Running a Successful Phishing Simulation
Simulating a phishing attack can be part of staff security training and will increase awareness of genuine phishing threats.
Fraudulent phishing attacks may be the first step in a chain of events leading to personal, corporate or financial data loss. Users probably recognise the grammatically poor request to help out a Nigerian prince. Successful phishing attacks tend to be much more sophisticated and are still a major threat vector for organisations. What may be a laughable fake to one user could appear plausible to another. A recipient would not usually click on an uninvited parcel delivery link, but what if they were expecting a package? Spear phishing ups the ante by targeting specific user emails rather than opening with a generic ‘Dear Sir/Madam’, giving a greater chance of attracting the mark.
Phishing is best prevented by training the user to recognise the initial emails and to report them to the relevant authority. These reports will in turn allow phishing source addresses to be blocked and employees to be made aware of current threats. One aspect of this will be taught or self-paced learning. In addition, simulated phishing attacks will show how susceptible employees are to phishing while exposing them to realistic yet harmless threats. The phishing emails are sent out by or on behalf of the organisation and any linked websites are under its control.
Software toolkits are available to simulate phishing campaigns. Some run on a software-as-a-service model; others require installing dedicated software. They allow phishing emails to be crafted and will report on the quantity of emails opened, replied to or embedded links clicked. The organisation should also have a procedure in place for reporting phishing attacks so that it can also harvest the number of reports linked to the simulated campaign. Be aware that there is a very slight chance that any website offering such a service could itself be hosting malware. Any user should carefully check the URL and search engine results before signing up or downloading software.
A real-world campaign run by an Italian hospital with 6,000 staff is documented in ‘Digital Health, March 2022’. This not only includes details of the campaign and its results but also throws up other questions that need to be considered when planning such an exercise.
Should the users be aware that a simulated campaign is running? Senior management and technical staff do need to know about and be on board with the exercise. If other users are not aware then the response to the phishing emails will be a better representation of their awareness. This approach does throw up privacy and employee well-being issues. It would not be reasonable to taunt or tease employees within the phishing emails, perhaps with promises of rewards or threats of account access restrictions. A real phishing email might do this to encourage a click-through, but within a corporate exercise this might break employee working practice rules. A web link from the phishing email could require the mark to enter account details. The company may already have these details, but within a system of restricted access and encrypted passwords; the simulated phishing site might collect them as clear text. These issues can be overcome by mandatory training before the phishing begins and the adoption of an employment clause that allows the company to send out emails or other messages to test security compliance.
What content should be in the phishing emails? Several emails can be sent spaced over several months, with each becoming more plausible than the previous. Poor grammar is usually an obvious red flag for any phishing attempt. The content of proposed emails will need to be drafted or approved in house before they are used in a campaign. If an email is too generic it is likely to end up in a Spam folder. There it is not likely to be actioned and will not provide useful data on its effect, although it will prove the efficiency of the Spam filter. If day-to-day work requires frequent checking of the Spam folder and moving messages into the main inbox, there is an increased likelihood of real phishing emails being retrieved from Spam and actioned.
Should emails be directed or anonymous? Phishing emails are more likely to be actioned if they are directed to the addressee and come from a believable source. Any email needs an address to send it to. Many phishing emails try a range of addresses based on a common domain (they do not worry about those that bounce back). Scammers can also merge the relevant subject name into the text. An email sent to June.Smith@anything.com would begin Dear June or Dear Ms Smith. A message beginning with Dear Customer is more likely to be false. Having the email come from a known source should make it more successful. In an exercise this will require some genuine members of staff to know that their email address, or a close copy of it, will be in use. They will need to be aware of new emails related to the simulation or of genuine emails lost in their new fake address. These factors should be considered where the campaign will consist of (hopefully) increasingly believable phishing attacks.
What will the phish link to? A simple result is to have a mark reply to the phishing email. Checking the sender’s account will indicate who has responded and when. A more sophisticated tool is to have a link redirecting to a webpage on a server. If the server exists but not the page, then 404 (page not found) errors will still provide some response data in the web server logs. Having a believable page allows the opportunity to have the user enter data. We would not only know who clicked (from the source IP) but what data they entered. This page needs to be sophisticated enough to trap the user; a simple JavaScript-style pop-up would not fool many users. It must also avoid being threatening; the employee must not feel that they are somehow at fault. This is foremost a training and awareness exercise. The linked page should not offer a reward or prize, since the company would then have to be prepared to pay it out. Any reward also runs the risk of how to achieve it being shared, with users clicking through the phish solely for the reward, making it impossible to judge how effective the campaign might have been.
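As an added example (not from the article or from Kindus), the following Python parses constructed web-server access log lines from the page a simulated campaign links to and works out the click and report figures the article describes. It assumes the simulation tool issues one unique token per recipient in the link; the log lines, tokens, names and report list are all constructed.

```python
import re

# Constructed Apache-style access log lines for a simulated campaign.
# A request for /notice?t=<token> is treated as click evidence even when the
# page itself is missing (404), because the request still reached the server.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2022:09:14:02 +0000] "GET /notice?t=a1f9 HTTP/1.1" 200 1432
203.0.113.5 - - [10/Mar/2022:09:14:02 +0000] "GET /static/logo.png HTTP/1.1" 200 812
198.51.100.9 - - [10/Mar/2022:09:20:45 +0000] "GET /notice?t=b7c2 HTTP/1.1" 404 196
203.0.113.5 - - [10/Mar/2022:11:02:10 +0000] "GET /notice?t=a1f9 HTTP/1.1" 200 1432
192.0.2.44 - - [10/Mar/2022:13:41:33 +0000] "GET /notice?t=zzzz HTTP/1.1" 200 1432
"""

# Constructed token-to-recipient table and the staff who reported the email.
TOKENS = {"a1f9": "june.smith", "b7c2": "raj.patel", "c3d4": "ana.lopez", "d5e6": "li.wei"}
REPORTED = {"ana.lopez", "raj.patel"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_clicks(log_text, tokens):
    """Return ({recipient: [(timestamp, ip, status), ...]}, [(unknown_token, ip), ...]).
    Unknown tokens are kept separately: they may be scanners or forwarded links."""
    clicks, unknown = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        tm = re.search(r"[?&]t=([A-Za-z0-9]+)", m["path"])
        if not tm:
            continue  # static assets and other requests are not click evidence
        token = tm.group(1)
        if token in tokens:
            clicks.setdefault(tokens[token], []).append((m["ts"], m["ip"], int(m["status"])))
        else:
            unknown.append((token, m["ip"]))
    return clicks, unknown

def campaign_metrics(clicks, tokens, reported):
    """Summarise the campaign: who clicked, who reported, and who did neither."""
    recipients = set(tokens.values())
    clicked = set(clicks)
    reported = reported & recipients
    return {
        "sent": len(recipients),
        "clicked": len(clicked),
        "click_rate": round(len(clicked) / len(recipients), 2),
        "reported": len(reported),
        "report_rate": round(len(reported) / len(recipients), 2),
        "clicked_then_reported": len(clicked & reported),
        "not_clicked_not_reported": sorted(recipients - clicked - reported),
    }
```

The "not clicked, not reported" list is the group that gives no data either way, which is worth remembering when judging how effective a campaign was.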
Planning is the key to a successful phishing simulation. Better preparation will lead to more useful final data and more reliable conclusions. Kindus will provide advice and support to ensure that the campaign is beneficial to employees and security staff alike with minimal disruption to normal working practice.