Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

What you need to know about Business Email Compromise (BEC) attacks


Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to continue as a favoured method of cyberattack in the future. In this blog article, Shearwater’s social engineering and phishing expert, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.

In a concerning trend, Australia ranked second in the world (at 27.4%) for reports of attempted BEC attacks in the first half of 2017, (1) and reports to the ACSC’s, Australian Cybercrime Online Reporting Network (ACORN) during 2016-17, attributed losses of A$20 million to BEC attacks. This increase of 230% from the $8.6 million during 2015-16 “likely represents only a small percentage of total activity, as both misreporting and underreporting occurs.” say the ACSC in their 2017 Threat Report (2)

What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals has a role to play, but it is mainly due to the fact that BEC attacks offer a great ROI for cybercriminals; providing high returns – with attacks originating from overseas currently having a low chance of prosecution.

What is a BEC attack?

A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.

Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts or spoof (create fake) emails to make them appear to be from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, targeting the CFO and finance director (3)

The five common types of BEC attack are:

CEO Fraud

A scammer impersonates the CEO (or high ranking executives) then sends scam emails trying to get an employee to transfer funds or confidential information.

Attorney Impersonation

A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.

Fake Billing

A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.

Accont Compromise

A scammer hacks into the email account of an employee (usually Finance) and contacts customers on the contact list stating a problem with a payment and requesting that payments are made to a ‘new’ account.

Data Theft

A scammer impersonates targeted employees (usually HR) and then sends out requests to employees and executives requesting personal information verification or updates.

Cybercriminals use both a low quality (basic research), high quantity approach, bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked, and also a high quality (highly researched), low quantity approach, where it is much harder for employees to spot the difference between real and counterfeit emails and the more likely the email will pass spam filters and whitelisting.

A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.

BEC & Social Media
Cybercriminals research their targets using social media, in preparation for a BEC attack..

BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They will be addressed from a senior colleague or a supplier, may appear to cc other employees or be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information – all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time and the request is always ‘urgent’ and ‘important’.

There are 2 mechanisms for the delivery of a BEC attack.

Email spoofing

A range of tactics are used to make an email appear to be from a trusted source or colleague:

  • Using the email header – to make the message appear to have originated from a trusted source
  • Using an email address that is almost identical to the address they are impersonating
  • Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain.)

A spoofed email may contain a link that will install malware, leading to account compromise.

Account compromise

The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved using a phishing email which includes a link to install malware, phone-based vishing, or USB drop to trick victims into divulging login credentials or installing malware or keyloggers into their computers or devices. Once compromised, the attacker will monitor the account for opportunities for exploitation; using the account for further research and to send emails to target employees, taking steps to ensure that the legitimate owner of the account is unaware.

What you can do TODAY to protect your organisation


An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:

  1. Employee training
  2. Updating business policies and procedures
  3. Selecting and configuring technology

1. Employee training

Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.

In the interim, advise employees of the tell-tale-signs of a basic BEC attack email. Look out for a combination of:

  • A request to change bank account details, make a money transfer or provide confidential information
  • A request that is urgent and requests secrecy.
  • An email signature that is missing, incomplete or incorrect
  • Poor grammar or spelling

If employees receive an email with these characteristics, they should:

  • Check the address in the ‘from’ field (is it really from who they think)
  • Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
  • Not open any attachments or click on any links
  • Notify their IT department.

Phriendly Phishing Training
Ensure that ALL employees receive the latest phishing prevention training.

2. Update policies and procedures

The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.

  • You may choose to make it mandatory that requests for transferring funds, payment changes or providing confidential information:

    • Are not made via email, and/or
    • Require a 2-step, or more, verification process, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
  • Create/update policies and procedures for the safe handling of suspicious emails.
  • Create/update policies and procedures for communicating with suppliers.
  • Promote file sharing on your organisation’s internal networks to reduce the need to email files.

Ensure that ALL employees are made aware of these changes.

3. Select and configure technology

The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.

Multi-factor authentication

  • Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.

Domains

  • Ensure your organisation publishes SenderID/SPF records for their domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
  • Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
  • Implement/correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC) to enhance Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM) to enable 2 email authentication technologies on all emails, to identify the sender of a message and:

    • Block SPF hard fails (emails verified as not originating from the domain they claim to originate from)
    • Block DKIM verification fails – log and investigate and inform the spoofed organisation
    • Quarantine and flag to users any SenderID/SPF soft fails

Flags and alerts

  • Flag external emails e.g. add [EXT] to the start of the subject
  • Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
  • Flag emails with extensions that are similar to your corporate email

Software and logging

  • Ensure that antivirus software is up-to-date and correctly configured.
  • Keep blacklisting and whitelisting up-to-date
  • Provide users with the ability to report suspicious emails to IT (e.g. with free outlook add-ins like S.C.A.M. Reporter)
  • Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.

Environments

  • Provide a safe environment for the IT security team to investigate suspicious emails.
  • Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.

