IT departments — like my very own — try to stop phishing emails reaching end users through a variety of technologies, but it is a never-ending battle to fight determined scammers and criminals who are constantly refining and improving their techniques.
At the end of the day, the last defence is always the end user's own astuteness and vigilance. This is why education is so vitally important.
I've been thinking about this problem for some time. What's the best way to train staff about phishing? Should it be in the company induction process? Is a single slide, as I've seen companies do, really achieving anything? How do you refresh the memory of long-standing staff?
I'd considered making my own phishing test; after all, why pay $5000 when I could send off my own barrage of tricky emails? Slap on a few logos, make a call to action: "Warning! This bad thing will happen unless you click here right now!" and send it off.
Yet, what does this really achieve? It measures how many people you can trick with an email deliberately crafted to trick them, but it doesn't teach those people how they were supposed to know better. Without that education it cannot ultimately lead to a decrease in risk.
Phriendly Phishing says it's different, and I was keen to understand why. Before I tested the product I spoke to Damian Grace, and he was passionate about making a change in security awareness training.
Phriendly Phishing emerged, Grace said, when he lamented the lack of an effective training solution to help regular folk understand phishing attacks.
Grace was head of Ethical Hacking at Shearwater Solutions, an Australian security consulting firm, which used to perform standard phishing consulting just as I described above. They'd create the cleverest possible phishing email and send it to as many people within the target organisation as possible.
Yet, Grace reflected, he and the team at Shearwater were unsatisfied with these results. "People don't like being tricked," he told iTWire. "It can have a negative effect on the company."
Instead, he explained, he had a vision for phishing awareness training where people would want to be involved, where they'd be empowered to recognise phishing attempts and deal with them appropriately, both in their business and personal life.
"People aren't getting the education they require," Grace said. He looked at how awareness training was being performed. Some customers said they ran an annual awareness campaign about phishing and expected better results, yet those results never came: staff still kept falling for phishing emails.
I can relate from my own experience; I've seen phishing training which is just dull and lifeless, ultimately nothing more than an academic paragraph on a slide during an induction – merely words to be glossed over, for the new staff member to say "Ok" to, with neither the trainer nor the staff member really understanding what the slide says.
During this review, Grace noted key points he felt would make an effective training system and went to market seeking a solution that met these criteria. Yet no suitable education system existed which would let the user genuinely enjoy the experience, understand it, and come away with solid anti-phishing skills. Instead, the available options followed the same path: trick the user and put them offside.
Knowing there was a better way, and finding no existing option, Shearwater built it. Thus Phriendly Phishing was born.
A core principle from the start was to treat people with respect. There's often a perception that IT thinks of users as simply "dumb users" while in reality many security leaders Grace spoke to were passionate about making positive changes that benefited the organisation and staff alike and were seeking a product to help with this.
They wanted a product that took users on a journey of growing and learning, rather than simply tricking them with a one-off phishing email. This mindset, Grace says, is key to Phriendly Phishing's philosophy and approach.
It's not difficult to see why phishing works. It offers a big return to scammers, to criminals, for little investment. Many emails are purely opportunistic and work simply on massive volumes. Like sales calls, scams are a numbers game. Send a scam to a million people. Even if 90% are filtered out that's still 100,000 people who see it. Of those, the scammers bet there's a certain number who will click the link. Phishing isn't going away. It's easy, and it's profitable – and that's why it is essential any business invest in phishing education for its staff.
Among products I looked at, Phriendly Phishing stood out with these claims of respecting staff and helping them truly understand, through their own personal journey, how phishing risks an organisation's health, as well as arming people with real skills to identify and act on phishing emails.
The platform further seeks to measure how successful the training was, and to confirm to stakeholders that risk has been reduced.
I engaged Phriendly Phishing to see it myself on my business, a national publicly-listed company with 70 locations and almost 1000 staff. With a compressed two-week timeframe in mind, we ran this across 50 staff, which included the chief executive, senior managers, receptionists and a mixture of others.
Phriendly Phishing does its work in three phases. The first sets a baseline, measuring the organisation's risk from phishing as it stands, before any training. By necessity this is the "send a simulated phishing message to all users" approach to see who clicks, yet with two differences from the traditional approach taken by every other vendor.
For one, the results are anonymised. You'll know how many people clicked, even how many times people clicked, but not who. Secondly, if someone does click they are simply taken to a benign Google search page, leading them to believe the email failed, not that they did anything wrong. It's non-intrusive and isn't there to embarrass the user, but purely to gather a baseline.
For the administrator it's a different story; the baseline is vital and even sobering. Remember, it informs the risk to your organisation if a malicious phishing attack occurred right at that very second.
In my case, of the 50 staff, nine people clicked the link. One person clicked twice – I had 10 clicks from nine people out of 50 messages. That’s a risk of 18%. If this was a real phishing attack, I’d have an outbreak on my hands. Imagine nine people in different locations executing a malicious payload at the same time.
The second phase follows on, and this is the education delivery, a major distinguishing feature of the product. Administrators can see who is yet to take training, along with individual progress and other metrics. I'll come back to the training momentarily.
Lastly, phase three sends periodic real-life phishing assessments to test that your users remain alert after the training and that they absorbed its message. These assessments are graded in difficulty, from difficulty one, which would be a fairly obvious and unsophisticated phishing scam, to difficulty ten, which is very sophisticated and delivers phishing emails from registered domains that appear to be reputable. This time around the results are not anonymised and you will know who needs their training reinforced.
During this phase, not one staff member clicked any links during my test. My risk plummeted from nine people out of 50, or 18%, to zero out of 50, or 0%. That's impressive, though results will understandably vary. My test was in a compressed timeframe, so the phishing assessments followed very closely after the training. While 0% would be wonderful for anyone to see, the important measure is that the value ultimately trends downwards, even if it rises and falls along the way.
At any point during the three phases, admins can monitor dashboards and run reports to keep abreast of progress and effectiveness. Each staff member is on their own journey.
The training component is so vitally important. Your staff cannot make a difference to your organisation's risk if they do not actually understand how to identify a phishing email or what to do about it.
Phishing training can’t be technical; it must serve a wide audience, targeted to non-technical people in a way that supports learning.
I really liked Phriendly Phishing's training, with its acronym “S.C.A.M.” – users come to learn this means check the Sender, check the Content, check the Action, and Manage the email appropriately. S.C.A.M. also conveniently references the names of four cutesy characters who will help along the journey such as a slimy sender, a con man, an English teacher and a straight-by-the-book character. It’s entertaining, it’s gamified with achievements, and importantly, it’s memorable. You get tested after each module with a short multiple choice quiz, and receive an award for passing.
The training was superb and my users absolutely loved it too. I was especially pleased the training impresses that these concepts don't simply apply to the business, but also to home life. The bad guys will send phishing scams and ransomware to individual folk just as they will to big business. I think understanding this helps get people more personally invested.
I asked my users for genuine feedback. They had these things to say:
“I enjoyed completing this training. Even with some knowledge around Phishing and what to look out for I certainly learnt some new things. Definitely a useful tool for keeping it front of mind. I would recommend for the entire management team if it hasn’t already been offered to them.”
“I’ve just completed the training and learnt a couple of things I wasn’t aware of before … I think it would be very useful for anyone who accesses emails at work (or at home).”
“I gave it a go, it was very easy to use and covered off well the fundamentals of avoiding a phishing scam.”
“I think this would be a great program to offer as reception training – specifically to those bigger locations who employ staff that are solely on reception and responsible for incoming emails. And, of course, managers.”
Ongoing assessments follow training to ensure the lessons were understood and to gently assist staff who need more help or practice. The fake phishing attempts become more sophisticated as staff learn and, importantly, as staff demonstrate their ability to recognise the hallmarks of fake emails, such as hovering over a link to reveal the address it actually goes to and knowing what marks a link as untrustworthy.
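The "hover over the link" check described above can be expressed as a simple rule: the address a link displays and the address it actually goes to should agree. As an added example (not code from Phriendly Phishing or the original article), the Python below pulls every link out of a constructed HTML email and flags those whose visible text names one host while the href points at another, the classic hallmark of a deceptive link:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'example.com/x' is treated as a URL too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def check_links(html):
    """One finding per link: the host the text shows, the host the href reaches, and whether they differ."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only text that itself looks like an address (has a dot, no spaces) makes a host claim.
        shown = host_of(text) if "." in text and " " not in text else ""
        findings.append({"text": text, "shown_host": shown, "real_host": real,
                         "mismatch": bool(shown) and shown != real})
    return findings


# Constructed sample: the first link displays one address but goes somewhere else entirely.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. <a href="https://login.example-mail-support.net/reset">https://mail.example.com/reset</a></p>
<p>Questions? See <a href="https://mail.example.com/help">our help pages</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```

Plain-language link text ("our help pages") makes no claim about its destination, so it is reported but not flagged; a mismatch is only raised when the displayed address and the real address disagree.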
During my time with Phriendly Phishing I found it's most certainly not a one-off “trick your users and report on it” test like the industry norm. Instead, it sets a higher standard, measuring ongoing organisational risk to phishing, while leading individuals on their own journey of phishing awareness.
In the admin console, I could group users into zones, report on who had started or finished the training, import users, and do a great many other things.
There's more to come, with plans to add further innovations. A just-released product is the S.C.A.M Reporter Outlook Add-in, which gives you and your staff the ability to report a spam email in one click.
Phriendly Phishing is available as an annual subscription in units of 100 users, with no setup fees. User counts can be reassigned over time as staff come and go, and campaigns can be suspended as needed, for example over Christmas breaks.
During my time with Phriendly Phishing the benefits of running it as an ongoing training and assessment programme for existing staff and new starters were evident.
Phishing is a real risk, and phishing education and assessment is something that cannot be neglected. Phriendly Phishing is a product you could realistically embed into your company on-boarding or induction process, defending your assets in a way which delights your users.