By Tyler W.
February 27, 2021
Increasing Phishing Awareness
Don't let yourself become a statistic: improve your ability to identify a phishing attempt and attack. There are numerous services to help you on your way.
Do you know what a phishing attack looks like, and do you know what to do if you have been successfully phished? The best security is education. Phishing is the most popular way to begin a cyber attack, because it preys on human curiosity or error. In fact, 38% of business data breaches are caused by human error, and 67% of successful cyber attacks in Australia are reported as stemming from phishing, compromised employee credentials or ransomware. As a result, it is extremely important that you and your team know how to identify a phishing attack. The higher you are in your career, the more you need to be able to identify these attacks (referred to as spear phishing when a particular person is singled out), as the value of the information that can be stolen, and the risk of a successful breach, are higher.
Thankfully, there are various tools and service providers that can assist with education about, and identification of, phishing attacks. These simulations are something every business, regardless of size, can and should participate in. Some of the most common software and service providers for simulated phishing attacks and education are:
- KnowBe4 is a company that specialises in running various phishing simulation attacks and general digital security awareness training. They charge per seat: for the smallest organisations you could be paying as little as $18 per seat, and $9 per seat for much larger corporations.
- Microsoft has recently entered the security awareness space, providing a tool to organisations on the E5 or Microsoft Defender for Office Plan 2. Microsoft provides this tool free to these plans so you can run an attack simulation within your organisation for the purpose of education. This is a great alternative to the above if you cannot satisfy the minimum number of seats required.
- A local option is phriendlyphishing.com, a phishing simulation tool designed by Australians. You do need to contact the firm directly for pricing; however, it is a product from the reputable local firm CyberCX.
- If you are particularly computer savvy you can also build your own tool, using my personal favourites Gophish and King Phisher. Both of these are open source tools available from GitHub, deployed within your own systems, and can be used to simulate attacks from many email sources.
** Obviously, Cyberwise can assist with your phishing training, education and attack simulations too.
Given the volume of solutions available, and the fact that there is guaranteed to be one to fit your budget (some are free!), there is no reason why you should not be introducing this awareness training to your organisation.
If you are able to put yourself and your staff in a position to identify suspicious emails and improve your overall digital security awareness, the consequences are only positive. With the volume of attempted attacks, it is almost inevitable that we will run afoul of one of these attacks and be phished. Having an awareness of what a suspicious email looks like (which sometimes is not suspicious at all) will protect your data, decrease insurance costs and give your customers greater confidence in your systems.
Remember: never click on links within emails that direct you to a website to 'log in'; go direct by typing the URL into your browser yourself. Always check the full sender email address to ensure it is from an expected and reputable domain (you can normally identify a phishing domain relatively easily). Ensure any website you are entering data into has an "https" prefix, so you can be certain the data being entered is secure and encrypted.
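As an added illustration of the three checks in this paragraph (example code, not part of the original post), the Python below applies them to a constructed sample message; the `EXPECTED` allowlist and the sample headers are assumptions, and the message is a made-up example rather than a real phish.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = {"example.com"}  # constructed allowlist of the organisation's real domains

# Constructed sample, not a real phish: the display name and the link text look right,
# while the actual sender domain and the actual link target do not.
SAMPLE = """\
From: "Example Bank Support" <alerts@example.com.secure-login.net>
Subject: Action required
Content-Type: text/html

<p>Your account is locked.</p>
<a href="http://example.com.secure-login.net/login">https://example.com/login</a>
"""

# Simple anchor matcher; good enough for illustration, not for arbitrary HTML.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if the string is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def is_expected(host):
    """True only for an expected domain or a genuine subdomain of one:
    'example.com.secure-login.net' merely contains the name and fails."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED)

def check_message(raw):
    """Apply the three checks from the text; return a list of warnings (empty = clean)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    warnings = []
    # Check 1: judge the full sender address, never the friendly display name.
    if not is_expected(sender):
        warnings.append(f"sender {sender!r} is not an expected domain (display name {display!r})")
    # Check 2: where a link goes is what matters, not what its text says.
    for href, text in ANCHOR.findall(msg.get_payload()):
        target = host_of(href)
        if not is_expected(target):
            warnings.append(f"link shown as {text.strip()!r} actually goes to {target!r}")
        # Check 3: a page you will type data into must be served over https.
        if not href.lower().startswith("https://"):
            warnings.append(f"non-https link: {href}")
    return warnings

if __name__ == "__main__": print(*check_message(SAMPLE), sep="\n")
```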
I am hoping that these tools will assist you in increasing your security awareness and deploying a phishing simulation attack in your business or place of employment. Remember, it is about education and awareness, so if someone is successfully phished, treat it as a learning experience, a chance to rectify mistakes. A 'stick' approach is not advisable, as this rarely results in employee engagement and improved behaviour. If you require any assistance in the deployment of these phishing exercises for any reason, including being time-poor, please do reach out and we can assist in the attack simulation and education of your stakeholders.