One of the givens about working at Twitter is that employees regularly receive fake phishing emails to test their security awareness. The same is true for the 800 employees of Pinnacle Financial Partners, a financial services firm in Nashville, Tenn. Ditto for countless government workers in the U.S.’s military and intelligence agencies, where a staffer’s failure to detect a fake phishing attack might lead to their being publicly singled out in an agency-wide email.
The CIOs of these organizations take phishing seriously because they know that malware-laden emails are a continuous and potentially costly threat.
- Ninety percent of organizations have experienced a phishing attack within the last 12 months, according to a 2016 study of 88 U.S. and U.K. companies by Vanson Bourne.
- Phishing emails accounted for 38 percent of the cyberattacks against these organizations.
- The average cost of a successful phishing assault was $1.6 million.
On the rise
The popularity of phishing as a data-breach tool for cybercriminals, nation-states, and various species of hackers shows no evidence of slowing down. According to CYREN’s 2016 Cyberthreat Report, the number of phishing email URLs increased by 55 percent from the first quarter of 2014 to the first quarter of 2015.
While fake-phish-your-employee programs can improve employees’ security awareness and knowledge and reduce the success rate of phishing attempts, they are an imperfect solution. After all, as many security experts can attest, employees still fall prey to phishing attacks, sometimes within mere hours of attending a training session.
This state of affairs might improve significantly, thanks to Arun Vishwanath, a professor of communication at the University of Buffalo, who has developed a first-ever, data-based model that examines why a person falls victim to a phishing email.
Vishwanath’s model enables a CIO to provide personalized training to an employee, based on her or his specific weaknesses. Moreover, it lets a CIO create risk-based indexes of every employee and department, so if Harold in human resources is a repeat offender who clicks on every email attachment that comes his way, a CIO can proactively limit Harold’s email access and privileges.
Uncovering weak links
Today, CIOs who want to uncover the weak links among their employees can hire outfits like PhishMe, KnowBe4, and Wombat Security, each of which provides fake phishing services for a fee. For those CIOs who lack the financial clout of an organization like Twitter or prefer the DIY route, there are plenty of open source programs. Security blogger Brian Krebs test-drove the Simple Phishing Toolkit, for example, and created a Gmail-based phishing campaign—including a fake website and phishing lures—in less than five minutes.
Why people can be SCAMmed
Arun Vishwanath first became interested in individuals like Harold in human resources when his employer, the University of Buffalo, was the victim of a phishing attack in 2008. Vishwanath’s research led him to develop the Suspicion, Cognition and Automaticity Model (SCAM), which accounts for the reasons why people fall prey to phishing emails. SCAM examines a person’s behavior based on four criteria: their habits, their risk beliefs, and two ways of processing information.
A user’s risk beliefs, for example, are a measure of whether a person believes online activity has inherent risks. Risk beliefs stem from a user’s previous experience, exposure, and knowledge. A soldier who clicked on the malware-infested link in an email with the subject line “Girls of the Israel defense forces,” for instance, tends to possess stronger risk beliefs as a result of the experience.
Thanks to SCAM, a CIO will be able to develop personalized training that addresses a worker’s specific weakness (e.g., the faulty belief that Microsoft Word attachments are safer than Adobe PDF attachments). Vishwanath’s model also helps a CIO develop risk indexes for employees and departments, so if Harold in human resources keeps playing the role of a repeat offender, his CIO can take appropriate security measures, such as limiting Harold’s email privileges, as opposed to shaming him in a mass email.