We get sent a lot of phishing emails.
In fact, we have a whole Outlook inbox filled with them, after my colleagues dutifully report them to our IT team.
The more we get, the more I’ve thought, “Damn, someone put some thought into this.”
I mean, not a massive amount of thought in some instances. Some clunkers do still come through. I don’t see how cybercriminals could think an attached PDF simply labeled “INVOICE” could fool anyone.
Despite their malicious intent, the ingenuity of (most of) these emails should not go to waste. If you’re responsible for your organization’s security awareness program, real-life phishing emails can be a free and easy way to spread a little knowledge to your colleagues.
Before we dive into how this could work, a caveat: Get input (and maybe even permission) from your IT team before you begin playing around with live phishing attempts. At the very least, your IT people will likely have a separate inbox or holding area specifically for suspected phishy emails. Ask about getting access to this holding area (if one exists) and any other safety precautions that should be taken, such as viewing messages only as screenshots or in a sandbox and never opening attachments. Shameless plug: Our own Phishing Simulator comes with a Find-A-Phish plugin for Outlook that allows employees to report suspected phishing emails with the click of a button. Contact us to see it in action.
So, here are four tips for making the most out of the bad guys' attempts at breaking in.
Phish of the Month
As much as we hate to give cybercriminals any credit, they can be crafty. One phishing attempt that came in to our company was the talk of the water cooler for a good month or two. It started with the line, “I don’t know why you unethical f–kers think you can get away with this.”
Hell of an introduction, right? It went on to ask why the recipient had not paid an invoice attached to the email. Surprise, surprise: the “invoice” turned out to contain a ransomware payload, safely quarantined once our IT team got hold of the email.
Emails like this are perfect fodder to show just how ingenious the bad guys can be. Consider capturing the best example each month and sharing it on a department-wide or company-wide basis. If you use the popular messaging app Slack, for example, try creating an individual channel for phishing attempts seen in the wild. Screenshots only, obviously. Attaching actual phishing emails to the channel is just asking for trouble. Or go old school and print out the month’s best phishing attempt and pin it to a common message board in the office.
No matter the method, an important piece is to point out what about a given email makes it phishy. Loaded with typos? Sketchy-looking attachment? Weird-looking From address, or a Reply-To that points somewhere other than the sender? Any and all of these should be pointed out as signs to look for. If you need some pointers, check out our easy-to-share infographic for spotting some of the most common phishing tactics.
Phish on Display
Admit it. You don’t exactly look forward to those quarterly company meetings, do you? Reports on KPIs and new hires are interesting to a point, but most sets of eyes tend to migrate down to their phones before too long.
But what if your employees looked forward to each quarterly meeting because of your presentations on the latest phishing attempt? If you don’t have the bandwidth for a “Phish of the Month,” consider taking some time once a quarter to display a notable phishing attempt aimed at your company. Again, the point should be to call out what makes it a phishing attempt.
And don’t be afraid to have fun with it! Poke some fun at an attempt that was funny just because it was so obvious. Even the stupidest phishing emails coming through must still be tricking some people, or the bad guys wouldn’t be using them. The more noteworthy and memorable the lessons, the more likely your employees and colleagues are to remember them.
Have you heard of the term bug bounty? In the cybersecurity world, a bug bounty is money paid by an organization to a programmer or other computer expert for discovering and reporting a potentially serious system flaw. Google, for instance, calls its bug bounty initiative the “Vulnerability Reward Program” and paid $2.9 million in total bounties in 2017.
Bug bounties work because people love getting rewarded for stuff. It’s true of programmers getting paid tens of thousands of dollars for discovering critical defects, and it’s true of your employees and colleagues. So why not offer rewards for reporting suspicious-looking emails?
What we’re imagining is a simple rewards program. Figure out what kind of rewards your company is willing to offer. Awesome parking space? Some sort of gift card? Work with what you have here, even if you have to get a little creative.
After setting up the reward, the process would, ideally, be simple. If one of your colleagues or employees gets an email they think might be a phishing attempt, tell them to send it to a specific address, such as a dedicated mailbox monitored by your IT department. Ask them to forward it as an attachment (or use a report button) rather than forwarding inline, because an inline forward drops the original headers that IT needs to verify where the message really came from. (We’d recommend getting IT’s go-ahead before announcing this to your entire company. Believe us, your IT people get enough email as it is.)
Review the emails sent to this address at the end of the month to see who successfully reported the most phishing attempts. Count only reports that IT confirmed were actually phishing, and count each distinct message once per reporter; otherwise the prize goes to whoever forwards the most newsletters. Depending on how popular it becomes, you might consider doing a lottery among the top reporters. Another idea is a public leaderboard updated every month. If there’s anything (most) people love more than winning stuff, it’s being recognized for winning stuff. With something like this in place, you’ll have a workforce full of expert phishing reporters in no time.
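As an added example (our own illustration, not code from the original post or from any product), here is a small Python script that does both of the jobs described above: it flags the telltale signs in a reported message (a Reply-To that does not match the sender, a lookalike sender domain, a risky attachment type, pressure language in the subject or body) and then tallies confirmed reports per reporter for the leaderboard and lottery. The organization domain example.com, the reporter names, the indicator lists and the three sample messages are all constructed for illustration.

```python
"""Added example: flag phishy indicators in reported emails and build a reporter leaderboard.
The sample messages, reporter names and the example.com domain are constructed, not real."""
import email
import random
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: your own mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk", ".html"}
PRESSURE_PHRASES = ("immediately", "urgent", "account suspended", "unpaid invoice", "verify your")


def phishy_indicators(raw: str) -> list[str]:
    """Return the signs that make a raw RFC 5322 message look phishy (empty list = nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # A Reply-To pointing somewhere other than the sender is a classic sign the From is a costume.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Lookalike domain: carries our own name but is not our domain (example-billing.com vs example.com).
    if from_domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_domain:
        findings.append(f"lookalike sender domain {from_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    findings.extend(f"pressure language: {p!r}" for p in PRESSURE_PHRASES if p in text)
    return findings


def leaderboard(reports: list[tuple[str, str]]) -> list[tuple[str, int]]:
    """One point per distinct message per reporter, and only when the message shows at least
    one indicator, so nobody scores by forwarding newsletters or the same phish three times."""
    counts = Counter({reporter: 0 for reporter, _ in reports})
    seen = set()
    for reporter, raw in reports:
        msg_id = email.message_from_string(raw, policy=policy.default).get("Message-ID", raw)
        if (reporter, msg_id) in seen:
            continue
        seen.add((reporter, msg_id))
        if phishy_indicators(raw):
            counts[reporter] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def draw_winner(board: list[tuple[str, int]], top_n: int = 2, seed=None) -> str:
    """Lottery among the top reporters; ties at the cutoff are included, zero-point reporters are not."""
    cutoff = board[min(top_n, len(board)) - 1][1]
    pool = [name for name, score in board if score >= cutoff and score > 0]
    return random.Random(seed).choice(pool)


def _sample(from_, subject, body, msgid, reply_to=None, attachment=None) -> str:
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"] = from_
    m["To"] = "staff@" + ORG_DOMAIN
    m["Subject"] = subject
    m["Message-ID"] = msgid
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:  # harmless placeholder bytes standing in for the real payload
        m.add_attachment(b"not a real document", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed sample reports: (reporter, raw message as it arrived in the phish mailbox).
INVOICE_PHISH = _sample("Accounts Payable <ap@example-billing.com>", "Unpaid invoice - pay immediately",
                        "Why has the attached invoice not been paid?", "<a1@example-billing.com>",
                        reply_to="collect@mail-relay.invalid", attachment="invoice.docm")
HELPDESK_PHISH = _sample("IT Helpdesk <helpdesk@example-it-support.com>", "Action required: verify your password",
                         "Your account suspended until you confirm.", "<b2@example-it-support.com>")
NEWSLETTER = _sample("Vendor News <news@vendor.invalid>", "Monthly product update",
                     "Here is what is new this month.", "<c3@vendor.invalid>")
REPORTS = [("alice", INVOICE_PHISH), ("bob", INVOICE_PHISH), ("alice", INVOICE_PHISH),
           ("bob", NEWSLETTER), ("carol", NEWSLETTER), ("alice", HELPDESK_PHISH)]

if __name__ == "__main__":
    for label, raw in (("invoice", INVOICE_PHISH), ("helpdesk", HELPDESK_PHISH), ("newsletter", NEWSLETTER)):
        print(label, "->", phishy_indicators(raw) or "no indicators")
    board = leaderboard(REPORTS)
    print("leaderboard:", board)
    print("lottery winner among the top reporters:", draw_winner(board, seed=7))
```

The indicator list is deliberately simple header-and-keyword checks, the same things you would circle on a printed "Phish of the Month"; in practice IT still confirms each report by hand, and the script only keeps the tally honest by refusing points for duplicates and for messages that show nothing suspicious.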
The Fast and the Phishiest
While we’re on the subject of leaderboards, why not really get your employees’ and colleagues’ competitive spirits in gear?
Imagine a group of employees all in the same room with real suspicious-looking emails projected on the wall or a shared screen. Each team is given a set time to scrutinize the email in question to look for what exactly makes it phishy. The team that successfully identifies the most features in the shortest amount of time wins!
The public leaderboard possibilities here could even encourage some (hopefully friendly) competition between departments. Do your marketing people know more than your IT team about what makes a phishy email phishy? Which department will top them all? While it is the most logistics-heavy suggestion mentioned here, a live competition has the potential to bring the threat of phishing emails to the forefront of your organization in a unique and engaging way.
Phish is Only One Part of The Menu
As fun as we think these ideas would be to implement, we are not recommending that they take the place of a real awareness program. Each one of these elements would ideally fit into a larger awareness initiative with multiple touch points throughout the year.
Plus, despite the headlines phishing makes, malware-carrying emails are not the only cyberthreat out there. We hope, though, that the ideas presented here inspire you to let your creativity run wild when it comes to employee awareness.