I’m a bit surprised by some aggressive corporate anti-phishing policies which say they will fire anyone for one accidental phishing offense. Send me the names and email addresses of the people who create those policies and I’ll successfully phish them. Anyone can be phished.
The goal of every anti-phishing policy should be to significantly decrease the likelihood that the organization and its members can be successfully phished. You want to promote a culture of healthy skepticism. KnowBe4 customers frequently go from 30% to 2% “phish prone” rates in a year. I challenge you to find a decrease in cybersecurity risk that huge from any other single thing that you can do. But to demand perfection seems implausible, especially when they themselves can be successfully phished.
I’ve had many people over two decades tell me they couldn’t be phished as they chided others for falling prey to some phishing attack. I then ask them to give me two weeks to see if I can successfully phish them. I’ve never failed to be successful. Never. My email inbox is full of sour-faced apologies. Anyone can be tricked into clicking on a link. We are just human.
When I was a professional penetration tester, my favorite corporate phishing trick was to send all employees an email pretending to be from the CFO that claimed that the company was going to soon announce that they were merging with their second closest competitor (it takes me a few minutes to figure out who that is). The memo is full of words and terms like synergy, mutual commitment, competitive pressures, market alignment, and empowerment. You know, like all those corporate memos full of blather. Then, I end the email with the following, “Please click on the attached spreadsheet to see if your department and position is still supported in the new combined organization.” Employees could not open the spreadsheet fast enough. It contained scripting which required the user to enable it. They always did. I oftentimes started to get my first backdoor trojans installed and passwords returned within 60 seconds of sending it. My “conversion” rates were over 60%. It worked so often that I got bored of using it.
I get that leaders who rarely or never get phished want to super-motivate those “super clickers” who seem to click on everything. But firing someone for a first offense is a little harsh…at least for most industries and organizations. At KnowBe4, we believe in more carrot and less stick. It’s OK to have negative consequences for frequent clickers; some people won’t change their behavior any other way. But we also know that you’ll move your company faster and have happier employees if you encourage better cybersecurity behaviors by using proactive motivations, like friendly competitions, corporate recognition, gift cards, and pizza parties.
If you know of someone who thinks they cannot be phished, let me know. Send an email to me at email@example.com. I’ll send you back some ideas that I have successfully used to phish the biggest skeptics over my career. I can send you one idea that works against nearly everyone and is very easy to pull off. Just make sure you have their written permission first and do not use the successful phish to harm the “victim” in any way. To do so would be illegal and unethical.
How do I know that anyone can be successfully phished? Because I used to be that guy. In my 32 years in computer security I have never been successfully phished (of course, that I know of). When I came to KnowBe4, I knew they were going to test phish me pretty frequently. It’s what I do. I was determined that I would not ever fall prey to a simulated phishing attack. And on day two they got me. I’m far more humble now.
What did they do to successfully phish me? When I came to KnowBe4, I had just finished writing my Data-Driven Computer Security Defense book. Out of my 11 published books I consider it my magnum opus. It captures what mistakes most people make in computer security and I think everyone should read it. Our CEO read it and decided to hire me.
In it, I explain how social engineering and phishing are responsible for 70% to 90% of all malicious data breaches. Nothing else is even close. Unpatched software, the second closest root cause issue, is only responsible for 20% to 40% of hacks. Everything else you can think of only accounts for 1% of all hacks.
The simulated phishing email arrived in my inbox as an email purporting to be from my CEO. It was a broadcast email to our entire company. In it, it touted a new survey that said that unpatched software was the number one problem, and I could click on the provided link to see the underlying survey data details. I was incensed that someone was claiming that unpatched software was number one. I clicked on the link so fast that I completely missed that if I had hovered over it for just a second I could have read that the URL link said, “ThisisafakeURLtotestyou”. Yep, that’s all it took. Humble pie all around. Since then, I’ve been successfully phished a second time. I’ll just chalk that one up to the fact that I’m super busy. Haha.
To end this blog post, I want to say that anyone can make up any anti-phishing policy that they want. Heck, any policy is better than no policy. But if you make up a policy that includes the punishment that one failed phishing attempt will (not can) lead to employment termination, let’s do a little test.