
Phishing awareness is more than a trick


15 lessons about phishing

Maybe you have experienced it yourself: a test e-mail from your IT colleagues to check whether you are alert or click on everything indiscriminately. Organizations are keen to combat phishing, and rightly so, because phishing works. In this longread we take a closer look at phishing and awareness, and we also tell you how not to do it.

Insurers pay a lot of attention to phishing awareness, and not without reason: phishing threatens the cybersecurity of companies. Or, in other words, phishing works. That is why it is important to make people aware and to train them. But how do you go about it, and what are the pitfalls? In this longread we share the experiences of three members of the Covenant, with the intention of inspiring and helping others. Because 'security shared is security amplified'.

What is phishing?

Let's start at the beginning. Phishing is a familiar term, but what exactly is it, and what does it cost? The Digital Trust Center of the Ministry of Economic Affairs explains on a dedicated page that phishing is a form of internet fraud in which cybercriminals try to steal your personal data or passwords.

12.8 million

In 2020, the banks reported that phishing in the payment system had cost no less than 12.8 million euros that year. And that figure only covers private individuals who were scammed by fake bank employees.
The total cost to businesses has never been calculated, but we know from the press that the follow-up damage can be high and that large amounts are regularly paid for ransomware. In addition, companies suffer reputational damage, downtime, and investigation and repair costs.

Phishing does not directly lead to having to pay a ransom, but via phishing, systems are often infected with malware (malicious code); the ransom is then paid to render that malware harmless again.

Lesson 1

The basics must be right

All in all, phishing causes so much misery that awareness among employees is increasingly part of a broader cybersecurity approach. But everyone understands that there is little point in alerting staff to phishing if the basics are not in order.
The very first action is therefore to ensure proper password management. It almost goes without saying, but go and count the people whose password consists of the numbers one through ten. You will be shocked by how many there still are.

In addition, the company's e-mail settings must be in order. And don't just think of e-mail: SMS and WhatsApp are also channels for phishing.
Finally, it is useful to patch software in time (that is, to update it to an improved version). After all, you don't want to bother your staff with all kinds of messages if your own technical basis is not in order.

Lesson 1: your own technical basis must be in order.

SMS and WhatsApp are also channels for phishing!

Lesson 2

Start at the beginning

If the technical side is in order, you can get started. Where do you start? Simply at the beginning. When new employees are hired, you can immediately inform them about your cybersecurity approach. That is also the time to teach them the basics in a short training course, for example via e-learning at a time that suits the employee. It works even better if you involve the IT department, so that new people can be instructed in person. The message comes across more powerfully and can be better connected to the individual's own experience. You can even point out that cybersecurity awareness also comes in handy in private life: no one wants their identity or credit card details to be stolen.

Cybersecurity also works privately: no one wants their credit card to be stolen!

Lesson 3

Don't forget physical security

Cybersecurity alone, of course, is not enough. You can prevent a lot with good security, but if there is no access control at the office or the desks are covered with sensitive documents, things can still go wrong. Therefore, make sure that employees lock their screen before they leave the office (or their desk). It is also smart to clear the desks before leaving, so that USB sticks of unknown origin cannot simply be used. And, stating the obvious: don't just give strangers access to your building, and let employees address anyone who is unfamiliar or behaves strangely.

This is NOT how it should be!

You may think we're exaggerating, but these are two 'real' examples of how NOT to do it:

Lesson 4

The power of repetition

We kicked off this longread with the fake phishing e-mail: you get a message in your mailbox and all the IT helpdesk wants is to test you. Do you click on the wrong link, or do you neatly report to the helpdesk that you have received a suspicious e-mail?
The method is widely used, but what exactly should you pay attention to? One of the most important criteria is repetition. Although a one-off test is better than no test at all, the strength lies mainly in repetition. Of course you have to be careful not to send fake e-mails constantly, because then a certain fatigue sets in; above all, keep explaining why awareness is so important.
In addition, make sure that the explanation is not only given by the IT department, but also by (senior) management. Good awareness is a shared responsibility.

Keep explaining why that awareness is so important!

Lesson 5

Provide variety

Repetition can quickly become boring, so make sure there is some variation. For example, tie in with the year-end appraisal round to entice people to click, or use the name of a board or management member in spoofed e-mail addresses.
During the corona pandemic, phishing e-mails circulated that tricked people into clicking by suggesting that they might have been infected. The message 'your mailbox is almost full' is also a good way to encourage people to take action.

Need more creativity? During cybersecurity month, one insurer launched a competition among its staff. The assignment was: write the best phishing e-mail. Naturally, the winning e-mail (see the box for an example) is used in a subsequent campaign.

The real 'gain', however, lies in asking the staff to put themselves in the shoes of a hacker. That way, the message also gets across in a different way.

Reminder: Now set up your two-stage identification once to use SharePoint

Dear colleague,
In August 2022, in previous announcements, we asked you to set up two-stage identification verification for using SharePoint. We see that this has not yet happened. You can set up the verification easily and securely via our intranet page. In any case, do this before November 1, 2022. For information security reasons, an additional verification step must be set up.

Please note: this button can only be used by the recipient of the e-mail.

What happens if you don't set up two-stage authentication?
If your two-stage identification isn't set up, SharePoint for the intranet and for the business documents relevant to you may no longer be immediately accessible after November 1. This can have major consequences for the work you are currently doing, especially if the Service Desk is overloaded by these requests. Of course we want to prevent this. Thank you for your cooperation.

SharePoint team

'Your mailbox is full' always encourages action!

Lesson 6

Share the results

It is interesting and relevant to share the results. For example, you can boost motivation by letting people know which departments or groups are doing better than average.
However, if that information leaks out, it can also be useful to malicious parties. Therefore, share the information at a level of abstraction at which it cannot be misused.
You may be able to share more information with certain groups (board/management etc.), and individual feedback is always welcome: immediately tell people who clicked on a wrong link how they could have recognized the phishing e-mail.

Always report to people what they did wrong!

Lesson 7

Pick up the phone

Stating the obvious, but also pick up the phone. If a hacker really wants to get in, he not only sends generic phishing messages, but also tries to 'get in' via a telephone conversation.
You can of course also stage this, by having someone call a helpdesk or call center. Then you can test whether it is possible to get a password out of someone or to get them to click on a wrong link.

In this case, we no longer speak of phishing, but of social engineering.

A hacker doesn't just send generic phishing messages!

Lesson 8

Stay alert to psychology

While testing phishing, via e-mail or over the phone, is wise, it can also go wrong. If an employee can be made to click on the wrong link, they may develop feelings of guilt about it. Therefore, be aware of psychological effects and the experience of failure.

For example, testers once succeeded in extracting confidential data from a call center employee. After the conversation she was not immediately told that it was an exercise, because the test was still ongoing: the testers also wanted to know whether the employee would report the incident afterwards. Afterwards, the employee had the feeling that something had happened that was not quite right, but she did not immediately report it. She did discuss the incident with her partner in the evening, lay awake that night, and did not contact the IT department until the next day. It ended well for her, but be aware of these kinds of effects, and set up the process in such a way that the chance of this is minimal.

Pay attention to the psyche of the employees!

Lesson 9

Stay away from private email

An employer is of course not allowed to snoop in the private mail of employees. However, in the event of a successful fake hack, data may be extracted from an employee that could also be used to gain access to private mail. This can raise fears among staff that their private messages are not safe. It is therefore important to make crystal clear in advance that this is not allowed.

In addition, it is important that the board/management is behind the exercise. In case of doubt, it may be wise to ask the Works Council for approval.

Lesson 10

Measure the effects

If you measure the effects of a phishing campaign, you know where you stand and can build on that in a subsequent campaign. Departments that do 'badly', for example, can be given information more often. And employees who, despite repeated interventions, keep clicking on wrong links can be asked about the reasons for this.

There are departments within insurers where people have to process large numbers of e-mails every day. The workload can create a greater risk, and it may be a good idea to sit down with the relevant manager.

High work pressure can lead to a greater risk!

Lesson 11

Use a partner

The IT department of an insurer can easily carry out phishing campaigns itself, but they take a lot of time and attention. There are also parties that provide these services, and sometimes it can be more cost-effective to work with such a party than to burden your own IT department with this.

Let a company try to get admin rights on the server!

Lesson 12

Call in a red team

By now the message may be clear. Phishing awareness training is definitely useful, but a real hacker will use more resources to get in. To stage this, it may be good to ask a specialized service provider to carry out a 'red team' exercise. For example, let such a cybersecurity company try to get admin rights on your server.

For example, a Fox-IT employee impersonated an intern who was unable to upload his CV to the organization. After several attempts by the HR department to solve the problem, they acted outside all procedures. Then the hacker got in, and before long he did indeed have admin rights on a server. All in all, it only took two weeks.

The lesson the insurer could draw from this was that standard procedures are very important. As long as people stick to them, it's fine. But when in doubt, it is wiser to contact the IT department than to find a solution yourself outside the procedures.

Lesson 13

Don't rely on response alone

A hacker fights without gloves. By that we mean that however good you make your phishing e-mails, a hacker can always do better; after all, he does not have to follow the rules. Therefore, do not blindly trust a good response. It does not mean that you are safe (at most safer than before).
A company will never, as a test, draw up a phishing e-mail stating that director X is having an extramarital affair, or that the supervisory authority has made a decision about director Y. Such e-mails deliver a high click rate, but also damage the reputation of the company or staff members.
A hacker does not care about that, and he has more resources than the IT department.

A hacker fights without gloves!

Lesson 14

Reports rather than clicks

More important than a low percentage of wrong clicks is a high percentage of reports of suspicious e-mails. A low percentage of wrong clicks seems nice, but it doesn't say much; maybe the phishing e-mail simply wasn't good enough.

Therefore, do not stare blindly at figures and percentages. They are helpful in tweaking your approach, but do not guarantee real safety. In addition, it is more important to make sure people report suspicious e-mails and other situations quickly than just making sure they never click on a wrong link.
There is always someone who falls for it. And if someone has reported the wrong link, you can prevent or limit the consequences of that one wrong click. Therefore, encourage people to report suspicious situations and links.
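The two measurement rules above, Lesson 6 (share results only at a level of abstraction that cannot be misused) and Lesson 14 (judge a campaign by reports and how fast they arrive, not by clicks alone), as an added Python example that is not part of the original longread. Department names, the per-recipient sample data and the minimum group size of five are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    """One recipient's result in a simulated phishing campaign."""
    department: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int] = None  # None when nothing was reported


# Constructed sample data, not real campaign results; department names are assumed.
SAMPLE = [
    Outcome("Claims", True, False), Outcome("Claims", False, True, 4),
    Outcome("Claims", False, True, 9), Outcome("Claims", True, True, 30),
    Outcome("Claims", False, False), Outcome("Claims", False, True, 12),
    Outcome("IT", False, True, 2), Outcome("IT", False, False),
    Outcome("Legal", True, False),
]

MIN_GROUP_SIZE = 5  # assumed: groups smaller than this are merged into "Other"


def summarize(outcomes, min_group_size=MIN_GROUP_SIZE):
    """Aggregate per department, merging small groups so that no individual can
    be singled out (Lesson 6), and report the report rate and time to first
    report next to the click rate (Lesson 14)."""
    by_dept = defaultdict(list)
    for o in outcomes:
        by_dept[o.department].append(o)
    merged = defaultdict(list)
    for dept, rows in by_dept.items():
        merged[dept if len(rows) >= min_group_size else "Other"].extend(rows)
    summary = {}
    for dept, rows in merged.items():
        n = len(rows)
        report_times = [o.minutes_to_report for o in rows if o.reported]
        summary[dept] = {
            "recipients": n,
            "click_rate": round(sum(o.clicked for o in rows) / n, 2),
            "report_rate": round(len(report_times) / n, 2),
            # minutes until the first report: how soon the helpdesk could act
            "first_report_minutes": min(report_times) if report_times else None,
        }
    return summary


if __name__ == "__main__":
    for dept, stats in summarize(SAMPLE).items():
        print(dept, stats)
```

The merged "Other" bucket can itself still be smaller than the threshold; a stricter policy would suppress it as well rather than publish it.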

Lesson 15

Finally

The insurance industry is also working together to improve cyber resilience. We do this in various contexts, but an important one is the Insurance ISAC: the Information Sharing and Analysis Centre.
The ISAC has been active for years and is in talks with DNB, among others, about cyber controls.

The secretariat of the ISAC has recently been established at the Association. Do you see something that you think we can do better or differently as a sector? Please contact the secretary: j.schaffers@verzekeraars.nl.

All lessons in this longread come from a number of ISAC members. We sincerely hope that they encourage others to improve their security even further.
