Author: Gary Hibberd
Date: 3rd June 2020
At the end of March 2020, Action Fraud reported that Coronavirus-related scams increased by 400% between 1st February and 18th March. This related to 105 cases which resulted in over £970,000 in losses.
These scams reported to Action Fraud were largely carried out using some form of phishing email. For those of us in the cybersecurity industry, this increase isn’t a surprise, and I believe the number is far higher than that which Action Fraud reported.
But if you’re the kind of Information Security specialist who says ‘This is an awareness issue, because users are the weakest link’, then you’re not going to enjoy this blog. Because people are actually the last line of defence, and chances are your awareness programme is the fault in the chain.
Allow me to explain.
I Love you
Over my 20-year career in cybersecurity and data protection, I have watched as we warn hundreds, perhaps thousands of people to be on the lookout for ‘dodgy-looking’ emails. The intent to trick millions of people into opening infected links goes back to the start of the internet, but many would argue that the first phishing email campaign was the ‘Love Bug’ email which spread on 4 May 2000.
All over the world millions of people began receiving emails with the subject line “ILOVEYOU”, which contained a mysterious attachment, and the following text in the body of the email:
“Kindly check the attached LOVELETTER coming from me.”
Curiosity killed the Chip
Approximately 45 million people couldn’t resist the urge to discover who their secret admirer was, so opened the attachment. Once they did, the virus (which was a Worm) would damage files on their machine, destroy image files and then access the victims’ address book to email itself out to all their contacts. Ouch!
This wasn’t carried out in order to gather money. It was done for ‘lulz’ (a joke). But what it demonstrated was that it was possible to get a program to replicate itself and infect millions of people, by using our emotions against us.
Of course it didn’t take long for the criminally minded to figure out that a tool as powerful as this could be monetised. After all, if just £1 could be obtained from each person infected by LoveBug, then it would be a £45 million windfall. Not bad when all you need is a computer nerd and a place to hide (the internet is a great place to hide if you know how).
Big Phish, Little Phish
20 years ago phishing was in its infancy, but today it is a multi-billion-pound business. The impact of scams and cyber breaches on the global economy is set to rise to $6 Trillion by 2021, just 6 months from now.
During COVID-19, Action Fraud has identified 150 different phishing email campaigns which are actively using the pandemic as leverage to trick people into clicking infected links and attachments. Alternatively, they are directing people to sites which are not legitimate and then extracting bank account information or other personal details which they can then use for other forms of fraud and theft.
I can almost guarantee that you, your family members, and your employees will have received a phishing email in the last five days. Some are easy to spot, and others are far harder.
What should we do?
Now, this is the point of the blog where you expect me to list a few things to look out for in relation to phishing emails (bad spelling, poor grammar etc.), or offer advice about ‘hovering your mouse over the sender’s name’, but I’m sorry to disappoint you. I’m not going to do that.
You can get that kind of information from the internet in about 5 seconds. In fact, that advice has been around since 2000, and it hasn’t improved things.
Why hasn’t our language or approach evolved? I believe some of us have, but as a profession, I am worried that our Information Security Awareness campaigns are too narrow, too IT-focused, and just plain boring(!) (Sorry).
Back in 2000, scammers already knew how to send an email that played into our curiosity, our need for validation and human connection. They understood how to push our buttons in order to get us to press theirs!
Cyber criminals are using psychology and knowledge of human behaviour against us, and they’ve been doing it for a long time. Scammers know that people want to leave the office on a Friday, on time, so that they can start their weekends. They know that people are often a little tired from the excesses of the weekend, on a Monday morning.
So phishing emails are often sent on a Friday afternoon with a message of “This must be completed today or else… [insert pressure point]”. Phishing emails are also often sent on a Monday morning with a similar call-to-action. The scammers know that we are distracted by an inbox that is full from the previous week, so we are more likely to scan-read the document and move on.
As Information Security specialists, we need to recognise that we can’t continue with the usual “Don’t click the link. Have a think!” type messages. We need to engage with our users and go further with our education.
Phish and Chips
Let’s be honest: security is no laughing matter. But that doesn’t mean it can’t be fun! It doesn’t mean you can’t be creative. In fact, I believe that is exactly what we need to do and be. Cyber criminals understand how to invoke emotion (anger, fear, lust, loathing, greed), so why don’t we? If we can inspire our teams by using a multi-layered approach to training and awareness, then we are turning them into advocates and supporters of security, rather than passive bystanders.
It’s impossible to go into all the things you should be doing now to raise your game in terms of security awareness. But if you’re one of those organisations that runs ‘awareness weeks’ a couple of times per annum, I can tell you now that you’re not doing enough. You’re barely ‘ticking a box’ if you’re doing this. So what should you be doing to combat all these phishing emails? Here’s my ‘to do’ list (most lists go to 10. Mine goes to 11):
1. Think of Security Training & Awareness as a campaign that is completed monthly
2. Work with the marketing team to develop a brand and a campaign image for security
3. Identify the benefits security can bring to each function (HR, IT, Finance etc)
4. Meet with each function and find out what worries them about security and talk about the benefits
5. Develop objectives for your campaign – What will success look like?
6. Include phishing simulations in your campaign (see below)
7. Identify “Cyber Champions”. Like ‘Fire Marshals’, these are people you will speak to on a regular basis, and they become your advocates across the organisation
8. Create a range of materials you can use throughout the year: posters, wallpapers, free stuff (mugs, mouse mats, water bottles etc.), videos, articles etc.
9. Run competitions and quizzes
10. Speak to people about their families’ online safety. Give advice about changing home router passwords, or advice about e-safety for children. If you can get people to think about security at home, then they’re more likely to replicate this behaviour in the workplace.
11. Be passionate about this topic; If you’re not excited and interested, then how do you expect your people to be?
Engaging with companies (like Cyberfort) to conduct a phishing exercise on your staff is a great idea if approached well. What you do NOT want to do is to embarrass or shame people into compliance. Therefore, if you are going to run a phishing exercise, please ask yourself what you are trying to achieve. If you’re going to do this once a year, then it’s not raising awareness; it’s a measure. This is fine, because you can say “At the start of X we had a click-through of 80%. But six months on, we have a click-through of just 20%.”
Using a phishing simulation in this way is great, but if you communicate that “We had 80% of people clicking on an exercise. You all must do better!”, then the likelihood is that you’ll annoy a lot of people and turn them off what you’re trying to do. There is a lot more to this topic, but trust me: phishing exercises are great – just be careful how you communicate the results!
I started out this blog by talking about phishing, but along the way I brought you to a different place – Training and Awareness. In some ways this is the essence of a true phishing attack: you thought you were getting one thing, but over time you ended up someplace else.
But in reality, the reason you’ve read this article is to learn how to combat phishing attacks. The answer to that isn’t in the technology we use; it’s in the people we train. Our people are our greatest allies and our last line of defence. We hire brilliant people, but people are complicated animals, with drives, desires and emotions that we need to take into account when designing our approach to cybersecurity and data protection.
There is no sign of the proliferation of phishing emails slowing down. Technology can’t keep up, so we need to arm our people with the skills and knowledge they need to become our army of Cyber Champions.
In our collection of whitepapers, Cyberfort’s cyber consulting experts explore issues from cyber threat intelligence to incident planning and data security. Read our whitepapers to help make informed decisions for the benefit of your business.