
How to Catch a Phish: Where Employee Awareness Falls Short

Advanced phishing techniques and poor user behaviors that exacerbate the threat of successful attacks.

Teaching employees how to spot malicious emails is one of many steps toward keeping phishing attacks at bay. As attackers adopt more advanced techniques, it's imperative teams also learn how the behavior inside and outside their inboxes can put a business at risk.

For the fourth annual "Beyond the Phish" report, Proofpoint researchers pulled data from nearly 130 million responses submitted to its Security Education Platform between Jan. 1, 2018, and Feb. 28, 2019. It's tough to compare the newest 2019 results with previous years because this time employees were quizzed on a newly expanded range of more advanced cybersecurity topics.

Simulated phishing attacks are handy for evaluating a portion of users' weaknesses but don't fully reflect how well employees understand phishing. After all, you can't get a sense of someone's password hygiene, mobile device security, or confidential data security by seeing whether or not they fall for a fake phishing attack. Instead, they have to answer questions.

"We obviously do look at phishing but also take a broader look at the cybersecurity landscape and behaviors that influence cybersecurity posture," says Gretel Egan, security awareness and training strategist at Proofpoint. "Beyond email are behaviors and risk that influence cybersecurity for an organization."

This year, users answered 22% of questions incorrectly, on average, across 14 subjects – up from 19% in Proofpoint's 2018 analysis. Given the expansion of assessment programs and addition of tougher questions, Egan says the uptick isn't a surprise. The decline doesn't indicate a lack of awareness, she says; it's a sign some organizations are starting to challenge people.

"It points to the complexity of these topics and the nuances around phishing, around data protection, and around understanding some compliance directives related to cybersecurity," she explains. "It's bigger than one decision inside of an email."

Categories with the greatest percentage of wrong answers included "identifying phishing threats" (25%), "protecting data throughout its lifecycle" (25%), "compliance-related cybersecurity directives" (24%), and "protecting mobile devices and information" (24%). Those with the most correct answers? "avoiding ransomware attacks" (11%), "passwords and account authentication" (12%), and "unintentional and malicious insider threats" (13%).

Users struggled to answer questions about mobile device encryption, securing personally identifiable information (PII), technical safeguards in blocking social engineering attacks, distinguishing public from private data, and responding to a suspected physical security breach.

There was also good news, researchers found: Employees demonstrated mastery in questions on identifying potentially risky communication channels, physical security safeguards while traveling, recognizing ransomware and malicious pop-ups, and risks linked to Bluetooth pairing.

Egan describes how users' actions can unknowingly put their employers at risk and exacerbate the phishing threat. Some overshare information on social media, for example: A post saying "my boss is out of town this week" may seem benign but can be valuable intel for an attacker.

"We also see users struggling to understand how their actions on local devices can impact the security of corporate data and sometimes personal data," she continues. People have been educated on how to use devices from a functional standpoint but not a secure one. For example, letting family members use corporate devices and using the same device for personal and business matters are both common behaviors that can put sensitive information at risk.

Attackers Get Sophishticated
The need to educate employees on secure behavior grows stronger as cybercriminals adopt sophisticated phishing tactics, as researchers found in INKY's "2019 Special Phishing Report."

"The evolution of attackers' techniques is really quite striking," says Inky CEO Dave Baggett.

"In terms of trends we see, we're seeing a ton of brand forgery emails whose goal is credential harvesting," he continues. Attackers often disguise emails as coming from legitimate Microsoft or Amazon accounts, trying to get users to enter credentials on a fake login page. With usernames and passwords, they attempt logging into banking websites or webmail accounts.

Many people are still under the impression phishing is intrinsically complicated, he adds, and it often isn't. In terms of a brand forgery, for example, "it's incredibly easy," Baggett says. More advanced actors know how secure email gateways (SEGs) work and how to bypass them.

One of these subtle tactics is "hidden text," a specific way for attackers to sneak malicious code into an email, Baggett says. Most email is now designed using HTML, which is complex and difficult to properly interpret, making it tough for software to determine what users will see. This gives attackers new opportunities to slip malicious content through security systems.

SEGs often look for specific brand names or text that could indicate an email is brand spoofing. Cybercriminals can bypass this by inserting random small, white-text letters between the letters or phrases that are visible to users. The gibberish is invisible to end users, and because it breaks up the strings security systems match on, the phishing email slips past SEGs and into unsuspecting users' inboxes.
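As an added illustration (not code from the article or from INKY), here is a small Python detector for the hidden-text padding described above: it walks the HTML, separates text styled to be invisible from text a reader would see, and checks brand names against the rendered text instead of the raw bytes. The style patterns, the brand list and the sample message are constructed assumptions.

```python
# Added example: recover the text a recipient would see from an HTML email and
# flag padding that is styled invisible (white, zero-size, display:none, ...).
from html.parser import HTMLParser
import re

# Inline-style patterns that hide text from a human reader (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*[01](px|pt)?\b"
    r"|(?<![\w-])color\s*:\s*(#fff(fff)?|white)\b|opacity\s*:\s*0(\.0+)?\b", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # never closed
BRANDS = ("Microsoft", "Amazon")                           # constructed list


class VisibleTextExtractor(HTMLParser):
    """Collects visible and hidden text separately, tracking nested hiding."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []    # one bool per open element: is this subtree hidden?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self._stack[-1] if self._stack else False
        self._stack.append(parent_hidden or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        hidden = self._stack[-1] if self._stack else False
        (self.hidden if hidden else self.visible).append(data)


def analyze_email_html(html):
    """Return rendered text, hidden padding, and brand names seen by the reader."""
    p = VisibleTextExtractor()
    p.feed(html)
    visible, hidden = "".join(p.visible), "".join(p.hidden)
    brands = [b for b in BRANDS if b.lower() in visible.lower()]
    return {"visible": visible, "hidden": hidden,
            "hidden_text_detected": bool(hidden.strip()), "brands": brands}


# Constructed sample: the brand name is split by white 1px and display:none letters,
# so a keyword scan of the raw HTML never sees "Microsoft" but the reader does.
SAMPLE = ('<p>Your Mi<span style="color:#ffffff;font-size:1px">qz</span>cro'
          '<span style="display:none">kx</span>soft account needs attention.</p>')

if __name__ == "__main__":
    print(analyze_email_html(SAMPLE))
```

A gateway rule that matches brand strings on the rendered text, and separately alerts on any non-trivial hidden text, closes the gap this tactic relies on.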

Some attackers craft emails to appear more conversational and forgo attachments or links entirely in order to bypass SEGs. Security tools that rely on traditional spam filtering techniques will likely allow a casual message from an attacker impersonating a CEO or vendor.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

7/19/2019 | 7:46:19 AM
phishing simulation isn't enough
As much as I believed in phishing simulations, I have had a change of mind after years of seeing and doing phishing assessments myself - nothing changes, especially when only one user needs to fall victim to phishing. I'm more of the view that users need not worry about phishing - the person in HR is duty bound as her job to click links and open documents. It's infosec's job to sort out phishing on a technology level.