Only Phools Phall Phor Phishing!

Teamwork and user respect help security more than fear and humiliation

Think of some of the great teams in history, especially teams you’ve had a chance to watch and enjoy during your lifetime. What is the common thread? Yes, there are talented and hard-working individuals, but is the whole team equally talented at the exact same things? No. There is mutual respect on that team, and there is usually a leader who is exceptionally good at finding and bringing out the good in every member so that they play at a higher level than they would on their own. I might be referring to Russell Wilson here (Go Hawks!). Our work organizations are a team as well, and user respect is one of the best tools we in the security world have to keep that team functioning as a strong security unit. Unfortunately, since I’ve been in the cybersecurity industry, I have seen the opposite happening. Technical teams think that the users are stupid, that their stupidity creates more work, and that the technical team is always stuck cleaning up the messes left behind. This attitude takes a team that is trying to work together and turns it into a group of individuals who would rather hide their mistakes than be chastised for them! If you hold this or a similar opinion (openly or secretly), I hope to change your mind and convince you that there is a better way!

In this article I’m talking specifically about phishing, because that is where most users will fall victim. Over the years, phishing attacks have evolved and gotten much better (I think we can all agree on that), but our opinions of the people who fall victim to a phishing attack have not changed, and that lack of user respect by security teams actually degrades the security fabric, the Kevlar, of an organization. In order to build a stronger team we need to address and correct that mentality.

First, let’s explore the opinion in question: is there only a segment of people who will fall victim to a phishing attack? Should user respect be something we give in every situation? I humbly suggest that anyone and everyone could fall for a phishing attack (yes, even you). I once had the privilege of meeting with a security team, and as we showed them the PhishCloud product the director commented that he wished he’d had our tool a few months previously. It turned out that he had fallen for a phishing simulation that he had ordered for his own organization a few months earlier, and he was very embarrassed. “But”, he said in his defense, “I really wanted those tickets!” It made me realize that as much as technical people try to suppress the “social” in our beings, we are still social beings with all of the emotions that come along with being human. At its root, phishing is social engineering, and the more an attacker learns about you and the things you are thinking about, the more of a target you are. And detecting a phishing attack isn’t as easy as it used to be! With a subscription to Grammarly, even Igor from Eastern Europe can put together an email that doesn’t have the hallmark red flags of five years ago. With shortened links and link wrapping, only the most skilled can really see where a link is taking you, not to mention the complex JavaScript redirect logic that PhishCloud researchers have found on innocuous landing pages: it sends only the intended target to the malicious site, and everyone else goes to Google.
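The paragraph above makes two technical points a defender should internalize: a shortened or wrapped link can pass through several hops before its real destination, and a landing page can decide server- or script-side whom to forward on. The following is an added example (not code from this post or from PhishCloud) of the kind of hop-by-hop link resolver an analyst uses to answer "where is this link actually taking me?". The fetch function is injected, so the block runs offline against a constructed redirect table; the URLs, hostnames and the `mock_fetch` helper are all invented for illustration. The caveat the paragraph raises is built in: an HTTP-level resolver only sees what the HTTP client sees, so a page that returns 200 and redirects via JavaScript only for a chosen victim shows up here as a terminal hop.

```python
"""Hop-by-hop resolver for shortened and wrapped links (added defender-side example).

The fetcher is injected so the resolver can run offline. In production you would
pass a function that issues one request WITHOUT following redirects and returns
(status_code, Location header or None). Names and sample URLs are hypothetical.
"""
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10

# Constructed sample: a short link that wraps through a link-protection domain
# and a benign-looking landing page before reaching a look-alike login host.
# The last entry returns 200 with no Location header: as far as HTTP is
# concerned, this is where the chain ends, even if client-side script on that
# page would forward a selected visitor somewhere else.
SAMPLE_REDIRECTS = {
    "https://short.example/abc":
        (301, "https://safelinks.example/?u=https%3A%2F%2Flanding.example%2Fpage"),
    "https://safelinks.example/?u=https%3A%2F%2Flanding.example%2Fpage":
        (302, "https://landing.example/page"),
    "https://landing.example/page":
        (302, "/auth"),                      # relative Location, must be joined
    "https://landing.example/auth":
        (307, "https://login-m1crosoft.example/auth"),
    "https://login-m1crosoft.example/auth":
        (200, None),
}


def mock_fetch(url):
    """Stand-in for a non-following HTTP request against the constructed table."""
    return SAMPLE_REDIRECTS.get(url, (404, None))


def resolve_chain(url, fetch, max_hops=MAX_HOPS):
    """Follow Location headers one hop at a time.

    Returns (chain, reason) where chain lists every URL visited in order and
    reason is "terminal" (non-redirect response), "loop" (a URL repeated) or
    "max_hops" (gave up). Relative Location values are resolved against the
    URL that issued them, as a browser would.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if location is None or not 300 <= status < 400:
            return chain, "terminal"
        nxt = urljoin(chain[-1], location)
        if nxt in seen:
            return chain + [nxt], "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "max_hops"


def assess(displayed_host, chain, reason):
    """Turn a resolved chain into analyst findings (list of strings, empty if clean).

    displayed_host is the host the user believed they were visiting, e.g. the
    host shown in the email text or the first hop of an unwrapped link.
    """
    findings = []
    hosts = [urlparse(u).hostname or "" for u in chain]
    if reason != "terminal":
        findings.append(f"redirect chain did not terminate cleanly ({reason})")
    if hosts[-1] != displayed_host:
        findings.append(f"final host {hosts[-1]!r} differs from displayed host {displayed_host!r}")
    distinct = len(set(hosts))
    if distinct > 2:
        findings.append(f"chain crosses {distinct} distinct hosts over {len(chain) - 1} hops")
    return findings


if __name__ == "__main__":
    chain, reason = resolve_chain("https://short.example/abc", mock_fetch)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    for finding in assess("landing.example", chain, reason):
        print("finding:", finding)
```

The resolver deliberately stops at the first non-3xx response instead of rendering the page: that is exactly the blind spot the paragraph describes, and it is why a clean-looking chain from a static checker is not proof that the link is safe. Treat the output as "what this client was shown", and feed suspicious terminal pages to a sandbox that executes script if the decision matters.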

But the complexities that we on the technical side understand don’t stop us from armchair quarterbacking after the fact. I’ve seen post-click diagnoses of the email a user fell victim to where, after an hour of research and documentation, the security team highlighted the things the user would have found as indicators of a phishing attack, if only they had dug a little deeper. This attitude disregards any sense of user respect and instead inflates the ego of the researcher. But if it took the researcher an hour to figure all that out, how long would it take a non-technical person? And how do they get their job done if they need to spend two hours finding out whether this:

[Image: fake QuickBooks invoice. Caption: can you spot the phish – invoice]

is a real invoice to be paid or not? Or whether this:

[Image: fake Office 365 request. Caption: can you spot the phish – O365]

is a real message from Microsoft requesting credential updates? Both of these were real phishing attempts found by PhishCloud customers that, without digging at least two steps below the surface, passed all of the normal checks we tell users to look for.

What is the solution, then? Well, unfortunately, there is no silver bullet for phishing, just as there is no way to write 100% bug-free code on the first pass. There is plenty of training, there are tools that help, and there are preventative measures that make it less likely that someone gets phished, but nothing protects 100%. And the point of this message is not to give you a solution, but rather to get you to realize that there is no complete solution, and that pointing fingers and chastising someone for making a mistake when something does go wrong doesn’t improve your defense through teamwork. Using fear as a motivator to do the right thing only works for a while, and it has a negative effect on so many other areas where an employee engages with and improves the organization that it doesn’t make sense when you look at the big picture. And, in most cases, the person who fell for the phishing attack already feels horrible!

I suggest a different tactic: it’s time to embrace SuGaR training. That is Sh*t Got Real training, built on the understanding that people are much more attuned to learning about something when it has really affected their life. Turn the event into a lesson learned and make the victim part of the solution. At Amazon we had a Correction of Error (COE) process. When implemented correctly, it played multiple roles: it took a negative result and turned it into a lesson learned for all affected parties, and it generated solutions to help prevent the same mistake from happening again. In my opinion, one of the best attributes of this process was that if you were part of the mistake, you were able to face up to it and fix it. You didn’t just create problems for other people; you took ownership of the mistake, and then people with the right skills came alongside and helped fix the problem. That made you feel like you were part of the team, a valuable asset to the company worth engaging, and hence a stronger strand in the Kevlar protecting the security of the organization.

So, next time someone in your organization clicks on something they shouldn’t have, instead of asking, “why would you click on that, idiot?”, take a step back and recognize that this person didn’t fall for phishing on purpose and isn’t trying to make your job more difficult. Rather, because they brought it to you, they are in a uniquely humble position to learn more now than they were when they took the mandatory training a month ago. Help them like you would a friend, and use the opportunity to make them a more educated, stronger part of your security network.
