I recently met with PhishMe, a company specialising in technology that helps organisations deal with spear phishing attacks by educating users through simulated spear phishing messages. Its executive vice president Jim Hansen said that spear phishing attacks are often "fast, cheap and easy and very efficient".
Compared with leaving an infected USB stick in the hope that someone finds it and plugs it into their computer, spear phishing requires more time, reconnaissance and methodology, Hansen said, but with people 'leaking' data via social networks it is easy for an attacker to pull this information together and then use it against us.
Hansen said: “There is nothing advanced about spear phishing. They spend money on it, they get data on people, as there is unknowing data everywhere, which makes it interesting. A Google search can help you learn a lot.”
The company PhishMe was launched four years ago from a consulting group and Hansen said that its 150-strong customer base means it has been used by more than three million people around the world. “It is scalable and simple,” he said.
“It is a Software-as-a-Service (SaaS) on boxes in the data centre and customers send the messages themselves to build their own tests and launch them. They modify it, personalise it and send it.”
The concept is that the IT team builds a message from a template, sends it to all users or to a selected group, and gauges how well users recognise a spear phishing attack by the failure rate.
He said that a typical failure rate is 58 per cent, but it can be as high as 80 per cent or as low as ten per cent. He said: “It is an exact scenario like the RSA attack, it is a natural human response even if it is a minor one, you can capture it through leaving points. They learn through the response and this can lead to a behavioural change.
“People need repetitive training, that is the key theme. Humans are familiar with typical behaviour but you have to keep training them, as if you don't you see the failure rate go back up.”
The statistics after a test show granular details on who failed and how long users spent looking at the test. Hansen said: “As a CISO, how can you tell how good your security awareness is? There is no one size fits all, we let the customer come up with the solution and we feel it is bad practice to run through this without the approval of the IT department.”
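The measurement the last few paragraphs describe (send a simulated message to a group, count who falls for it, see how long they looked at it, and watch the failure rate across repeated rounds) can be reproduced from a plain event log. The following is an added example written for this article, not PhishMe's code; the event format (campaign, user, event, ISO timestamp), the event names and the two rounds of data are constructed assumptions chosen to illustrate the calculation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log from two hypothetical simulation rounds (not real data).
# Each record: (campaign id, user id, event, ISO-8601 timestamp).
# "clicked" means the user followed the simulated lure; "reported" means they
# flagged it to IT; "sent" with nothing else means they did not interact.
EVENTS = [
    ("round1", "alice", "sent",     "2013-05-01T09:00:00"),
    ("round1", "alice", "opened",   "2013-05-01T09:04:10"),
    ("round1", "alice", "clicked",  "2013-05-01T09:04:35"),
    ("round1", "bob",   "sent",     "2013-05-01T09:00:00"),
    ("round1", "bob",   "opened",   "2013-05-01T09:30:00"),
    ("round1", "bob",   "reported", "2013-05-01T09:31:20"),
    ("round1", "carol", "sent",     "2013-05-01T09:00:00"),
    ("round1", "carol", "opened",   "2013-05-01T10:00:00"),
    ("round1", "carol", "clicked",  "2013-05-01T10:02:00"),
    ("round1", "dave",  "sent",     "2013-05-01T09:00:00"),
    ("round2", "alice", "sent",     "2013-08-01T09:00:00"),
    ("round2", "alice", "opened",   "2013-08-01T09:10:00"),
    ("round2", "alice", "clicked",  "2013-08-01T09:10:20"),
    ("round2", "bob",   "sent",     "2013-08-01T09:00:00"),
    ("round2", "bob",   "opened",   "2013-08-01T09:12:00"),
    ("round2", "bob",   "reported", "2013-08-01T09:12:40"),
    ("round2", "carol", "sent",     "2013-08-01T09:00:00"),
    ("round2", "carol", "opened",   "2013-08-01T11:00:00"),
    ("round2", "carol", "reported", "2013-08-01T11:03:00"),
    ("round2", "dave",  "sent",     "2013-08-01T09:00:00"),
    ("round2", "dave",  "opened",   "2013-08-01T14:00:00"),
]


def parse_ts(text):
    """Parse the ISO-8601 timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def summarise(events):
    """Aggregate raw events into per-campaign results.

    A user fails the test by clicking the simulated lure (even if they report
    it afterwards); a user who only reports it passes; a user who never
    interacts still counts in the denominator, because a sent message is a
    completed test. Seconds from first open to click approximate how long a
    failing user looked at the message before acting on it.
    """
    raw = defaultdict(lambda: {"sent": set(), "opened": {}, "clicked": {}, "reported": set()})
    for campaign, user, event, ts in events:
        c = raw[campaign]
        when = parse_ts(ts)
        if event == "sent":
            c["sent"].add(user)
        elif event == "opened":
            c["opened"].setdefault(user, when)   # keep the first open only
        elif event == "clicked":
            c["clicked"].setdefault(user, when)  # keep the first click only
        elif event == "reported":
            c["reported"].add(user)

    summary = {}
    for campaign, c in raw.items():
        failed = sorted(c["clicked"])
        seconds_to_click = {
            user: int((click_at - c["opened"][user]).total_seconds())
            for user, click_at in c["clicked"].items()
            if user in c["opened"]
        }
        rate = round(100.0 * len(failed) / len(c["sent"]), 1) if c["sent"] else 0.0
        summary[campaign] = {
            "sent": len(c["sent"]),
            "failed": failed,
            "reported": sorted(c["reported"]),
            "failure_rate": rate,
            "seconds_to_click": seconds_to_click,
        }
    return summary


def repeat_failers(summary, min_rounds=2):
    """Users who failed in at least min_rounds campaigns: the people who most need the repeated training Hansen describes."""
    counts = defaultdict(int)
    for result in summary.values():
        for user in result["failed"]:
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= min_rounds)


def failure_trend(summary):
    """Failure rate per campaign, in campaign-name order (rounds are named so they sort chronologically)."""
    return [(campaign, summary[campaign]["failure_rate"]) for campaign in sorted(summary)]


if __name__ == "__main__":
    results = summarise(EVENTS)
    for campaign, rate in failure_trend(results):
        print(campaign, f"{rate}% failed", "failed:", results[campaign]["failed"],
              "seconds to click:", results[campaign]["seconds_to_click"])
    print("repeat failers:", repeat_failers(results))
```

The point of the per-user history is the one in the quote above: the aggregate rate falling from one round to the next is encouraging, but the users who click in every round are the ones whose behaviour has not changed, and a programme that only reports the headline rate will miss them.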
With negative headlines caused by straightforward spear phishing, it pays to have staff trained to spot and delete a message that may be well tailored but is ultimately dangerous.