Against phishing: How companies can raise awareness among their teams
Companies, authorities and institutions are increasingly confronted with cyber attacks. One gateway is phishing emails that feign a relationship of trust with the recipient. A link is quickly clicked, ransomware or other malware is downloaded unknowingly - the damage can be immense.
The number of cyber attacks is on the rise: Companies, authorities and municipalities are affected, but also healthcare facilities such as hospitals. And reports of successful attacks are increasing in Switzerland: just recently, the ICRC was hit by a cyberattack, and companies such as Stadler Rail, Comparis, Griesser Storen and even the municipality of Rolle in Vaud have also been attacked. In Germany, the MediaMarkt electronics retail chain was affected by an extortion attempt with ransomware in November 2021; servers and systems were compromised, which significantly disrupted operations in stores. According to a company spokesperson, the attack was targeted. In 2020, the Uniklinik Düsseldorf and Funke Mediengruppe were victims: in the case of the latter, a phishing email served as the gateway for a ransomware attack. In such an attack, ransomware acts like an "encryption Trojan": it encrypts data so that the user can no longer access it and only releases it again against payment of a ransom. Since phishing exploits human weaknesses, it is very difficult to prevent with technical solutions alone.
A form of social engineering
Phishing is a so-called social engineering attack: it exploits the weaknesses and guilelessness of people. Phishing e-mails create a false sense of confidentiality in the recipient or put him or her under pressure. This entices them to click on a link, initiate a process or disclose confidential information. Three types of phishing can be distinguished:
- In the case of CEO fraud, the attackers pretend to hold a high position within the attacked company in order to inspire trust and to use the authority of the hierarchy and the threat of consequences to entice their victim to transfer a large sum of money, for example. The attackers often take a targeted approach and invest a great deal of time in selecting the company and the appropriate recipients. They often have a foot in the door and know how communication works in the target company.
- The same applies to the spear phishing variant: these mails are specifically tailored to the victim or to a certain victim group. The individualization makes it very difficult to recognize such a mail as phishing. Spear phishing is often the initial attack vector for introducing malware into a company.
- Classic phishing often aims to obtain victims' access data to systems and services. However, these e-mails are not tailored to individuals or groups of individuals, but are sent to a large number of recipients. It may also happen that a recipient does not even use the service addressed in the mail.
Phishing is a constant threat
The danger should not be underestimated, as phishing emails are written with sophistication. They no longer necessarily feature strange and dubious sender addresses or spelling and grammatical errors. In addition, the range of addressees is extremely broad: All employees who communicate with external parties via email are potential victims. Companies are usually affected by CEO fraud or spear phishing and thus by targeted campaigns. It turns out that phishing attempts are particularly frequent among those addressees whose names and email addresses are publicly listed, for example on the company website - usually, they have less pronounced expertise on the subject of malware than members of IT departments. As a result, it is often precisely those employees who are less sensitized to malware who are targeted by attackers. This makes it more likely that they will click on a link or download a contaminated attachment.
The danger for private individuals is that personal and sensitive data is siphoned off. Malware can also be introduced via phishing e-mails, so that the attacker secures permanent system access unnoticed. The attacker then moves invisibly in the network and thus obtains the sensitive data.
In companies, phishing emails are frequent gateways for malware such as ransomware. The attackers can gain control of computers, steal victims' identities and use them to launch further attacks. Stolen sensitive data can also be used to extort a ransom from the victim. These attacks are very costly for companies: they result in long IT outages, hinder or prevent business, and damage reputations. If malware has been introduced, industrial espionage can also take place via phishing.
Prevent phishing with simulations
Since phishing is a psychological weapon and targets human behavior, it is difficult to defend against it on a technological level: Spam filters recognize the emails poorly, so they usually reach the intended recipient. Some gateways can be closed by process design: a human resources department, for example, can accept applications via a portal instead of by e-mail.
One effective way to defend against phishing is therefore to train employees and raise their awareness. Simulations and regular campaigns can be used to raise awareness, e.g., of possible entry points, and thus minimize the risk of an attack.
Employees are specifically confronted with the danger of phishing under real, but controlled conditions. Simulations of spear phishing, for example, familiarize them with the attackers' tricks without causing any damage. In such a campaign, phishing e-mails are sent out in a company over several hours or days, to all or to individual persons, groups of persons or departments. The company decides whether or not the employees are informed of this or of the duration.
If a recipient now opens one of the campaign mails or even clicks on the link, their behavior is stored anonymously in a database. This is made possible by user-specific links in the mails. A permanent evaluation is carried out over the agreed campaign period, and the results are summarized and processed at the end. This makes it possible to identify which areas or departments are particularly susceptible to phishing e-mails. Countermeasures can then be taken with training and education.
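The tracking mechanism described above (user-specific links, pseudonymous storage, evaluation per department) can be sketched as follows. This is an added example, not code from the original article or from SECUINFRA; the roster, the campaign secret, the training host name and the event list are constructed assumptions. Each recipient gets a token derived from an HMAC over their address under a campaign-specific key, the database keeps only the token and the department, and the evaluation counts each person at most once per action while ignoring tokens that were never issued.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed roster for the example: recipient address -> department.
ROSTER = {
    "alice@example.test": "Finance",
    "bob@example.test": "Finance",
    "carol@example.test": "HR",
    "dave@example.test": "IT",
}

# Constructed campaign-specific key (assumption); a real campaign would draw
# a fresh random key per campaign and discard it afterwards.
CAMPAIGN_SECRET = b"constructed-campaign-secret"


def make_tracking_token(campaign_secret: bytes, address: str) -> str:
    """Per-recipient link token. An HMAC keeps the token unguessable and,
    without the campaign key, not reversible to the address."""
    mac = hmac.new(campaign_secret, address.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_campaign(campaign_secret: bytes, roster: dict) -> tuple[dict, dict]:
    """Returns (token -> department) for the results database and
    (address -> link) used only for sending the campaign mails."""
    token_to_dept = {}
    links = {}
    for address, dept in roster.items():
        token = make_tracking_token(campaign_secret, address)
        token_to_dept[token] = dept
        # Assumed training host name; the path carries only the token.
        links[address] = f"https://training.example.test/c/{token}"
    return token_to_dept, links


def evaluate(token_to_dept: dict, events: list) -> dict:
    """events: list of (token, action), action in {"opened", "clicked"}.
    Aggregates per department without ever storing who the token belongs to."""
    stats = defaultdict(lambda: {"recipients": 0, "opened": 0, "clicked": 0})
    for dept in token_to_dept.values():
        stats[dept]["recipients"] += 1
    seen = set()
    for token, action in events:
        dept = token_to_dept.get(token)
        if dept is None or action not in ("opened", "clicked"):
            continue  # unknown token (e.g. a guessed URL) or unknown action
        if (token, action) in seen:
            continue  # one person opening or clicking twice counts once
        seen.add((token, action))
        stats[dept][action] += 1
    return dict(stats)


def click_rate(stats: dict) -> dict:
    """Share of recipients per department who clicked the campaign link."""
    return {d: round(s["clicked"] / s["recipients"], 2) for d, s in stats.items()}


if __name__ == "__main__":
    db, links = build_campaign(CAMPAIGN_SECRET, ROSTER)
    # Constructed click log for the example run.
    log = [
        (make_tracking_token(CAMPAIGN_SECRET, "alice@example.test"), "opened"),
        (make_tracking_token(CAMPAIGN_SECRET, "alice@example.test"), "clicked"),
        (make_tracking_token(CAMPAIGN_SECRET, "bob@example.test"), "opened"),
        (make_tracking_token(CAMPAIGN_SECRET, "carol@example.test"), "clicked"),
        ("0000000000000000000000000000dead", "clicked"),
    ]
    for dept, rate in click_rate(evaluate(db, log)).items():
        print(f"{dept}: {rate:.0%} clicked")
```

The address-to-link table exists only while the mails are sent; the results database holds the token-to-department mapping, which is enough to produce the per-department picture the text describes without naming individuals.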
Communication is key here: It is not about assigning blame, but it must be clear that the simulations are used to build up know-how and that it is a learning scenario. It is also possible to educate employees about the phishing simulation directly after they click on a link, or to keep them in the dark for the time being. The latter is a good idea, as otherwise it is easy for word to get around in companies that a simulation is underway, which can distort the results.
Promoting skepticism and awareness with training
Follow-up training can establish processes to raise awareness and maintain skepticism. Sometimes the name of the boss in an email is enough to prompt immediate action - even without thinking. Employees are therefore given criteria that make it easier to recognize whether an e-mail is genuine, for example whether the sender's name and provider match. But it is also important to establish a culture of skepticism, i.e., to ask questions, even if an e-mail from a supposed superior is accompanied by an immediate request for action.
It makes sense for employees to take part in a phishing simulation at regular intervals, for example once a quarter or every six months, depending on the company, in order to achieve the greatest effect, keep the training level high and develop a gut feeling for phishing emails. In doing so, the breadth of each campaign can vary, and specific gateways can be trained again directly with tailored campaigns.
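The "does the sender's name match the provider" criterion from the training section can be turned into a small header check that a mail client plug-in or a gateway rule could run. This is an added example, not code from the article or from SECUINFRA; the internal domain, the directory of known senders and the sample headers are constructed assumptions. It flags three of the patterns the text alludes to: a display name that carries a different address than the real sender, a display name matching a known internal person whose real address is elsewhere, and a sender domain that is a near-lookalike of the company's own.

```python
from email.utils import parseaddr

# Constructed company directory (assumptions for the example).
INTERNAL_DOMAINS = {"example.test"}
KNOWN_SENDERS = {"anna chef": "anna.chef@example.test"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as
    a digit 1 replacing an l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_from_header(from_header: str) -> list[str]:
    """Returns a list of findings; an empty list means nothing suspicious
    about the name/provider combination was detected."""
    name, address = parseaddr(from_header)
    name = name.strip()
    address = address.lower()
    domain = address.rsplit("@", 1)[1] if "@" in address else ""
    if not domain:
        return ["no parsable sender address"]
    findings = []
    # Pattern 1: display name shows an address that is not the real sender.
    if "@" in name and name.lower() != address:
        findings.append("display name contains a different address than the real sender")
    # Pattern 2: display name is a known colleague, but the address is not theirs.
    expected = KNOWN_SENDERS.get(name.lower())
    if expected and expected != address:
        findings.append(f"display name matches internal sender {expected} but address is {address}")
    # Pattern 3: external domain that is a near-copy of an internal one.
    if domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if _edit_distance(domain, internal) <= 2:
                findings.append(f"domain {domain} looks like internal domain {internal}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Anna Chef <anna.chef@example.test>",
        "Anna Chef <anna.chef@examp1e.test>",
        '"anna.chef@example.test" <someone@mail.test>',
    ):
        print(header, "->", inspect_from_header(header) or "ok")
```

A mismatch is a reason to pause and verify through a second channel, which is exactly the skeptical habit the training aims to build; the check deliberately reports findings rather than blocking, since legitimate mail from a colleague's private address would trip the second pattern as well.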
Conclusion
Threat scenarios from cyber attacks are expanding, and more and more companies are affected by ransomware attacks that hinder operations and cause immense costs. The gateway is often phishing emails, through which the attackers gain access to systems and sensitive data and can thus blackmail companies. This worst-case scenario can be prevented by raising employee awareness through targeted phishing simulations and training.
Authors:
Leon Hormel is Cyber Defense Consultant at SECUINFRA Falcon Team in Berlin, Tobias Messinger is Senior Cyber Defense Consultant there. https://www.secuinfra.com/de/news/digitale-bedrohung-phishing/