As part of cyber security awareness training, many organisations have their IT department simulate phishing emails via a third party service, to educate users and to report on who is more likely to click on a phishing email. Some of these third party phishing services, such as Gophish and Duo Security, are even free, and yet I have a policy of not phishing my own staff. Let me explain why.
The reason is that for the past 5 years I have been encouraging all my colleagues to forward suspicious emails they receive to the IT department, or to contact IT if they are unsure about the validity of an email. This feeds into the quarterly cyber security group training sessions, so that the training is based on actual ‘real world’ phishing emails we have received, and it allows us to update and tweak the email filters as part of a continuous improvement cycle. Most of the phishing emails that make it past the email filters arrive via compromised business email accounts of our third party suppliers (or even clients), trying to get us to enter Microsoft Office 365 credentials into a bogus file sharing service, or to download a malicious payload. They come from people we work with and the signature is genuine; only the payload and body text are fake.
The criminals are even going through historic emails in the compromised accounts, replying to or forwarding old emails about projects from a year ago, so the subject line is plausible and even the main text can be in context. There may not be anything malicious or untoward in the first message at all; that is saved for the follow-up email, after a certain amount of trust has been built up. They may even include an explanation of the change of file sharing system, so that suspicions are reduced, along with other topical banter. Legitimate file sharing services are used too, as one hop in the chain to fool the email filters.
So my colleagues have been taught to question everything, including changes in how people greet them in an email and in the normal way they expect to share files with that individual or company. Why is a small document compressed into a zip file and then sent via a file transfer service? Filling their inboxes with simulated phishing emails would erode the trust I have built up over time and may stop them from forwarding the genuine phishing emails. It’s a bit like having too many fire alarm drills: over time people just assume it’s not real every time they hear it. I don’t want that to happen with phishing emails, where they stop telling us about them and maybe just follow the links, because they think it is only a drill, and end up on an exploit landing page. Trust takes a long time to build, and my staff trust me to help keep them safe, so in return I won’t phish them.
It also helps to have a robust web filtering system like Censornet, which, in addition to all the usual blocking of malware and suspicious web traffic, acts like a huge ‘allow list’ of web domains. Any web domain less than 24 hours old that the service has not seen before is automatically denied, which covers pretty much all fake phishing links, as they are often created only hours beforehand. Layered defences are key, and in turn they allow me to not phish my own staff.
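As an added illustration (not the post's own code, nor Censornet's), here is a Python sketch of the ‘deny any domain never seen or seen less than 24 hours ago’ rule described above, run over URLs pulled from a constructed email body; the first-seen table, the hostnames and the timestamp are made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MIN_DOMAIN_AGE = timedelta(hours=24)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for the filtering service's history of domains it has
# observed; hosts and dates are made up for this example.
SAMPLE_FIRST_SEEN = {
    "sharepoint.com": datetime(2018, 1, 1, tzinfo=timezone.utc),
    "supplier-example.co.uk": datetime(2019, 6, 1, tzinfo=timezone.utc),
}
SAMPLE_NOW = datetime(2020, 3, 2, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def hostname_of(url):
    """Lower-cased hostname of a URL, or None if it has none (e.g. mailto:)."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None

def check_url(url, now, first_seen):
    """Allow only hosts whose domain was first seen at least 24 hours ago.

    Returns (decision, reason). A never-seen host is recorded in first_seen
    with the current time, so its 24-hour quarantine runs from first sighting.
    """
    host = hostname_of(url)
    if host is None:
        return "deny", "no hostname"
    labels = host.split(".")
    # Walk up the labels so contoso.sharepoint.com inherits sharepoint.com's age.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in first_seen:
            age = now - first_seen[candidate]
            hours = int(age.total_seconds() // 3600)
            if age >= MIN_DOMAIN_AGE:
                return "allow", f"{candidate} first seen {hours}h ago"
            return "deny", f"{candidate} first seen only {hours}h ago"
    first_seen[host] = now
    return "deny", f"{host} never seen before"

def scan_body(body, now, first_seen):
    """Check every URL in an email body; returns a list of (url, decision, reason)."""
    return [(u,) + check_url(u, now, first_seen) for u in URL_RE.findall(body)]

if __name__ == "__main__":
    # Constructed body in the style the post describes: a reply to an old thread
    # that quietly introduces a "new" file sharing link next to a genuine one.
    body = ("Following on from last year's Phase 2 works, we now use\n"
            "https://secure-docs-0365.example/share/abc instead of\n"
            "https://contoso.sharepoint.com/sites/phase2 for documents.\n")
    for url, decision, reason in scan_body(body, SAMPLE_NOW, dict(SAMPLE_FIRST_SEEN)):
        print(f"{decision:5} {url}  ({reason})")
```

As the post notes, a genuine file sharing service used as a hop in the chain passes this age check, which is why the rule complements, rather than replaces, staff reporting suspicious emails.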