In the past few years, we have seen phishing claim the scalps of major companies, including Google, Facebook, BBC, CNN, and even The White House.
Despite millions being spent on security products, this simple-to-execute attack vector reaps massive rewards. Appliances and self-hosted software are looking for network attacks, but the actual threat to most organisations is the front door (i.e. email phishing).
The repercussions of these attacks have been huge too – from seriously damaged credibility to literal drops in stock prices.
No easy fixes
Two-factor authentication, email encryption, spam filters and anti-virus solutions may have a place in corporate security, but they are fundamentally incapable of solving this problem. (A simple existence-proof of this would be the phishing attacks that compromised RSA and Google. Both are companies with a deep security capability, both employ highly technical staff, and both lost their crown jewels through phishing.) These days, even if you batten down the hatches on corporate resources, you still need to protect against phishing (since getting the iCloud or Dropbox credentials of your execs will probably yield some joy to attackers).
Build Phishing Antibodies
Dan Tentler, who handles security for Twitter, has given talks at a number of international conferences on how Twitter has built “phishing antibodies” using solutions like Phish5. His thesis is that, like some medical conditions where complete prevention is impossible, the solution becomes a controlled build-up of antibodies. He then outlines how they “vaccinate against phishing” in the same way that real-world vaccinations work, i.e. by artificially “making people sick for a while”. This analogy holds true, and the results from current clients show the positive benefits of this course of action.
Is someone out to get you?
Thanks to the mainstream press coverage of high profile phishing attacks, most people today are aware that phishing exists, but campaigns are still decisively successful. Why?
Because even though people know that phishing happens, most never believe that it will happen to them.
Repeated drills with Phish5, and follow-up education, make staff viscerally aware of how easily phishing mails can slip by, and breed a culture of awareness and reporting. This education is priceless when the real incident occurs. These repeated campaigns, and the solid metrics behind them, allow you to set up incentive campaigns that have also been shown to yield good results.
For organisations that already conduct anti-phishing training, either online or in classrooms, Phish5 gives you an opportunity to a) measure the effectiveness of your training and b) provide real-world examples and exercises that can easily be integrated with your current training regime. Phish5’s ability to identify at a glance users who have been successfully phished over multiple campaigns allows you to isolate and educate the staff who need the most help (without wasting time and resources boring staff who already “get it”).
We hold as little client information as is reasonably required to run the service. We collect email addresses of customer users, but do not collect passwords (even when submitted to the phishing pages).
Browser Security Checks
Watering hole attacks have hit the headlines recently. Victims are lured to sites that contain browser malware that then compromises and infects the victim (normally using known attacks against the victim's web browser).
With a simple tick box, your Phish5 campaign will also do browser security checks. This means that, with no extra effort, you will get a detailed report on which users are running out-of-date and vulnerable web browsers. From browser versions to vulnerable plugins, you will be able to quickly home in on what needs to be worked on first to protect your users best.
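The two reports described above, repeat victims across campaigns and out-of-date browsers seen on the landing page, can be derived from the click and submission log of a drill. The script below is an added example written for this page, not Phish5's code: the product's export format is not shown here, so the event records, the user-agent strings and the minimum-version baseline are all constructed for illustration. In keeping with the note that passwords are not collected, the log records only that a submission happened, never its contents.

```python
"""Post-campaign triage for a phishing drill (added example, not Phish5 code)."""
import re
from collections import defaultdict

# Constructed sample events: (campaign, user, action, user_agent), in time order.
# Only the fact that credentials were submitted is recorded, never the value.
_CHROME_OLD = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")
_FIREFOX_OLD = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
_EDGE_NEW = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.37")
_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/16.5 Safari/605.1.15")

EVENTS = [
    ("2023-q1", "alice@example.com", "clicked",   _CHROME_OLD),
    ("2023-q1", "alice@example.com", "submitted", _CHROME_OLD),
    ("2023-q1", "bob@example.com",   "clicked",   _FIREFOX_OLD),
    ("2023-q2", "alice@example.com", "submitted", _CHROME_OLD),
    ("2023-q2", "bob@example.com",   "submitted", _FIREFOX_OLD),
    ("2023-q2", "carol@example.com", "clicked",   _EDGE_NEW),
    ("2023-q2", "dave@example.com",  "reported",  _SAFARI),
]

# Hypothetical "minimum acceptable major version" baseline for the illustration;
# a real programme would take this from each vendor's current supported release.
MIN_MAJOR = {"Chrome": 110, "Firefox": 110, "Edge": 110}

_UA_PATTERNS = [
    # Order matters: Edge also carries a "Chrome/" token, so test Edge first.
    ("Edge", re.compile(r"\bEdg/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
]


def parse_browser(user_agent):
    """Return (family, major_version) or None when the family is not recognised."""
    for name, pattern in _UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return name, int(match.group(1))
    return None


def repeat_victims(events, min_campaigns=2):
    """Users who submitted credentials in at least `min_campaigns` distinct campaigns."""
    campaigns_by_user = defaultdict(set)
    for campaign, user, action, _ in events:
        if action == "submitted":
            campaigns_by_user[user].add(campaign)
    return sorted(u for u, c in campaigns_by_user.items() if len(c) >= min_campaigns)


def outdated_browsers(events, min_major=MIN_MAJOR):
    """Map user -> (family, major) for users whose latest seen browser is below baseline.

    The most recent event per user wins, so someone who upgraded between
    campaigns is not reported on stale data.
    """
    latest = {}
    for _, user, _, user_agent in events:
        parsed = parse_browser(user_agent)
        if parsed:
            latest[user] = parsed
    return {u: b for u, b in latest.items() if b[1] < min_major.get(b[0], 0)}


def priority_list(events):
    """Rank users for follow-up: 2 = repeat victim AND outdated browser, 1 = either."""
    repeats = set(repeat_victims(events))
    outdated = set(outdated_browsers(events))
    scores = {u: (u in repeats) + (u in outdated) for u in repeats | outdated}
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, score in priority_list(EVENTS):
        print(f"{score}  {user}")
```

Users who reported the mail (like dave above) never enter the priority list, which is the behaviour you want if the metrics are going to feed an incentive scheme.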
We have been at dozens of clients who have spent untold amounts of money on AV subscriptions and security software and services, and who have still been phished trivially. In the wake of such incidents, with the CFO's or CEO's emails exposed on the Internet, every single one of them would have paid mountains of gold to go back 2 days and run an internal campaign educating their C-suite.