Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:45 PM
Connect Directly

How to Catch a Phish: Where Employee Awareness Falls Short

Advanced phishing techniques and poor user behaviors that exacerbate the threat of successful attacks.

Teaching employees how to spot malicious emails is one of many steps toward keeping phishing attacks at bay. As attackers adopt more advanced techniques, it's imperative teams also learn how the behavior inside and outside their inboxes can put a business at risk.

For the fourth annual "Beyond the Phish" report, Proofpoint researchers pulled data from nearly 130 million responses submitted to its Security Education Platform between Jan. 1, 2018, and Feb 28, 2019. It's tough to compare the newest 2019 results with previous years because this time employees were quizzed on a newly expanded range of more advanced cybersecurity topics.

Simulated phishing attacks are handy for evaluating a portion of users' weaknesses but don't fully reflect how well employees understand phishing. After all, you can't get a sense of someone's password hygiene, mobile device security, or confidential data security by seeing whether or not they fall for a fake phishing attack. Instead, they have to answer questions.

"We obviously do look at phishing but also take a broader look at the cybersecurity landscape and behaviors that influence cybersecurity posture," says Gretel Egan, security awareness and training strategist at Proofpoint. "Beyond email are behaviors and risk that influence cybersecurity for an organization."

This year, users answered 22% of questions incorrectly, on average, across 14 subjects – up from 19% in Proofpoint's 2018 analysis. Given the expansion of assessment programs and addition of tougher questions, Egan says the uptick isn't a surprise. The decline doesn't indicate a lack of awareness, she says; it's a sign some organizations are starting to challenge people.

"It points to the complexity of these topics and the nuances around phishing, around data protection, and around understanding some compliance directives related to cybersecurity," she explains. "It's bigger than one decision inside of an email."

Categories with the greatest percentage of wrong answers included "identifying phishing threats" (25%), "protecting data throughout its lifecycle" (25%), "compliance-related cybersecurity directives" (24%), and "protecting mobile devices and information" (24%). Those with the most correct answers? "avoiding ransomware attacks" (11%), "passwords and account authentication" (12%), and "unintentional and malicious insider threats" (13%).

Users struggled to answer questions about mobile device encryption, securing personally identifiable information (PII), technical safeguards in blocking social engineering attacks, distinguishing public from private data, and responding to a suspected physical security breach.

There was also good news, researchers found: Employees demonstrated mastery in questions on identifying potentially risky communication channels, physical security safeguards while traveling, recognizing ransomware and malicious pop-ups, and risks linked to Bluetooth pairing.

Egan describes how users' actions can unknowingly put their employers at risk and exacerbate the phishing threat. Some overshare information on social media, for example: A post saying "my boss is out of town this week" may seem benign but can be valuable intel for an attacker.

"We also see users struggling to understand how their actions on local devices can impact the security of corporate data and sometimes personal data," she continues. People have been educated on how to use devices from a functional standpoint but not a secure one. For example, letting family members use corporate devices and using the same device for personal and business matters are both common behaviors that can put sensitive information at risk.

Attackers Get Sophishticated
The need to educate employees on secure behavior grows stronger as cybercriminals adopt sophisticated phishing tactics, as researchers found in INKY's "2019 Special Phishing Report."

"The evolution of attackers' techniques is really quite striking," says Inky CEO Dave Baggett.

"In terms of trends we see, we're seeing a ton of brand forgery emails whose goal is credential harvesting," he continues. Attackers often disguise emails as coming from legitimate Microsoft or Amazon accounts, trying to get users to enter credentials on a fake login page. With usernames and passwords, they attempt logging into banking websites or webmail accounts.

Many people are still under the impression phishing is intrinsically complicated, he adds, and it often isn't. In terms of a brand forgery, for example, "it's incredibly easy," Baggett says. More advanced actors know how secure email gateways (SEGs) work and how to bypass them.

One of these subtle tactics is "hidden text," a specific way for attackers to sneak malicious code into an email, Baggett says. Most email is now designed using HTML, which is complex and difficult to properly interpret, making it tough for software to determine what users will see. This gives attackers new opportunities to slip malicious content through security systems.

SEGs often look for specific brand names or text that could indicate an email is brand spoofing. Cybercriminals can bypass this by inserting random small, white-text letters between the letters or phrases that are visible to users. Adding gibberish text, which is invisible to security systems and end users, will let phishing emails slip past SEGs and into unsuspecting users' inboxes.

Some attackers craft emails to appear more conversational and forego the use of attachments or links in order to bypass SEGs. Security tools with traditional spam filtering techniques will likely allow a casual message from an attacker pretending to impersonate a CEO or vendor.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/19/2019 | 7:46:19 AM
phishing simulation isn't enough
As much as I believed in phishing simulations, I have had a change of mind after years of seeing and doing phishing assesments myself - nothing changes especially when only one user needs to fall victim to phishing. I'm more of the view that users need not worry about phishing - the person in HR is duty bound as her job to click links and open documents. It's infosec's job to sort out phishing on a technology level.
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.