If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment(4):

  • Convert attachments to PDF (and quarantine originals)
  • Whitelist attachments based on file typing to identify and block spoofed attachments
  • Block encrypted attachments
  • Disable macros and JavaScript content and quarantine originals
  • Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
  • You may also wish to block any non-authorised third-party email services.

The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks. For a more tailored approach, contact your cybersecurity partner to enquire about cybersecurity and information security risk assessment services.

References

How to Make Sure your Phishing Awareness Initiatives Are Successful


Every organisation fosters a unique environment – the differences can be large and many.

Some have a strong culture of continuous learning, others not so much.

That being said, regardless of the structure and culture of your organisation, when it comes to phishing awareness initiatives there are key players that need to be included in your conversations to make sure you are successful in creating a security awareness culture.

In most mid-to-large organisations, the four key stakeholders that you will need to support your initiatives are:

  • Upper Management
  • Learning and Development Team
  • IT Security, and
  • Human Resources

A sure way to get on the bad side of these influential stakeholders is to loop them in at the last possible minute with something along the lines of “Oh, FYI – we’re starting a phishing awareness campaign next Monday. Thought you’d like to know!”

This is a sure-fire way to get them offside and have them push back against the initiative.

Bringing these influential parties into the conversation early and often, and arming yourself with the information they require, will help you nullify any objections.

Security awareness and, in particular phishing awareness, is so important in the modern workplace that we need to give it every chance to succeed. So how can you get these different groups across the line? After running phishing awareness campaigns for over 150,000 people covering almost every demographic, I have pulled together my personal cheat-sheet on tackling the hard questions with these key influencers.

 

 

 

 

 

 

 

 

 

 

 

 

Upper Management

Upper Management is by nature extremely interested in metrics, especially when it covers organisational risk and improvement over time. It is this combination of staff enrichment with hard evidence where we can appeal to Upper Management’s business goals.

I often hear that phishing is now among the top three risks discussed at a Board level, so having key on-going metrics that you can present to senior decision makers can be a door-opener to getting your project on the agenda.

When dealing with Upper Management, I recommend finding a balance between the data (such as phishing assessment results, click-through rates and training completion rates) and staff aspects. That is, while the data can spell out the situation in black and white, don’t underestimate the value senior decision makers place on a program that supports staff along the way with engaging content and a nurturing training environment.

Learning and Development (L&D) teams

The internal L&D team should have a better understanding of your staff learning culture than anyone else. As the L&D team are usually concerned with the training material itself, be prepared to answer questions like:

  • Does the training suit our environment and culture?
  • What are the learning outcomes, and will the learning material deliver those outcomes?

In most cases, L&D teams don’t typically have concerns over phishing simulation and assessment activities, but they are more concerned with the structure and quality of the training components.

The last thing you want to do is give the impression that you’re trying to go over the L&D team’s head. So, to bring this team along the journey, give them access to the training material as soon as possible, and provide an opportunity for them to take some ownership of the program. Blindsiding them and bringing them into the conversation late is a certain recipe for disaster.

IT Security

In many cases, IT Security teams approach phishing assessments in a certain way; that is, create a super hard phishing email and send it to as many people as possible with a goal to trick and deceive large swathes of the audience.

Fortunately, this old method is having less appeal to many stakeholders. As training and technology has improved, we have a better (and more effective) way of doing phishing assessments and awareness training using smart automation simulations that adapt to the user’s level of understanding.

IT Security teams are notoriously short of time and short-staffed, which is why you can score some easy wins by appealing to their desire to hit objectives using smart automation without compromising their outputs. From a ROI perspective, phishing campaigns are not often the best use of the IT Security’s time – this is where automation comes in. When you discuss your phishing campaign, you have the perfect opportunity to show how it’s possible to have the best of both worlds – effective phishing education and automation all at once.

Another way to win over these key decision makers is to offer access to this automation system – so that if they have a great phishing email they want to add to the campaigns, they can. Similarly, explain that if they are having a busy few months and have no time, the system should continue to run without their input. Giving IT Security the power to influence while still doing right by your staff is a great win/win.

 

 

Human Resources (HR)

HR acts as the advocate and conduit for your workforce, and as such, they are typically concerned with how users are going to be treated and how they will be made to feel during engagements. It shouldn’t come as a surprise; security teams have a history of performing phishing assessments that are far from respectful to the end user. In many cases, staff are often left feeling tricked, confused, and outright unhappy with the whole experience.

The biggest concern I see from HR is around transparency. HR often insists on telling users in advance about training and workplace changes. However, for phishing campaigns, telling staff upfront defeats the purpose of doing a phishing baseline – resulting in a warped gauge of the environmental risk and creating misleading data.

But there is an opportunity for a compromise.

