Outlook for a number of years, and can honestly say that a phishing email rarely gets through to my inbox. A free version of MailWasher covers Gmail users. Microsoft has incorporated antispam capabilities in Exchange, and a variety of products will add to this protection. Various firewalls incorporate some antispam and antiphishing filtering capabilities that are employed as data enters the network, and appliances, such as those from SonicWall and Barracuda, provide turnkey solutions.

Intelligence

As the saying goes, forewarned is forearmed, so just keeping up with active threats and warning your users can be a great help. The Anti-Phishing Working Group is a good general resource on what is happening in the world of phishing. The United States Computer Emergency Readiness Team (US-CERT) takes phishing reports and will issue alerts for major outbreaks. You can also follow various Twitter users (myself included) who issue tweets for significant outbreaks.

With much of our information security exposure today related to phishing, you cannot afford not to take every measure you can to prevent being a victim. To paraphrase what one of my favorite authors, Douglas Adams, might say, “So long, and thanks for all the phish.”

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
