Phishing attacks, especially through email, are becoming a huge problem, with cybercriminals increasingly using “disguised” emails as their preferred entry point into an organisation. Thwarting the threat, however, isn’t quite straightforward because:
1. Email-borne threats are becoming more sophisticated and phishing emails are designed to evade traditional email security solutions.
2. Phishing goes after what’s believed to be the weakest link in the cybersecurity chain: humans. You can have the strongest cyber defence system in place, but if the cybercriminal is able to somehow trick the person that’s sitting inside the security perimeter, then they have free rein to do as they please.
Besides educating users on the dangers of phishing and how to avoid getting tricked, phishing simulation is a very effective method that many businesses are now employing to instil better user security awareness.
It is basically a phishing test where deceptive emails, similar to ones that actual cybercriminals would produce, are sent by a company to its own employees to gauge their response to phishing and similar email attacks. After all, what better way for someone to truly understand what a phishing attack would entail, other than experiencing it first-hand?
Moreover, phishing simulation is a methodical way to gauge staff compliance and measure their progress as time goes on, when run regularly. You can see it as a form of fire drill for the digital era.
AOPG Put Through the Phishing Test
Last month, AOPG (our parent company) management decided to put employees through the phishing test by using PhishLine, Barracuda’s platform for social engineering simulation and training, to covertly run a phishing simulation on our team!
Three types of emails were sent to AOPG employees, each chosen for what attackers would deem to have the highest chance of clickthrough. For the editorial team, it was an email informing us about a press award nomination. Concurrently, those in our requirement investigation and marketing unit were baited with “cold calling tips”, while HR received a rather convincing parcel information email from Poslaju.
The objective was to get people to trust that the email is legitimate and then click an embedded link.
This form of highly personalised phishing is known as ‘spear phishing’. PhishLine had the advantage of having a ‘mole’ (in the form of our boss!) who knows the company and employees well enough to provide the right information for a potentially potent phishing campaign.
In real-world attacks, the mole could be someone who works for or with the organisation, someone with physical access to the company, or even a former employee. Nevertheless, in the age of ubiquitous online and social media presence, even without insider information, an adversary could just as easily scour the internet for information on the target organisation and its staff and phish them just as effectively.
Now for the result of the phishing simulation: Out of 19 emails sent to AOPG staff, seven clicked on the “fraudulent” link that was embedded in their personalised email.
All It Takes Is Just One Wrong Click
When interrogated (actually, we asked nicely), most of the employees who clicked on the link said they either had no suspicions at all about the legitimacy of the emails, or they had some doubts but clicked the link anyway. Some missed the email completely and were not aware that a test had taken place.
Interestingly, we noticed that a higher number of users clicked on the award nomination and Poslaju parcel notification than the “cold calling tips” emails. This probably explains why phishers are trying ever so hard to find the right hook for their would-be victims and getting the “bait” right would almost certainly give them a much higher chance of success.
Regardless, a click-rate of just over 35% (that’s one in three employees) in our case is actually quite risky because, if you think about it, all it takes is just one wrong click by one employee, which could lead to fraud, a data breach or huge monetary and reputational losses for the whole organisation.
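The article reports an overall click-rate (7 of 19), compares the three lures against each other, notes that some staff never saw the email at all, and recommends re-running the drill to measure progress over time. The following Python is an added example, not code from the article or from PhishLine, of how a security team can turn raw simulation results into exactly those metrics. The 19 recipients, their departments and their outcomes are constructed to mirror the numbers in the article; the names and the per-person outcomes are invented.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SimResult:
    """Outcome of one simulated phishing email sent to one employee."""
    user: str
    department: str
    template: str   # which lure this person received
    opened: bool    # the email was read at all
    clicked: bool   # the embedded link was followed


# Constructed sample campaign: 19 recipients, three lures, seven clicks.
# Names, departments and individual outcomes are invented for this example.
SAMPLE: List[SimResult] = [
    SimResult("alice", "editorial", "award_nomination", True, True),
    SimResult("bob", "editorial", "award_nomination", True, True),
    SimResult("carol", "editorial", "award_nomination", True, True),
    SimResult("dan", "editorial", "award_nomination", True, False),
    SimResult("eve", "editorial", "award_nomination", False, False),
    SimResult("frank", "editorial", "award_nomination", True, False),
    SimResult("gina", "sales_marketing", "cold_calling_tips", True, False),
    SimResult("hal", "sales_marketing", "cold_calling_tips", True, True),
    SimResult("ivy", "sales_marketing", "cold_calling_tips", False, False),
    SimResult("jay", "sales_marketing", "cold_calling_tips", True, False),
    SimResult("kim", "sales_marketing", "cold_calling_tips", True, False),
    SimResult("lee", "sales_marketing", "cold_calling_tips", False, False),
    SimResult("max", "sales_marketing", "cold_calling_tips", True, True),
    SimResult("nia", "sales_marketing", "cold_calling_tips", True, False),
    SimResult("omar", "sales_marketing", "cold_calling_tips", True, False),
    SimResult("pat", "hr", "parcel_notification", True, True),
    SimResult("quinn", "hr", "parcel_notification", True, True),
    SimResult("ray", "hr", "parcel_notification", True, False),
    SimResult("sam", "hr", "parcel_notification", False, False),
]


def click_rate(results: Iterable[SimResult]) -> float:
    """Fraction of recipients who followed the link (0.0 for an empty campaign)."""
    results = list(results)
    if not results:
        return 0.0
    return sum(r.clicked for r in results) / len(results)


def rate_by(results: Iterable[SimResult],
            key: Callable[[SimResult], str]) -> Dict[str, Tuple[int, int, float]]:
    """Group results by `key` and return (clicked, sent, click_rate) per group."""
    groups: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return {k: (sum(r.clicked for r in v), len(v), click_rate(v))
            for k, v in groups.items()}


def summarize(results: Iterable[SimResult]) -> dict:
    """Campaign-level view: overall rate, which lure worked best, who never saw it."""
    results = list(results)
    return {
        "sent": len(results),
        "clicked": sum(r.clicked for r in results),
        "click_rate": click_rate(results),
        "missed": sum(not r.opened for r in results),   # never opened the email
        "by_template": rate_by(results, lambda r: r.template),
        "by_department": rate_by(results, lambda r: r.department),
        # One click is enough to expose the organisation, so record it as a flag too.
        "anyone_clicked": any(r.clicked for r in results),
    }


def trend(campaigns: List[List[SimResult]]) -> List[float]:
    """Click rate per campaign, oldest first, for tracking progress across drills."""
    return [click_rate(c) for c in campaigns]


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"sent={report['sent']} clicked={report['clicked']} "
          f"rate={report['click_rate']:.1%} missed={report['missed']}")
    for template, (clicked, sent, rate) in report["by_template"].items():
        print(f"  {template:20s} {clicked}/{sent} ({rate:.0%})")
```

The per-template table is the figure worth watching between drills: a lure that keeps winning tells you where the next round of training should focus, and `trend()` over successive campaigns is the progress measure the article describes.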
We asked Barracuda to comment on this matter and James Forbes-May, the company's Vice President of Sales, APAC, said that once you click on a phishing link, you are in the domain of a cybercriminal.
“The fact you clicked the link means they have, to a greater or lesser extent, fooled you into trusting them, hence you are more likely to enter password credentials into their fake pages. Depending on how advanced their technology is, just spending time on their page can be dangerous. They could track your activity on their page to better understand your interests or online behaviour and better target you in the future, through to finding ways to download malicious files to the device from which you are browsing,” he explained.
James also listed other potential risks of clicking an unknown link, adding that in most cases of targeted attacks, the following steps are most likely to happen:
1. It gives the attacker the opportunity to understand the victim’s environment.
2. It potentially leads to targeted attacks that weaponise vulnerabilities in the environment to disseminate malware or exploits, usually through a drive-by download approach.
3. It may lead to credential harvesting, which is one method attackers can use to gain access to the infrastructure and systems.
Through phishing emails, adversaries have over the years managed to trick unsuspecting victims into revealing sensitive information, such as login credentials or financial information, or even transferring large amounts of money.
However, in order to work, phishing usually requires human interaction, such as clicking a link, downloading and installing software, or opening an attachment – which is why having such a simulation that focuses on the people is crucial.
Social Desirability Bias
What happens when an employee clicks on a link in a simulated phishing email? Instead of getting exposed to something nasty, they get diverted to a micro training page that explains what just happened, what phishing is and what the dangers are. According to PhishLine, this kind of quick-dose, immediate training is very effective.
When I spoke with my colleague Aron Raj, he agreed. Having clicked on the link, he explained that his first reaction was shock and concern that he had clicked on a bad link. Then, as he read the page and saw the personalised educational content, he calmed down and realised that it had been a training and education exercise. Aron confirmed that this approach had an immediate impact and has certainly raised his own level of alertness as to what might be coming into his inbox.
For AOPG, even though most of the employees have heard of online scams, phishing was a term that not everyone was familiar with. The simple-to-understand cautionary advice and information on the micro training page, which included a short training video on phishing, certainly helped them become wiser to the workings of this harmful and deceptive threat.
One fault that people have pointed out about running a phishing simulation for all employees on the same day and at the same time is that it could lead to something called social desirability bias.
Unless specifically warned not to beforehand (which would defeat the purpose of a surprise digital “fire drill”), it isn’t uncommon for the first few employees that discover the simulation email to alert others about it. If people already know that a test is underway, then it would certainly affect the effectiveness and legitimacy of the whole exercise.
While it did not happen to AOPG as a whole, a couple of employees were alerted about the emails by an earlier “victim”.
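The tip-off problem above is a scheduling problem: when every mailbox receives the lure at the same minute, the first person to spot it can warn the whole office before anyone else has opened theirs. The Python below is an added example, not part of the article or of PhishLine, that spreads a campaign across several business days, interleaving departments so colleagues who sit together are not hit in the same hour, and then measures the worst-case size of the group one early “victim” could tip off within a given window. The roster is constructed; the two-hour window and the 9-to-17 sending hours are assumptions a team would tune to its own working day.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def business_slots(start: datetime, business_days: int,
                   first_hour: int = 9, last_hour: int = 17) -> List[datetime]:
    """Hourly send slots on consecutive weekdays, starting on `start`'s date."""
    slots: List[datetime] = []
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    days_added = 0
    while days_added < business_days:
        if day.weekday() < 5:  # Monday..Friday only
            for hour in range(first_hour, last_hour):
                slots.append(day.replace(hour=hour))
            days_added += 1
        day += timedelta(days=1)
    return slots


def staggered_schedule(recipients: Dict[str, str], start: datetime,
                       business_days: int, seed: int = 0) -> Dict[str, datetime]:
    """Map each recipient (user -> department) to a send time.

    Departments are interleaved round-robin and the resulting order is spread
    evenly over the available slots, with random minute jitter inside each slot.
    """
    rng = random.Random(seed)  # fixed seed keeps the plan reproducible for audit
    slots = business_slots(start, business_days)
    by_dept: Dict[str, List[str]] = defaultdict(list)
    for user, dept in recipients.items():
        by_dept[dept].append(user)
    for users in by_dept.values():
        rng.shuffle(users)
    # Take one person from each department in turn so no department goes first as a block.
    order: List[str] = []
    queues = list(by_dept.values())
    while any(queues):
        for q in queues:
            if q:
                order.append(q.pop())
    stride = max(1, len(slots) // max(1, len(order)))
    schedule: Dict[str, datetime] = {}
    for i, user in enumerate(order):
        slot = slots[(i * stride) % len(slots)]
        schedule[user] = slot + timedelta(minutes=rng.randrange(0, 60))
    return schedule


def max_colleagues_in_window(schedule: Dict[str, datetime], recipients: Dict[str, str],
                             window: timedelta = timedelta(hours=2)) -> int:
    """Largest number of same-department recipients whose sends fall within `window`.

    This is the size of the group a single early clicker could warn in time.
    """
    worst = 0
    times_by_dept: Dict[str, List[datetime]] = defaultdict(list)
    for user, when in schedule.items():
        times_by_dept[recipients[user]].append(when)
    for times in times_by_dept.values():
        times.sort()
        for i, t0 in enumerate(times):
            worst = max(worst, sum(1 for t in times[i:] if t - t0 <= window))
    return worst


# Constructed roster: 19 staff across three departments (names invented).
ROSTER: Dict[str, str] = {
    **{u: "editorial" for u in ["alice", "bob", "carol", "dan", "eve", "frank"]},
    **{u: "sales_marketing" for u in ["gina", "hal", "ivy", "jay", "kim",
                                       "lee", "max", "nia", "omar"]},
    **{u: "hr" for u in ["pat", "quinn", "ray", "sam"]},
}


def all_at_once(recipients: Dict[str, str], when: datetime) -> Dict[str, datetime]:
    """The baseline the article describes: everyone receives the lure at the same time."""
    return {user: when for user in recipients}


if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 9, 0)
    print("same minute :", max_colleagues_in_window(all_at_once(ROSTER, monday), ROSTER))
    plan = staggered_schedule(ROSTER, monday, business_days=3)
    print("staggered   :", max_colleagues_in_window(plan, ROSTER))
```

Compare the two numbers: with a simultaneous send the largest department is entirely exposed to one warning, whereas the staggered plan caps the group at the handful of people whose slots happen to be adjacent. The trade-off is that a multi-day campaign is harder to keep quiet overall, so the window and the number of days are worth choosing deliberately rather than maximising.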
But overall, the simulation has indeed given the staff greater awareness of the threats that could be lurking within the emails that they receive every day and kept them on their toes. All agreed that they would now be more wary and vigilant when it comes to opening strange emails and clicking unknown links.