Going phishing?

Phishing emails continue to be one of the most common attack vectors used by cyber criminals, both in attacking individuals and organisations in general and in attacking schools, colleges and other educational organisations. In schools, where things are increasingly busy, it is important that staff and students have had appropriate training and other resources provided in order to build their awareness and, hopefully, make them better at identifying phishing emails. The challenge, though, is: how do we know whether our phishing awareness programme is actually working?

I was originally very reluctant to make use of phishing awareness tests, where a fake phishing email is sent out to assess how many staff would fall for a phishing email and how many staff might report receiving one. I felt at the time that it was a little unethical to try to entrap people who work for my school. I was also worried that people would feel it unfair and that it would add to workload at a time when everyone is already busy. It wasn’t until an IT conference event, where I got discussing the issue with someone working within the police force, that my view changed. The catalyst for this change was this question: would I rather identify how susceptible the school is to phishing emails, and how good individuals are at reporting malicious emails, through a real phishing email and the likely compromise of user accounts, or would I prefer to gain this information through a safe test, where I would be able to respond and do something about the findings? It didn’t take me long to realise I was better off testing awareness on my own terms rather than waiting for a cyber criminal.

Since this change of view I have set about running regular phishing awareness tests on small groups of users, refining the approach, the follow-up messaging and the training materials as a result of the findings. Tests might be targeted on certain areas or departments based on recent events, or based on trends we are seeing in the types of phishing emails being seen or reported. Follow-up training might focus on the users who were tested, or might take the data from a test and share it with all staff to highlight specific concerns or areas for improvement. In some cases individuals have felt unfairly treated or “entrapped”; however, they have generally been more understanding once my reasoning has been explained to them. The main aim is for the testing and the related awareness development programme to be dynamic in nature, constantly changing in response to the external context and to the internal awareness levels and habits identified from the test data.

Phishing awareness testing does not in itself improve cyber security or users’ phishing awareness; however, it can provide a snapshot of where we are at a particular moment in time and in relation to a specific style or type of phishing email. This, when used in combination with dynamic training materials, can be powerful in building up user awareness of phishing emails, of how to identify them and of what to do when things go wrong and you fall for a phish. Where phishing tests are conducted regularly, with the appropriate follow-up training, communication and awareness development, they can also help to develop a culture of cyber security, and this, ultimately, is what we really need to achieve.

Phishing de-evolved

Phishing emails change over time as cyber criminals seek to change their approaches to improve their success rates and achieve better outcomes. That means that the types of phishing email schools and their staff have to contend with have changed over time. I would therefore like to share some observations on the changes I have seen.

Let’s go back a few years, but not too many, so maybe 6 to 10 years. At this point I remember receiving phishing emails but finding them reasonably easy to recognise. The example below was an Apple-based phishing email.

The identifiers are reasonably clear: the spelling and grammatical errors, the lack of branding, and not least the email address. I note that it conveys a sense of urgency, an important tool in a cyber criminal’s arsenal; however, because it purports to come from a known organisation, it relies on being believable, which to most users I don’t believe it was. That’s not to say that some people wouldn’t fall for it, as we are all susceptible to errors or momentary lapses in concentration.

Fast forward a few years and the cyber criminals got much better at making their phishing emails believable, branding their emails appropriately and even copying the styles of common productivity suites and other commonly used tools. Below are just two examples:

Although these malicious emails were successful for a while, the issue here is that they have become common, and therefore users in general are more cautious around them. Again, some people will click on links, etc., but most now either ignore them or treat them with great care. Now, the common nature of these types of email may be part of the story as to why I don’t believe we fall for them quite as often; however, I also acknowledge that phishing awareness training materials have increasingly focused on these types of email, building up an awareness of the need for care. So where next for phishing?

More recently I believe I have seen an increase in very simple emails rather than the branded type. The simple emails are more akin to the emails from 10 years ago, although they are actually even simpler and more basic. Being simple and basic, they avoid grammar and spelling errors because they contain very little text. They also tend to be made to appear to come from known individuals such as colleagues, which removes the issue of branding. Additionally, because of their simplicity, they are different from the big, branded phishing emails, so they are less likely to set off users’ phishing “spider-senses”. Below is just one example:

Here the limited information allows users themselves to mentally fill in the blanks as to why this particular colleague might be contacting them and what this might relate to, and you would be surprised just how many of us can come up with a valid reason for a random colleague, friend or other acquaintance to reach out in this way. It goes right back to the psychology of urgency and also FOMO (fear of missing out), using this rather than technology to seek to entrap users, a technique that cyber criminals have tended to be good at. In the above case the telling indicators of a phishing email continue to be the email address itself, which means looking beyond the display name, and the unexpected nature of the email, which should also be seen as an alarm bell.
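As an added illustration, not part of the original post, here is a small check that "looks beyond the display name" in the way described above: it parses the From header, compares the display name against a staff directory, flags an address outside the organisation, and notes a very short body that uses urgency language. The staff directory, internal domain, urgency word list and sample message are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory, internal domain and urgency words (hypothetical).
STAFF_DIRECTORY = {"jane smith": "jsmith@school.example"}
INTERNAL_DOMAINS = {"school.example"}
URGENCY_WORDS = {"urgent", "urgently", "asap", "quickly", "now", "immediately"}

# Constructed sample of the "simple" phish described above: a colleague's
# display name, very little text, and an external address behind the name.
SAMPLE_PHISH = """\
From: "Jane Smith" <jane.smith.head@example-webmail.invalid>
To: staff@school.example
Subject: Are you free?

Are you available? I need you to do something for me quickly.
"""

def sender_findings(raw_message, directory=STAFF_DIRECTORY,
                    internal_domains=INTERNAL_DOMAINS):
    """Return warnings for the indicators discussed above; [] means none seen."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []
    # Indicator 1: the real address is outside the organisation.
    if domain and domain not in internal_domains:
        findings.append(f"external sender domain: {domain}")
    # Indicator 2: the display name is a known colleague, but the address
    # behind it is not the one held for them in the directory.
    expected = directory.get(display_name.strip().lower())
    if expected and expected.lower() != address:
        findings.append(f"display name '{display_name}' matches staff member "
                        f"{expected} but the address is {address}")
    # Indicator 3: a very short body using urgency language (the psychology
    # of urgency the post describes, rather than a technical tell).
    body = msg.get_payload() if not msg.is_multipart() else ""
    words = re.findall(r"[a-z']+", body.lower())
    if len(words) <= 40 and URGENCY_WORDS & set(words):
        findings.append("short message using urgency language")
    return findings
```

The third indicator is deliberately a blunt heuristic: a genuine internal message asking for a quick call will trip it, which is why the output is a list of prompts for a human to weigh rather than a verdict.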

For me, looking back, it would appear that phishing emails evolved from basic emails to more complex and convincing branded constructions. They are, however, now “de-evolving” back to simplicity, taking advantage of psychology and also of the ever busier worlds we live in, and in education, given the pandemic, I don’t believe things have ever been busier.

I also think it is important to acknowledge that the first sentence of this section, regarding cyber criminals “changing their approaches” and seeking to “achieve better outcomes”, would be at home in an email or document from a corporation or other organisation seeking to improve its success. Cyber criminals are behaving in an almost business-like manner, and given this we can only expect their approaches to continually change and adjust as technology, user awareness and user training develop. For the foreseeable future I suspect we will be continually engaged in a game of phishing “whack-a-mole”.

So, what do we do about this?

I continue to believe that user awareness is the key. The more users are aware and vigilant, the better. Additionally, users need to be clear on how to report concerns or incidents, and the culture needs to be such that users feel safe in reporting when they get it wrong. My view is that we are all likely to get it wrong at some point, if we haven’t already!

Cyber security and data protection awareness can’t be seen as a static programme, a set training package or a yearly training session. It is dynamic, ever changing and ongoing, in much the same way as the attacks are. We need to see it this way and seek to deal with it with a similarly dynamic and constantly evolving approach.