Phishing training programs need to be focused on educating employees rather than on shaming them, according to David Spark and Allan Alford, co-hosts of the Defense in Depth podcast. On the CyberWire’s Hacking Humans podcast, Spark and Alford said most people don’t have an adequate understanding of social engineering tactics.
“I think it's minimal at most,” Spark said. “I mean, honestly, most people hear little tidbits here and there. But I think the most common thing that is happening is the spearphishing attacks where people know the people to go after within an organization to be able to get the money.”
Alford emphasized that phishing emails have grown much harder to spot, and employees need to be taught to take the circumstances into account rather than just looking for visible warning signs in an email.
“One of the things I always do is I warn them, you know, what are the key signs that it's a bad email?” Alford said. “It used to be in the olden days, you know, oh, oh, bad grammar, and, you know, it's obviously somebody that's scamming me - you know, give money now please. And they don't even spell ‘please’ right, and they don't use a period. ... Now it's so much more sophisticated, and so you have to get into the psychological tricks that the bad guys use and incorporate that and get those lessons on the table in your training, right? A false sense of urgency, appealing to your sense of curiosity, appealing to your sense of greed.”
The best way to fight social engineering attacks is to make people aware of the tactics fraudsters use, according to Alford.
“Training and awareness are key,” Alford said. “Opening people's eyes to what can happen, sharing those stories, telling them and passing them on. Every shop I've been in the bad thing has happened in one way or another. Somebody always manages to pull off some sort of scam or trick, and somebody always falls for it. So you collect those stories and share them and spread them, and you create training programs specifically around those, right? Anti-phishing training is pretty common practice.”
Spark pointed out that the purpose of phishing simulations isn’t to make employees feel stupid; it needs to be a learning experience. Alford agreed, saying that you shouldn’t expect your employees to spot all of your simulated phishing emails.
“If the goal is truly to educate and train and teach, then, like David said, let that super crafty one out the door, but don't expect that you're going to get some miraculous resistance to it,” Alford said. “You know, make it a learning lesson - hey, you fell for a good one; don't feel so bad. But why was this a good one, and what should you do next time? And just walk them through it, and give them support, and give them guidance, and keep these as examples to help just get it ingrained in people's minds.”
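The debrief Alford describes ("why was this a good one, and what should you do next time?") can be partly automated by tagging a simulated phishing email with the psychological lures it relies on, using the three categories named above. The following Python sketch is an added example and is not code from the podcast, the CyberWire, or any training product; the cue phrases, the sample emails, the coaching sentences and the function names (`find_lures`, `build_debrief`) are all constructed for illustration.

```python
"""Annotate a simulated phishing email with the lures it uses, for a
learning-focused debrief rather than a pass/fail verdict.

Hypothetical helper (example code, not from the original page). The cue
phrases below are a constructed starter list; a real training team would
grow it from the incident stories collected in their own organisation.
"""
import re
from collections import defaultdict

# Lure categories from the discussion above, each with constructed
# example phrases expressed as case-insensitive regular expressions.
LURE_CUES = {
    "urgency": [
        r"\bimmediately\b", r"\bwithin (?:24|48) hours\b", r"\burgent\b",
        r"\baccount will be (?:closed|suspended|locked)\b",
        r"\bact now\b", r"\bfinal notice\b",
    ],
    "curiosity": [
        r"\byou won'?t believe\b", r"\bsee who viewed\b",
        r"\bconfidential\b", r"\bsomeone (?:mentioned|tagged) you\b",
    ],
    "greed": [
        r"\bbonus\b", r"\bgift card\b", r"\bprize\b", r"\brefund\b",
        r"\byou(?:'ve| have) been selected\b", r"\bfree\b",
    ],
}

# Coaching text shown to the employee for each lure found (constructed).
EXPLANATIONS = {
    "urgency": "The message pushed you to act before you had time to think. "
               "A real request survives a short pause and a call-back.",
    "curiosity": "The message dangled something you wanted to see. "
                 "Ask who benefits from you clicking before you do.",
    "greed": "The message offered an unexpected reward. "
             "Unrequested money or gifts are a classic pretext.",
}

# Constructed sample emails used as inline test input.
SAMPLE_LURE = """Subject: URGENT: Payroll update required
Hi, HR needs you to confirm your bank details within 24 hours or your
account will be suspended. As a thank-you, you have been selected for a
$50 gift card. Click the link below immediately."""

SAMPLE_BENIGN = """Subject: Lunch menu for Thursday
The cafeteria will serve pasta and a salad bar from 12:00 to 14:00."""


def find_lures(text: str) -> dict:
    """Return {category: [matched phrases]} for every cue present in text.

    Categories with no matches are omitted, so an empty dict means no
    known lure was found.
    """
    hits = defaultdict(list)
    for category, patterns in LURE_CUES.items():
        for pattern in patterns:
            for match in re.finditer(pattern, text, flags=re.IGNORECASE):
                hits[category].append(match.group(0))
    return dict(hits)


def build_debrief(text: str) -> dict:
    """Build the post-simulation debrief for one email.

    The output explains which tactics the email used and what to look for
    next time; it deliberately carries no score or ranking of the person.
    """
    lures = find_lures(text)
    return {
        "lures": lures,
        "lure_count": sum(len(v) for v in lures.values()),
        "explanations": [EXPLANATIONS[c] for c in lures],
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        d = build_debrief(sample)
        print(f"{label}: {d['lure_count']} cue(s) -> {sorted(d['lures'])}")
        for line in d["explanations"]:
            print("  -", line)
```

Running the module prints the cues found in each constructed sample and the matching coaching lines; the point of returning a dict rather than a verdict is that the same output can be dropped into the "you fell for a good one, here is why" message without turning the simulation into a scoreboard.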
There’s no single solution to preventing phishing attacks, but new-school security awareness training can drastically improve your employees’ ability to resist these attacks.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-11-21.html