By Nathaniel C. Gravel, CISA, CISM, CRISC
The number one cause of cybersecurity breaches in the U.S. is human error. Statistics show that 70% of all cyber intrusions are caused by somebody clicking on the wrong link, downloading an infected attachment, or responding to an email that looked legitimate but was a deception. Collectively known as “phishing,” fraudulent emails have grown in scope and sophistication to the point where virtually anybody is prone to fall victim to their treachery.
A 2021 data breach investigation report prepared by Verizon described six types of phishing attacks:
- Deceptive phishing – A cybercriminal impersonates a recognized sender to steal personal data and login credentials, typically by asking the recipient to verify account information, change a password, or make a payment.
- Spear phishing – Aimed at a specific individual, this ploy uses personal information to convince victims to share their data. The information is collected by researching the user’s social media, online shopping records, or other available data.
- Whaling – This attempts to trick company officers (CEO, CFO, COO) into revealing sensitive information such as bank accounts or payroll data. Executives who are “too busy” to attend cybersecurity training are most vulnerable.
- Vishing – This is voice phishing, where a scammer presents themselves as a legitimate authority like the IRS or bank officer, working to create a sense of urgency or fear to convince a victim to share information.
- Smishing – This refers to “SMS phishing” via text messaging, and often appears to be from a legitimate source and includes a link offering a free prize or discount coupon.
- Pharming – A sophisticated method of phishing that installs malicious code onto the victim’s computer which sends them to a fraudulent website where their login credentials are harvested.
Any or all phishing methods may be used repeatedly to capture a moment of weakness or inattention when a potential victim can be tricked into clicking a link, downloading a file, or sharing private information. The best defense? Being informed and alert to any message that seems unusual, unexpected, or untrue. That level of vigilance takes practice, which is why simulated phishing is such an important component of your organization’s cybersecurity training.
What is simulated phishing?
Quite simply, simulated phishing is a planned, harmless phishing attack aimed at testing the alertness and awareness of employees and management team members. Everyone should already be receiving regular training and updates on the latest phishing methods, which are continually being updated and fine-tuned by cyber criminals. Simulated phishing shows you how well that training is working.
The simulated phishing process involves sending messages to random individuals, at random times, and tracking their response. Did they download the attached PDF? Send a reply message that included personal data? Click on a suspicious link? Or did their cyber training kick in, allowing them to recognize and report an attempted attack?
To be most effective, simulated phishing should be conducted by an outsourced third party who cannot be influenced to manipulate the results. The simulated phishing service provider both schedules the “attacks” and monitors responses, reporting back on their success rate and – a critical component – identifying individuals who failed to recognize a spoofed email or message.
The object of simulated phishing is not to punish individuals who were fooled into making an error in judgment. Instead, it is aimed at bolstering your cybersecurity defense by identifying weaknesses and correcting mistakes in situations without a negative outcome. It is also important to have third-party documentation of your simulated phishing program and its results as part of your organization’s “proof of effort” when it comes to cybersecurity.
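As an added illustration (not from the article or from any particular service provider), here is how a simulated-phishing program might summarize the tracked responses described above: per-campaign failure and report rates, plus the people who failed more than one campaign and should receive targeted retraining rather than punishment. The campaign records below are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample results from three simulated campaigns (not real data).
# Each record is (campaign, recipient, outcome); outcome is one of
# "reported", "ignored", "clicked", "downloaded", "replied".
RESULTS = [
    ("2024-Q1", "alice", "reported"),
    ("2024-Q1", "bob", "clicked"),
    ("2024-Q1", "carol", "ignored"),
    ("2024-Q1", "dave", "replied"),
    ("2024-Q2", "alice", "reported"),
    ("2024-Q2", "bob", "downloaded"),
    ("2024-Q2", "carol", "reported"),
    ("2024-Q2", "dave", "ignored"),
    ("2024-Q3", "alice", "ignored"),
    ("2024-Q3", "bob", "clicked"),
    ("2024-Q3", "carol", "reported"),
    ("2024-Q3", "dave", "clicked"),
]

# Outcomes that count as falling for the simulated message.
FAILURES = {"clicked", "downloaded", "replied"}


def campaign_metrics(results):
    """Per-campaign failure rate and report rate, as fractions of recipients."""
    by_campaign = defaultdict(Counter)
    for campaign, _, outcome in results:
        by_campaign[campaign][outcome] += 1
    metrics = {}
    for campaign, counts in sorted(by_campaign.items()):
        total = sum(counts.values())
        failed = sum(counts[o] for o in FAILURES)
        metrics[campaign] = {
            "recipients": total,
            "failure_rate": round(failed / total, 2),
            "report_rate": round(counts["reported"] / total, 2),
        }
    return metrics


def repeat_failures(results, threshold=2):
    """Recipients who failed at least `threshold` distinct campaigns (retraining list)."""
    failed_campaigns = defaultdict(set)
    for campaign, user, outcome in results:
        if outcome in FAILURES:
            failed_campaigns[user].add(campaign)
    return sorted(u for u, c in failed_campaigns.items() if len(c) >= threshold)


if __name__ == "__main__":
    for name, m in campaign_metrics(RESULTS).items():
        print(name, m)
    print("retraining:", repeat_failures(RESULTS))
```

Tracking the report rate alongside the failure rate shows whether training is producing active reporting, not just fewer clicks.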
I titled this article “How Simulated Phishing Can Save Your Business.” That is not an exaggeration: half of all small- and medium-size businesses that experience a cyberattack go out of business within six months. The best defense against the most likely threat vector is making sure your people are trained, aware, and vigilant against fraudulent emails, dangerous text messages, and scam phone calls. Letting your guard down just once could result in a costly data breach or system intrusion.
Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA. He can be reached at ngravel@gggllp.com.