by Paul Ducklin Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phi
Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…
…it’s not the crooks on the other end.
The crooks are testing you all the time, so you might as well test yourself and get one step ahead.
(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)
You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customisable templates of its own that we update regularly.
The idea is to to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.
History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment,
HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected.
HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.
Searching for the
Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”
Are business email users more likely to fall for sticks or carrots? For threats or free offers? For explicit instructions or helpful suggestions? For “you must” or “you might like”?
The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat.
Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.
Nothing on this list was truly urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.
The Top (or Bottom) Ten
- Rules of conduct. This purported to be a letter from HR outlining the company’s new Rules of Conduct. With global interest in increasing worksplace diversity and reducing harrassment, many companies are revising their employment guidelines. Most staff know that they’re supposed to read new guidelines, and that the HR team is obliged to chase them until they do, so clicking through here feels like a task you might as well get out of the way.
- Delayed year-end tax summary. This notified staff that their tax docmentation wouldn’t arrive when they expected. Whether your country calls it a W-2, a P60, an IRP 5 or a Payment Summary, it’s one of those “necessary evils” that staff know they need, so they might as well find out how long the delay will be.
- Scheduled server maintenance. We were surprised that this was #3, because we rather cynically assumed that most people would be inclined to ignore IT messages of this sort, on the grounds that they couldn’t do anything about them anyway. In retrospect, however, now that so many people are working from home, we suspect that people like to know when outages are likely so they can schedule their own lives around them.
- Task assigned to you. In this message, the Phish Threat user gets to pick a project schedulding system that their own company uses (e.g. JIRA, Asana), so that the email doesn’t stand out as obviously bogus. Although that makes this a semi-targeted phish, you should assume that the business tools used in your company are widely known and easy for crooks to figure out, perhaps even automatically.
- New email system test. Who doesn’t want to be helpful, if all it takes is one quick click?
- Vacation policy update. Thanks to coronavirus lockdown and quarantine, booking and taking vaction leave is a tricky issue these days. Many companies are adapting their vacation policies accordingly – and who wants to risk missing out on time off?
- Car lights on. In this message, the building manager was apparently being cheerily helpful by reporting a car with its lights turned on. In real life, you might be suspicious that they posted a picture instead of just typing in the vehicle tag – but it occurred to us that many states and provinces in North America don’t supply front plates any more, so a photo taken from the front of the vehicle probably wouldn’t show the tag (registration number) anyway.
- Courier service failed delivery. This is a tried and tested trick that crooks have used for years. It’s especially believable these days thanks to the surge in home deliveries due to coronavirus. In fact, you may be expecting a delivery yourself right now – and in most cases it’s the vendor who decides which courier company to use, so you might not know who is doing the drop.
- Secure document. This purported to be a “secured document” from the HR team, giving a plausible reason for making you take an unusual route to view it. This trick is widely used by phishing crooks as reason to convince you to enter passwords where you wouldn’t usually have to, or to adjust the security settings on your computer – ostensibly for the sake of improving security, but in reality to reduce it.
- Social Media Message. This one was a simulated LinkedIn notification promising that “You have unread messages from Joseph”. LinkedIn seems to be enjoying a surge in popularity right now, which is not surprising considering how many people have lost their jobs or had their working hours cut because of the coronvirus downturn. It’s tempting to click through, for fear of missing out, and scammers are happy to capitalise on that.
What to do?
- Think before you click. Even if the message looks innocent at first sight, are there any scam giveaways that are obvious if you take the time to check? Examples include: spelling mistakes you doubt the sender would make, terminology that isn’t how your company would say it, software tools your company doesn’t use, and behaviour such as altering security settings you have explicitly been warned not to change.
- Check with the sender if you aren’t sure. But never check by replying to the email to ask if it’s genuine – you will get the answer “Yes” either way, because a legitimate sender would tell the truth but a crook would lie. Use a corporate directory accessible via trustworthy means to find a way to get in touch with a colleague you think has been impersonated.
- Take a careful look at links before you click. Many phishing emails contain text and images that are error-free. But the crooks often have to rely on temporary cloud servers or hacked websites to host their phishing web pages, and the subterfuge often shows up in the domain name they want you to visit. Don’t be tricked because a server name looks “close enough” – crooks often register near-miss names such as
yourc0mpany(zero for the letter O) or
yourcompany-site, using misspellings, similar-looking characters or added text.
- Report suspicious emails to your security team. Get in the habit of doing this every time, even though it feels like a thankless task. Phishing crooks don’t send their emails just to one person at a time, so if you’re the first in the company to spot a new scam, an early warning will let your IT department warn everyone else who might have received it too.
By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?
It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.
After all, when it comes to cybersecurity, an injury to one really is is an injury to all.