One of my regular duties as a former Agency Chief Information Security Officer (ACISO) in a statutory board was to conduct phishing exercises. For the uninitiated, phishing is defined by Meta.AI as:
“… a type of cybercrime in which attackers send fraudulent communications, such as emails, texts, or messages, that appear to come from a legitimate source. These messages aim to trick victims into providing sensitive information like passwords, credit card numbers, or personal data.”
For those who are in the IT security or cybersecurity fields, you know that the weakest link in the multiple layers of defence is you and me: the human being. I believe the volume of phishing attacks over email and messaging platforms is so high because phishing has a relatively higher chance of success than sophisticated technical attacks against firewalls, networks or cloud applications.
I got involved in IT security between 2000 and 2005, and during that era we had a term known as “script kiddies”. This refers to hackers who were not technically proficient in the underlying internet technologies and networking but were smart enough to download attack scripts and run some Linux tools, or even Windows-based tools, to attempt to penetrate systems and networks.
Today, you do not even need to know basic Linux to set up a computer (on-prem or in a virtual cloud) with Kali attack tools to attempt to hack a target system, network or endpoint. You can use AI tools to craft convincing phishing email messages or business email compromise emails and then direct the target to perform an action that triggers a remote access trojan, giving you full access to their computer. The most technical part is setting up the destination you want the target victim to go to, or deciding what information, e.g. login ID and password credentials, you need the victim to furnish for your attack to be successful.
From my experience in running phishing exercises, it is not always the most junior or least technically savvy staff who get phished. Department heads, IT staff and even members of my own IT security team have been successfully phished before. I myself failed phishing exercises before taking up the ACISO role.
Thus, what I learnt from administering these exercises and then counselling those who failed them repeatedly was the following:
- Speed is the enemy of security – the faster you click and clear the email, the more susceptible you are
- People tend to respond to threats and time sensitivity in the phishing message
- Those who came back from leave and were clearing email backlogs were more susceptible
Phishing tends to catch people who are in a rush to clear their inbox: they focus on clearing emails rather than first checking whether each one is bona fide, which takes time to read and digest properly.
My heuristic to help them reduce the risk of being phished was to slow things down, to check with IT security about any email they were suspicious of, or simply to ignore emails, especially those from unsolicited senders or people they do not regularly work with. Ignoring email works because genuine work matters are real, and the people chasing you about them will typically try alternative ways to contact you.
I wish you the very best in your next phishing exercise conducted by your organization.