If HR’s main concern is that staff are not being given a chance to be educated and warned before being tested by a simulated phishing email, there is a way to resolve this pain point. First, you can ease concerns by making sure that your simulated phishing emails look no different to the authentic phishing emails staff may receive any other day of the year – so be sure to make your simulations realistically undetectable. Second, make sure that your risk assessment baseline emails are anonymised and communicate that to HR. By removing the connections between the simulated phishing emails and your organisation, as well as anonymising the results, you can alleviate HR’s concerns and ensure users don’t feel tricked.

And lastly, but most importantly – The Staff

While your staff don’t need to be consulted upfront, in many ways your staff are the most important to win over. When it’s time to let them know about the initiative (typically just before the training starts), it’s important to frame the conversation or notification in a certain way to get maximum participation and personal buy-in.

Sadly, we often see this approach used in staff training: “Company X dictates that everyone must do this mandatory training by 12pm tomorrow!”. While it is a slight exaggeration, it probably captures the sentiment best. Nobody likes being told what to do, especially when they have no interest in it.

A better approach is to show the user how phishing has become such a huge issue. Not just for them, but for their kids, their parents, and their spouses. People are far less concerned about your organisation than they are about themselves and their family.

If you can show them how they can be the protector of their own domain with training that’s practical and interesting, you’ll see a new level of engagement and better results.

Don’t forget that many staff members have a fear of technical training. This fear, justified or not, needs to be addressed upfront. So, let users know that the training with be a fun and engaging experience, and make sure your training keeps the information at an appropriate and relaxed level.

Phishing awareness training is one of the most important areas of IT security in organisations today. By having a strategy, you can get the organisation moving together in a frictionless way. With a little extra thought, you’ll improve your risk profile and your staff will actually thank you for it – not to mention proving to stakeholders that your training is a complete success.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution. 

 

5 Tips for Successful Anti-Phishing Training for your Staff


I hear from potential clients all the time how they repeatedly get compromised by phishing-born attacks such as Ransomware. Often, they tell me they follow the age-old adage of telling their staff “Don’t click on links!” or by sending out notifications of current attacks, but they don’t really address the root of the problem – which is, lack of effective education.

So, if telling them “don’t click on links” doesn’t work, what can you do?

Here are a few of the key things you need to do to get users to become part of the solution, rather than part of the problem.

1.  Give them a reason to care – Most staff members don’t really care about the organisation they work for. They might be great at their job and take a keen interest in the company affairs – but ask them to do some awareness training in something they have no interest in and you’ll hear crickets.

There are gimmicks that can be used to get short term buy-in for the training program; but if you want a lasting effect, tie the communication back to how this problem affects their families and people they care about. When you give your staff the opportunity to become a protector of something they care about, not just your organisation, engagement becomes voluntary and much more compelling. This is when the real magic happens.

When they are asking to get a copy of the training for their kids, partners, and parents – you know you are on the right path.

2.  Treat staff with the respect they deserve – Spend enough time in IT circles and you’ll hear things like “dumb users”, “the users are stupid”, or “you can’t teach them anything”. This elitist thinking is one of the reasons IT departments in many organisations have a poor internal reputation.

It’s time we started looking at staff for who they are: specialists in their fields, which may not be IT. They would likely run rings around you and me in their area of expertise, but they just aren’t technologists. This is where you can fill in those gaps and teach them something new.

Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

3.  Tricking is not training – Nobody likes to be tricked or conned, and your staff are no different.

Old-school phishing assessments can easily get your users offside and make those running the program feel superior because they fooled so many people. What other training techniques can you think of that take this approach and actually work?!

A proper anti-phishing program should never be about deception, it’s about providing staff the opportunity to learn and grow. In many cases it will take baby steps. You can’t teach advanced math by sending out advanced equations every month or so, you need to start with the basics and build it from there. Phishing is the same for many people, it can be extremely technical to a non-technical person. Humiliating your staff before they have even had the chance to learn from their mistakes is not the answer.


Take the time to treat the users with the respect they deserve across all communications, touch points, and testing regimes.

4.  Understand the audience – Users in most organisations are often non-technical people. In some cases, they are put off technical training because the past ‘old-fashioned’, dry, boring, and technical modules have left them feeling down or completely out of their depth.

We need to empathise and understand that each one of your staff members is starting off with a different level of expertise, capability and understanding of phishing and technology. A successful training program will need to cater to this and allow users to advance at their own pace.

5.  It’s not an overnight fix I’m sure by now you are seeing that phishing education is quite a tough subject for many people to become proficient at. To get a non-technical audience to understand how to detect phishing can require a fundamental change in their understanding and thinking.

Throughout training, your audience is learning new skills and techniques that they may have never used before, and as with any skill it takes time to learn it, become capable, and have it ingrained into everyday use. You need to devise a program that takes users on a journey from where they are now, right through to becoming a phishing expert. It will take training, practice and patience as there are no quick fixes, but the payout at the end will be worth it.


Understand your organisation’s phishing risk and train your staff to identify and manage phishing emails with our phishing awareness training and simulation solution.