There’s a famous saying “give a man a phish, and he’ll be able to recognize one phishing email. Teach a man to phish, and he’ll be able to avoid phishing emails for the rest of his life.” Or something like that.
Typical security awareness training involves showing examples of phishing emails and testing staff by sending fake phishing emails to the inbox (giving out some phish, if you will). To be fair, this has proven to be mostly effective. However, there is a unique opportunity to really impact your employees by showing them how phishing works from the bad guys point of view.
Phishing, it turns out, is incredibly easy for attackers. There are how-to videos on YouTube and free, open source tools available for anybody to download on the Internet! The cost to begin phishing is zero, virtually no technical knowledge is needed, and wannabe bad guys only need to invest a small amount of time to get started.
Anatomy of a Phishing Attack.
Phishing attacks are easy for attackers because they are ultimately very simple to set up and operate. The basic steps of an example attack go like this:
1. The bad guy creates a fake login page. These can be generated using a phishing toolkit (more on those later).
2. The bad guy creates and sends phishing emails. Like phishing toolkits, there are a number of programs that provide this function and create scarily accurate looking emails. Some programs can do both steps 1 and 2.
There are many variations on the basic phishing attacks. Sometimes the attackers will send malware disguised as something innocuous, like a Word document (“Can you help me with this report?”), or attackers will target someone in accounts payable with fake statements to fool them into wire transfers. Even with the variations, most phishing attacks only require a computer and one or two pieces of software to work.
To see what this looks like in action (with a few bits removed so it’s not a complete step by step guide), you can check out this video from NetworkChuck on YouTube. He makes it simple, easy to understand, and entertaining as he “hacks” a pug named Bernard Hackwell. It really shows just how easy it is for anyone to send a basic phishing email.
VIDEO
While NetworkChuck’s email is super basic, the ones you’re likely to see in the field will not be. Below is a real phishing email, meant to look like an official request from DHL. This sort of sophistication is becoming more common as hackers try to fool even well-trained employees into clicking!
Image via Cofense
The Readily-Available DIY Phishing Kits, Starting at $0.
Now you might believe that the scary technology is only available through seedy Internet forums and the dark web, but you’d be wrong.
It’s available freely on GitHub! You know, the biggest software development website in the world?
A cursory search of “GitHub phishing” yields eight different phishing tools on the first page of Google. This doesn’t include the tool used by NetworkChuck in the video listed above – or the many many others out there. There are over 4,600 repositories on GitHub tagged as “phishing.”
Many of these tools, like GoPhish, have YouTube videos created to accompany them to show how they work. With a little bit of guidance, anybody can download a phishing kit, watch a video, and make a basic attack.
And by the way, you weren’t actually wrong about phishing software on the dark web. It’s out there.
There’s a whole market around creating and selling DIY phishing kits on dark web commerce sites. There are sellers claiming to offer entry-level no-experience DIY phishing kits for as little as $1. The market caters to attackers with deeper pockets too – specialized kits can go for as much as $880 (in 2019). Many of these include tutorials that can be setup in less than an hour without any previous hacking or technical knowledge whatsoever.
Teaching your employees to phish.
While the easiness of phishing is bad news in the “number of phishing emails sent” department, it does mean that it’s pretty easy for anybody to take a peek behind the curtain and learn how the attacks work. This can be put to good use within your cybersecurity training program.
While it’s no substitute for traditional cybersecurity awareness training (which has proven to be very effective), teaching employees how these social engineering attacks work behind the scenes may improve their ability to recognize the spam and increase how seriously they take the matter.
Does it work? Well, there’s no scientific data going one way or another, but it is something that has been incorporated into cybersecurity awareness programs before. Freaky Clown (yes, that’s what he actually goes by), the co-CEO of Cygenta, a UK-based cybersecurity firm, has found success with the tactic.
“If I get on stage and I perform a spear phishing attack or any kind of hack, I’ve already introduced myself as a hacker. I’ve been doing it for many years, I’ve got loads of skills. If I get up and do a thing, then everyone’s like well yeah, he’s a hacker; he’s gonna do that, right? But if we get someone up from the audience and we talk them through how to do the procedures, even if it’s something simple like a spear phishing attack using the SE toolkit, then it becomes really more impactful for them and for the audience because the audience is like OH MY GOD, this person who has never done this before is able to put in all of these commands and then take over this network like, really easily, in like, TWENTY MINUTES. How easy is it for someone with actual skills? It becomes a lot more impactful when you see someone who doesn’t have those skills originally. It doesn’t take a lot to really show someone how easy it is to do.”
Freaky Clown, aka FC, Co-CEO of Cygenta Ltd.
You could take Freaky Clown’s methodology and apply it to your own company.
Arrange a similar presentation for your company, have your own cybersecurity team snag a GitHub phishing kit and put together a presentation, or you can simply send out a (legitimate) email with a video like the one embedded above. An entertaining video or presentation can improve employee engagement and retention of the information.
Any of these approaches could be a unique and valuable addition to the phishing training basics of “how to spot a phishing email.” With a prepared presentation, someone from your company that has no previous hacking experience could do this in as little as 20 minutes! This can really drive home just how dangerous the inbox really is. If security awareness training doesn’t seem to be sticking with some employees, seeing just how easy and cheap phishing kits are to set up may change some previously uninterested minds.
And once they’ve been shown how to phish, they will hopefully be even better at catching phishing emails.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.