With human factors involved in more than 80 percent of security breaches at organisations, security awareness training and phishing simulations have become vital measures. However, ticking these compliance checkboxes has merely kept security breaches at an unacceptable status quo.
Phishing has been around since 1995 when hackers started impersonating AOL staff on AOL Instant Messenger to trick people into giving out their passwords. It has been going strong ever since, moving to email, social media networks, gaming, and now corporate messaging apps such as Microsoft Teams.
New Phishing Techniques
Up until recently, two main forms of phishing existed: standard e-criminal ‘spray and pray’ attacks, which aim to get one in a million emails clicked on, and more targeted spear-phishing attacks, which use reconnaissance techniques to craft emails aimed directly at a single user with both psychological and personal lures.
These emails use product (a trusted brand), price (something free or a money giveaway), place (landing in one’s inbox and not the junk folder), and promotion (a reason to click, with a sense of urgency or authority that provokes the user into making a mistake).
New, smarter phishing powered by AI using Large Language Models such as WormGPT is now in effect. Mass phishing by e-criminals used to be easy to spot because of its bad spelling and grammar; AI-written lures remove that tell. It can also reply convincingly to users.
Anti-phishing solutions in turn become less effective. Phishing-as-a-Service (PaaS) is also being taken to new levels by platforms such as ‘Greatness’, which primarily attacks Microsoft 365 customers with advanced session cookie stealing capabilities and the ability to automatically mimic the target’s branded Microsoft 365 login pages.
Combatting the New Phishing
The desired outcomes of anti-phishing solutions should be understood:
- To encourage better security behaviours in your staff.
- To provide ongoing positive movement to help them improve over time.
- To be able to track this movement and adjust training to get the best outcomes.
- To stop users from clicking on things they should not.
UK-based cybersecurity company, OutThink, refers to this as Human Lateral Movement and uses the understanding of how these connections form as a critical aspect of its human risk management solutions. It targets security training where it is most needed, to bring down the risk scores of the highest-risk individuals within an organisation.
FUEL has partnered with OutThink to be able to offer its cutting-edge human risk management solutions to our clients. To find out more, please contact us at firstname.lastname@example.org