How to Catch a Phish: Where Employee Awareness Falls Short

Advanced phishing techniques and poor user behaviors that exacerbate the threat of successful attacks.

Teaching employees how to spot malicious emails is one of many steps toward keeping phishing attacks at bay. As attackers adopt more advanced techniques, it's imperative teams also learn how the behavior inside and outside their inboxes can put a business at risk.

For the fourth annual "Beyond the Phish" report, Proofpoint researchers pulled data from nearly 130 million responses submitted to its Security Education Platform between Jan. 1, 2018, and Feb. 28, 2019. It's tough to compare the newest 2019 results with previous years because this time employees were quizzed on a newly expanded range of more advanced cybersecurity topics.

Simulated phishing attacks are handy for evaluating a portion of users' weaknesses but don't fully reflect how well employees understand phishing. After all, you can't get a sense of someone's password hygiene, mobile device security, or confidential data security by seeing whether or not they fall for a fake phishing attack. Instead, they have to answer questions.

"We obviously do look at phishing but also take a broader look at the cybersecurity landscape and behaviors that influence cybersecurity posture," says Gretel Egan, security awareness and training strategist at Proofpoint. "Beyond email are behaviors and risk that influence cybersecurity for an organization."

This year, users answered 22% of questions incorrectly, on average, across 14 subjects – up from 19% in Proofpoint's 2018 analysis. Given the expansion of assessment programs and addition of tougher questions, Egan says the uptick isn't a surprise. The decline doesn't indicate a lack of awareness, she says; it's a sign some organizations are starting to challenge people.

"It points to the complexity of these topics and the nuances around phishing, around data protection, and around understanding some compliance directives related to cybersecurity," she explains. "It's bigger than one decision inside of an email."

Categories with the greatest percentage of wrong answers included "identifying phishing threats" (25%), "protecting data throughout its lifecycle" (25%), "compliance-related cybersecurity directives" (24%), and "protecting mobile devices and information" (24%). Those with the most correct answers? "avoiding ransomware attacks" (11%), "passwords and account authentication" (12%), and "unintentional and malicious insider threats" (13%).

Users struggled to answer questions about mobile device encryption, securing personally identifiable information (PII), technical safeguards in blocking social engineering attacks, distinguishing public from private data, and responding to a suspected physical security breach.

There was also good news, researchers found: Employees demonstrated mastery in questions on identifying potentially risky communication channels, physical security safeguards while traveling, recognizing ransomware and malicious pop-ups, and risks linked to Bluetooth pairing.

Egan describes how users' actions can unknowingly put their employers at risk and exacerbate the phishing threat. Some overshare information on social media, for example: A post saying "my boss is out of town this week" may seem benign but can be valuable intel for an attacker.

"We also see users struggling to understand how their actions on local devices can impact the security of corporate data and sometimes personal data," she continues. People have been educated on how to use devices from a functional standpoint but not a secure one. For example, letting family members use corporate devices and using the same device for personal and business matters are both common behaviors that can put sensitive information at risk.

Attackers Get Sophishticated
The need to educate employees on secure behavior grows stronger as cybercriminals adopt sophisticated phishing tactics, as researchers found in INKY's "2019 Special Phishing Report."

"The evolution of attackers' techniques is really quite striking," says Inky CEO Dave Baggett.

"In terms of trends we see, we're seeing a ton of brand forgery emails whose goal is credential harvesting," he continues. Attackers often disguise emails as coming from legitimate Microsoft or Amazon accounts, trying to get users to enter credentials on a fake login page. With usernames and passwords, they attempt logging into banking websites or webmail accounts.

Many people are still under the impression phishing is intrinsically complicated, he adds, and it often isn't. In terms of a brand forgery, for example, "it's incredibly easy," Baggett says. More advanced actors know how secure email gateways (SEGs) work and how to bypass them.

One of these subtle tactics is "hidden text," a specific way for attackers to sneak malicious code into an email, Baggett says. Most email is now designed using HTML, which is complex and difficult to properly interpret, making it tough for software to determine what users will see. This gives attackers new opportunities to slip malicious content through security systems.

SEGs often look for specific brand names or text that could indicate an email is brand spoofing. Cybercriminals can bypass this by inserting random small, white-text letters between the letters or phrases that are visible to users. Adding gibberish text, which is invisible to security systems and end users, will let phishing emails slip past SEGs and into unsuspecting users' inboxes.
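As an added illustration of the defender's side of this (not code from the article, INKY or Proofpoint), the following Python extracts only the text a reader would actually see before matching brand names, so interleaved white or zero-size letters no longer break the keyword check. It assumes the hiding is done with inline styles, and the sample email is constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a reader sees "Microsoft account alert", but white and
# zero-size letters are interleaved so the raw text holds no brand keyword.
SAMPLE_EMAIL = (
    "<html><body><p>Mi<span style='color:#ffffff;font-size:0'>xq</span>"
    "cro<span style='color:white'>zz</span>soft account alert: "
    "please <a href='https://example.invalid/login'>sign in</a> now.</p>"
    "<div style='display:none'>unrelated filler text</div></body></html>"
)
BRANDS = ("microsoft", "amazon")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed
# Inline-style rules that make text invisible to a human reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em)?(?![\d.])"
    r"|(?<![\w-])color\s*:\s*(?:white|#fff|#ffffff)(?!\w)", re.I)

class VisibleTextExtractor(HTMLParser):
    """Collect raw text and, separately, only the text a reader would see."""
    def __init__(self):
        super().__init__()
        self.raw, self.visible, self.hidden = [], [], []  # hidden: style stack
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        self.hidden.append(bool(HIDDEN_STYLE.search(style)))
    def handle_startendtag(self, tag, attrs):
        pass  # self-closing tags carry no text; leave the stack alone
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden:
            self.hidden.pop()
    def handle_data(self, data):
        self.raw.append(data)
        if not any(self.hidden):  # hidden if any ancestor hides it
            self.visible.append(data)

def extract(html):
    p = VisibleTextExtractor()
    p.feed(html)
    return "".join(p.raw), "".join(p.visible)

def scan(html):
    """Brand keywords found in raw text vs in the text a reader actually sees."""
    raw, visible = extract(html)
    norm = lambda t: re.sub(r"[^a-z]", "", t.lower())  # ignore spacing tricks
    return {k: [b for b in BRANDS if b in norm(t)]
            for k, t in (("raw_match", raw), ("visible_match", visible))}
```

A raw-text keyword filter finds no brand in the sample, while the visibility-aware pass does; in production the style check would also need to cover `<style>` blocks and near-white colours.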

Some attackers craft emails to appear more conversational and forgo attachments or links altogether in order to bypass SEGs. Security tools that rely on traditional spam filtering techniques will likely allow a casual message from an attacker impersonating a CEO or vendor.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

7/19/2019 | 7:46:19 AM
phishing simulation isn't enough
As much as I believed in phishing simulations, I have had a change of mind after years of seeing and doing phishing assessments myself - nothing changes, especially when only one user needs to fall victim to phishing. I'm more of the view that users need not worry about phishing - the person in HR is duty bound as her job to click links and open documents. It's infosec's job to sort out phishing on a technology level.