Using Phishing as a Learning Tool
If you work for an organization with an in-house IT department, there is a high chance you have been subject to a practice phishing email they devised which comes with remedial training should you fail to detect it. The reason for this is because attackers know that phishing works (see our most recent article on the MGM Breach), many have experience working in IT departments, and they understand their inner workings in general. On the other end of the spectrum, those charged with protecting the integrity of an organization’s information systems know that practice phishing paired with remedial training also works.
When attackers select a target (in this case assume any person within an organization), the target does not need specialized access to sensitive material to be a valuable one; the target can just be one of many in a chain of victims that successively build up to a larger score. The general idea, for both an attacker and an IT department, when constructing a practice phish is to either shock the target into compliance (with something akin to “suspicious activity detected on this account, click here to clear all of this up by entering your Microsoft credentials”), or rely on the victim being mentally checked out enough that they follow a link not thinking about what they just clicked on. There is a battle for the attention spans of anyone who has an organizational e-mail address.
Phishing Attack Precautions
With that being said, what are we – those with organizational e-mail addresses – to do about it? Should we be paranoid of everything that lands in our inbox? Yes, we should be. It is a misconception that attackers always “steal” access or “break-in” to a system. In an alarming number of cases, attackers are handed the keys and let in the front door. None of us want to be the person who hands a cyber-criminal access, so it is important to keep a few things in mind as you go about your workday.
The e-mail address may be real, recognized, and trusted, but that doesn’t mean it came from the person who owns the account.
- Are they asking for something they shouldn’t be?
- Does the writing style sound like them?
- Is there a warning banner showing an internal e-mail address is coming from an external source?
Microsoft and Google are the most impersonated brands by attackers and scammers.
- Is the e-mail address asking for account information?
- Does the e-mail address actually belong to the domain it claims to come from?
- Are they asking for something they should in theory already have?
Falling for a Phishing Attack
If someone accidentally falls for a phish and clicks and/or enters information, what then? Well, bad news doesn’t get better with time. Most IT departments have a user agreement that contains policies or procedures which instruct a user on immediate actions to take if they suspect they have been involved in malicious activity; it is crucial to follow these policies/procedures as soon as one suspects they have been phished. As stated earlier, no one wants to be the one who “fell for it,” so fear of consequences can sometimes prevent an employee from reporting incidents. It is important to remember, though, that an attacker will not protect the employee or the employee’s identity if it serves their purpose.
Some general advice to follow to mitigate damage if information has been given up or there is suspicion that malware has been downloaded is to alert the IT security department. Keep the appropriate contact information on a phone or alternative device and use that device to inform the IT security team of what transpired. Be transparent and honest about the experience because the details can make all the difference.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and provide you with recommendations to detect, respond to, mitigate, and recover from phishing and other cybersecurity events. We can answer any questions and help you determine if a SOC 2 or SOC for Cybersecurity report would be useful for your company. Be sure to visit our firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology pages, and don’t hesitate to contact our team regarding our services.
About the Author
Mike joined McKonly & Asbury in 2022 and is currently a Senior Consultant with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments.