Simulated phishing

Simulated phishing, or a phishing test, is the practice of an organization sending deceptive emails that resemble malicious ones to its own staff, in order to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training and is often followed up with further training. This is especially the case for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials.

Rationale

There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary. [1] Simulated phishing allows the direct measurement of staff compliance and, when run regularly, can measure progress in user behaviour. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such campaigns. [2] Phishing simulations are sometimes compared to fire drills in giving staff regular practice in correct behaviour. [3]

Ethics

Such campaigns need to be authorised at an appropriate level [4] and carried out professionally. [5] If such a technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.

However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance has been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in, [6] and others may allow staff the option to opt out. [7]

The standard advice is that "failing" staff should not be shamed in any way, but it is appropriate and reasonable to provide supportive follow-up training. [8] [9] [10]

Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These would include emails with content likely to cause distress to the recipient or the use of third-party trademarks, [5] [8] although it is also sometimes argued that this is covered by fair use. [11]

Methods

Such testing can be done in a number of ways.

Because organisations generally have multi-layered defences in place to block actual malicious phishing, simulations often require some whitelisting at email gateways, anti-virus software and web proxies so that the test emails reach user desktops and devices and their links and attachments can be acted upon.
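The whitelisting just described means the gateway will deliberately deliver mail its content filter would otherwise hold, so the exemption should be tied to something stronger than a header alone. The check below, an added example written for this article and not code from any product or project the page cites, lets a message bypass the filter verdict only when it comes from an allow-listed sending domain and carries an HMAC over the campaign id and Message-ID; the header names, the allow-listed domain and the shared secret are assumptions.

```python
"""Gateway-side check for authorised simulated-phishing mail (added example)."""
import email
import email.utils
import hashlib
import hmac
from email.message import Message
from typing import Optional

# Assumption: only this sending domain may deliver simulations.
ALLOWED_SIM_DOMAINS = {"sim.awareness.example"}
# Assumption: constructed secret shared by the simulation platform and the gateway.
SIM_SECRET = b"constructed-shared-secret-rotate-me"
SIM_HEADER = "X-Sim-Campaign"    # assumed header carrying the campaign id
SIG_HEADER = "X-Sim-Signature"   # assumed header carrying the HMAC


def sign_campaign(campaign_id: str, message_id: str) -> str:
    """HMAC-SHA256 over campaign id and Message-ID, so a header pair copied
    from one simulation does not validate on any other message."""
    data = f"{campaign_id}|{message_id}".encode()
    return hmac.new(SIM_SECRET, data, hashlib.sha256).hexdigest()


def sender_domain(msg: Message) -> str:
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def is_authorised_simulation(raw: bytes) -> bool:
    msg = email.message_from_bytes(raw)
    campaign = msg.get(SIM_HEADER)
    sig = msg.get(SIG_HEADER)
    msg_id = msg.get("Message-ID")
    if not (campaign and sig and msg_id):
        return False                      # no simulation markers at all
    if sender_domain(msg) not in ALLOWED_SIM_DOMAINS:
        return False                      # markers present but wrong origin
    return hmac.compare_digest(sign_campaign(campaign, msg_id), sig)


def gateway_decision(raw: bytes, filter_flagged: bool) -> str:
    """Return 'deliver' or 'quarantine'. The content filter's verdict is
    overridden only for an authorised simulation."""
    if is_authorised_simulation(raw):
        return "deliver"
    return "quarantine" if filter_flagged else "deliver"


def build_message(from_addr: str, message_id: str, campaign: Optional[str] = None,
                  sig: Optional[str] = None) -> bytes:
    """Constructed RFC 5322 test message; body and subject are placeholders."""
    lines = [f"From: IT Helpdesk <{from_addr}>", "To: staff@example.org",
             f"Message-ID: {message_id}", "Subject: Training simulation (constructed)"]
    if campaign:
        lines.append(f"{SIM_HEADER}: {campaign}")
    if sig:
        lines.append(f"{SIG_HEADER}: {sig}")
    lines += ["", "Constructed body of a simulation message."]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    mid = "<c1@sim.awareness.example>"
    good = build_message("it@sim.awareness.example", mid, "q3-constructed",
                         sign_campaign("q3-constructed", mid))
    print(gateway_decision(good, filter_flagged=True))
    print(gateway_decision(build_message("x@example.net", mid), filter_flagged=True))
```

Binding the signature to the Message-ID is what stops the two assumed headers from being lifted off one simulation and reused on an unrelated message; in a real deployment the same idea is usually carried by the platform's own authenticated delivery path plus SPF/DKIM alignment on the simulation domain.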

Frequency

Most advice is that testing should be done several times per year, to give staff practice in responding correctly and to give management feedback on progress in staff identifying and reporting potentially dangerous email.
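The Rationale section says simulations allow direct measurement of staff compliance and, run regularly, of progress over time, while the Ethics section says failing staff should not be singled out. The script below, an added example written for this article and not code from any simulation product, turns a constructed per-recipient result log into the aggregate rates management would see (failure rate and report rate per campaign, the change between campaigns, and a per-department breakdown that suppresses groups too small to hide an individual). The event format, the outcome labels and the minimum group size are assumptions.

```python
"""Aggregate simulated-phishing results without exposing individuals (added example)."""
from collections import defaultdict
from dataclasses import dataclass

FAIL = {"clicked", "submitted"}   # outcomes the article counts as a "fail"
MIN_GROUP = 5                     # assumption: smaller breakdowns are suppressed


def _rows(campaign, dept, counts):
    """Expand {outcome: n} into constructed per-recipient rows with synthetic ids."""
    rows, n = [], 0
    for outcome, k in counts.items():
        for _ in range(k):
            n += 1
            rows.append((campaign, dept, f"{dept}-{n:02d}", outcome))
    return rows


# Constructed log: (campaign, department, user_id, outcome); one row per recipient.
# "reported" means the recipient reported the mail without clicking.
EVENTS = (
    _rows("2024-Q1", "finance", {"clicked": 3, "submitted": 1, "reported": 1, "ignored": 1})
    + _rows("2024-Q1", "eng", {"clicked": 1, "reported": 2, "ignored": 1})
    + _rows("2024-Q2", "finance", {"clicked": 1, "reported": 3, "ignored": 2})
    + _rows("2024-Q2", "eng", {"submitted": 1, "reported": 2, "ignored": 1})
)


@dataclass
class Rates:
    recipients: int
    fail_rate: float     # share who clicked a link or submitted credentials
    report_rate: float   # share who reported the message


def rates(rows) -> Rates:
    n = len(rows)
    if n == 0:
        raise ValueError("no recipients")
    fails = sum(r[3] in FAIL for r in rows)
    reports = sum(r[3] == "reported" for r in rows)
    return Rates(n, fails / n, reports / n)


def by_campaign(events) -> dict:
    groups = defaultdict(list)
    for r in events:
        groups[r[0]].append(r)
    return {c: rates(rs) for c, rs in sorted(groups.items())}


def by_department(events, campaign, min_group=MIN_GROUP) -> dict:
    """Per-department rates for one campaign; groups below min_group are
    dropped so that a single person's outcome cannot be inferred."""
    groups = defaultdict(list)
    for r in events:
        if r[0] == campaign:
            groups[r[1]].append(r)
    return {d: rates(rs) for d, rs in sorted(groups.items()) if len(rs) >= min_group}


def trend(events) -> list:
    """Change in fail rate between consecutive campaigns (negative = improving)."""
    cs = by_campaign(events)
    names = list(cs)
    return [(a, b, round(cs[b].fail_rate - cs[a].fail_rate, 3))
            for a, b in zip(names, names[1:])]


if __name__ == "__main__":
    for name, r in by_campaign(EVENTS).items():
        print(name, r)
    print(by_department(EVENTS, "2024-Q1"))
    print(trend(EVENTS))
```

The user ids exist only inside the log and never appear in any return value; that, together with the minimum group size, is what keeps the reporting consistent with the "no shaming" advice while still giving the per-campaign trend the Frequency section asks for.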

References

  1. Jampen, Daniel; Gür, Gürkan; Sutter, Thomas; Tellenbach, Bernhard (2020-08-09). "Don't click: towards an effective anti-phishing training. A comparative literature review". Human-centric Computing and Information Sciences. 10 (1). doi:10.1186/s13673-020-00237-7. hdl:11475/20346. ISSN 2192-1962.
  2. "Designing Phishing Simulations" (PDF). Center for the Protection of National Infrastructure. Retrieved 12 September 2018.
  3. Fischbein, Jonathan. "Council Post: 2021 Cyber New Year's Resolutions". Forbes. Retrieved 2021-10-03.
  4. Kovacs, Eduard (23 August 2018). "Attack on DNC Part of Simulated Phishing Test". Security Week. Retrieved 12 September 2018.
  5. Cheng, Joey (18 March 2014). "Out-of-control Army phishing test results in new guidelines". DefenseSystems. Retrieved 12 September 2018.
  6. "Simulated Phishing". Berkeley Lab. Retrieved 12 September 2018.
  7. "Simulated Phishing Email Campaign". UC Santa Cruz. Retrieved 12 September 2018.
  8. Prendergast, Tom. "Is all fair in simulated phishing?". www.csoonline.com. Retrieved 9 September 2018.
  9. Meijdam, Katrien. "Phishing as a Service: Designing an ethical way of mimicking targeted phishing attacks to train employees" . Retrieved 10 September 2018.
  10. R, Kate. "The Trouble with Phishing". National Cyber Security Centre. GCHQ. Retrieved 12 September 2018.
  11. Calarco, Daniel. "Stop Phishing with Bad Fake Bait". EDUCAUSEreview. Retrieved 12 September 2018.
  12. Salla, Sebastian. "free phishing test campaigns". CanIPhish. Retrieved 10 October 2022.
  13. Korolov, Maria. "10 companies that can help you fight phishing". CSO Online. Retrieved 12 September 2018.
  14. e.g. GoPhish, King Phisher, The SocialEngineer Toolkit
  15. Pauli, Darren (4 February 2016). "Go phish your own staff: Dev builds open-source fool-testing tool". The Register. Retrieved 12 September 2018.
  16. "Phishing campaign simulators". Phishing Countermeasures. Retrieved 12 September 2018.
  17. Ghosh, Debraj. "GA of Attack Simulator For Office 365 Threat Intelligence". Microsoft Tech Community. Retrieved 12 September 2018.
  18. Lardinois, Frederic. "Microsoft launches a phishing attack simulator and other security tools". TechCrunch. Retrieved 12 September 2018.