Ethical Phishing Campaigns to Raise Security Awareness
Phishing scams are a major problem for businesses of all sizes, and estimates of their volume vary widely. For example, one article by Smallbiztrends.com states that “1 in 99 emails is a phishing attack.” Meanwhile, data cited by Digital Information World states that, in 2017 alone, Kaspersky Labs’ “software alerted users about possible phishing scams more than 246.23 million times.”
In today’s video, I sit down with Steve Goodman and Sean Jacobs to talk about the dangers of phishing, and a real-world example of an ethical phishing campaign that can help raise awareness.
Watch Us Discuss an Example of an Ethical Phishing Campaign
The Problem with Just Warning People
Steve starts off the video by talking about how “We’ve been telling people until we’re blue in the face: ‘Hey, you gotta watch out for these phishing scams.’ And, we even developed a course for people to go to and we’ve even made a short video for people.” Yet, despite frequent warnings and the availability of training resources, people still fall victim to phishing schemes.
In fact, as Steve says in the video, even if you managed to teach everyone in an organization about phishing scams, “15 percent [of them] would still click on a phishing email.”
Because simple warnings, and even specialized training sessions, are all too often forgotten or ignored, it’s important to drive home the dangers of phishing to everyone in an organization. So, instead of saying “phishing is bad” and calling it a day, the Protected Trust team decided to provide an example of just how insidious phishing can be. This way, people could see how they might fall victim to a phishing attack, and what they can do to counter such attempts.
How Does Phishing Work?
Phishing scams come in many forms, and they continue to evolve as attackers refine their tools and tactics. The laughably obvious “Nigerian Prince” advance-fee emails that once plagued AOL users are no longer the norm. Nowadays, phishers are much subtler and more insidious in their attacks.
The basic idea of a phishing attack is that the attacker is trying to trick the target into taking some kind of action. This can include downloading malicious software, visiting fake, malware-laden websites, surrendering user credentials (and/or other sensitive information), or approving fake invoices, among many other possible goals. Many phishing attacks are delivered via email, though they can also be delivered through text messages, social media, or by phone; virtually any communication channel can be a vector for a phishing attempt.
Some attackers send mass email messages to find the one person in an organization who is susceptible. Others gather a lot of information about an organization before they strike, using it to craft a highly targeted message (spear phishing) that is far more likely to fool someone. Worse yet, once an attacker has stolen a set of credentials, they can use them to carry out further attacks while posing as the victim, for example by sending convincing follow-up phishing from the compromised mailbox.
The Office 365 Quarantine Phishing Example
In the video, Sean Jacobs highlights a few examples of actual phishing attacks that he has encountered when working with some of Protected Trust’s clients—which he then turned into simulated phishing attempts. One of these examples is centered around a phishing attempt made to capture a target’s Microsoft Office 365 account credentials by leveraging a quarantine notification feature:
“There’s a feature in Office 365 that lets you send quarantine notifications to users. Whenever you have an email that is sent to you that gets quarantined, an administrator in your tenant can set things up so that you get quarantine notifications on a regular basis. That basically tells you what items have been sent to you that get [quarantined]. The first example here is a quarantine notification that didn’t come from Microsoft.”
Sean then walks through the example, with screenshots shown in the video that highlight each stage of the phishing email’s strategy. Basically, a fake quarantine message is sent to the target (Sean, in this case) telling him that an email from Ingram (me) was quarantined. The content of the fake notification mirrors the style of the legitimate one in an effort to appear real, even though its sender is not Microsoft.
Sean points out that although an email from me getting quarantined would be “kind of suspicious… Looking at that subject, New 2020 Pay Scale, I’m kind of interested in what that is. So, I might just click on that link.” This is what a lot of targeted phishing attacks do. They collect enough information about a company to compose a message that sounds like it could be legitimate, and then take advantage of the target’s curiosity to get them to click/respond/download/etc.
In this example, Sean created a simulated phishing site, running on a private server he set up, that looks like the legitimate Office 365 login page. However, there were a few differences. For example, the address bar didn’t show a Microsoft domain; it showed a bare IP address. (The real sign-in page lives on login.microsoftonline.com, not Microsoft.com, which is one reason people rarely know what the address bar should say.) In many real attacks the domain at the top reads very similarly to the real one but has two letters transposed, such as Microsotf.com instead of Microsoft.com. Also, the form asked for both email address and password at the same time, whereas the actual page asks only for the email address first, then sends you to a second page to enter your password. A password manager that refuses to autofill on the unfamiliar host is another tell worth teaching people to notice.
If that had been a real phishing attack and the victim had entered their credentials, the phishing page would have captured them. After capturing the login, the page might then have forwarded the user to the real Microsoft Office 365 login page to allay suspicion, leaving the victim thinking they had simply mistyped their password when asked to log in again. Unless multi-factor authentication is enforced, the attacker can log in with the captured credentials straight away.
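The two tells Sean describes, a quarantine notice that does not come from Microsoft’s sender and a login page on an IP address or a transposed-letter lookalike domain that asks for email and password together, can be turned into simple automated checks. The following Python is an added example, not code from the original post or from Protected Trust, and it generalizes the one transposition in the text: it uses an edit distance that counts a transposition as a single edit, so it also catches near-misses such as “rnicrosoft.com”. The legitimate sender address and sign-in hosts it compares against are assumptions you should verify against a genuine notification in your own tenant.

```python
"""Heuristic checks for the phishing tells described above.

Added example, not the original post's code. The LEGIT_* values are
assumptions about Microsoft 365; verify them against a real notification.
"""
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlparse

# ASSUMPTION: sender of genuine Microsoft 365 quarantine notifications.
LEGIT_SENDER = "quarantine@messaging.microsoft.com"
# ASSUMPTION: hosts on which a genuine Office 365 sign-in page lives.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Brand domains that lookalikes try to imitate (tuple for deterministic order).
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance, so a single
    transposition such as 'microsotf' vs 'microsoft' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; enough for the .com examples here.
    A real deployment would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_indicators(from_header: str) -> list[str]:
    """Flag a quarantine notice whose envelope address is not Microsoft's."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr != LEGIT_SENDER:
        return [f"quarantine notice from {addr!r}, expected {LEGIT_SENDER!r}"]
    return []


def url_indicators(url: str) -> list[str]:
    """Reasons a sign-in URL looks like a credential-harvesting page."""
    reasons = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        reasons.append("not https")
    try:
        ip_address(host)  # raises ValueError for ordinary hostnames
        reasons.append("host is a bare IP address")
        return reasons
    except ValueError:
        pass
    if host in LEGIT_LOGIN_HOSTS:
        return reasons
    dom = registrable_domain(host)
    for brand in BRAND_DOMAINS:
        if dom != brand and edit_distance(dom, brand) <= 2:
            reasons.append(f"lookalike domain {dom!r} resembles {brand!r}")
            return reasons
    reasons.append(f"{host!r} is not a known Microsoft sign-in host")
    return reasons


def form_indicators(fields: list[str]) -> list[str]:
    """The genuine flow asks for the username first and the password on a
    later page; one form collecting both at once is a tell."""
    f = {x.lower() for x in fields}
    if "password" in f and ({"email", "username", "upn"} & f):
        return ["single form collects username and password together"]
    return []


def assess(msg: dict) -> list[str]:
    """Combine all checks for one constructed message record."""
    return (sender_indicators(msg["from"]) + url_indicators(msg["url"])
            + form_indicators(msg["fields"]))


# Constructed sample records (not real messages): the simulated attack and a genuine notice.
SAMPLES = {
    "simulated_attack": {
        "from": '"Office 365 Quarantine" <quarantine@mail-notify.example>',
        "url": "http://203.0.113.7/office365/login",
        "fields": ["email", "password"],
    },
    "lookalike": {
        "from": '"Office 365 Quarantine" <quarantine@microsotf.com>',
        "url": "https://login.microsotf.com/common/oauth2",
        "fields": ["email", "password"],
    },
    "genuine": {
        "from": "Microsoft 365 <quarantine@messaging.microsoft.com>",
        "url": "https://login.microsoftonline.com/common/oauth2/authorize",
        "fields": ["email"],
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, assess(msg) or ["no indicators"])
```

Run as a script to see each constructed sample scored; the genuine record produces no indicators, the other two several. These heuristics are meant for awareness tooling and triage, not as a substitute for mail authentication (SPF, DKIM, DMARC) or for enforced multi-factor authentication.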
These phishing attacks are a real and constant danger for modern businesses. If you want to learn more about phishing from real-world examples, check out the video. Or, you can contact us with any questions you might have about how you can counter phishing attacks.