Phishing Defense: Let’s Get Personal

Uncategorized | Posted on August 28, 2018 by schap

We all know phish aren’t just sent to corporate email accounts, yet this is what we hear about most often in the news. The reason, at least in part, is that headlines highlighting millions of dollars lost or millions of accounts compromised make for better news than “Man Has Personal Savings Account Drained After Clicking Malicious Link.”

As a company with over 50% of the Fortune 100 as customers, Cofense™ focuses on threats to the enterprise. We do, however, take a unique approach by enabling users to act as human sensors, report suspicious emails, and help disrupt unfolding attacks. There is an individual, or personal, aspect to our programs.

It’s smart business to educate users on protecting their personal data. Consider the advantages: employees learn to safeguard themselves against consumer phishes; they apply those lessons when they receive similar emails at work; and with a personal interest in anti-phishing, they take it more seriously.

When Phishing Hits Home

While visiting clients in Texas this past March, I had the opportunity to connect with a friend and former co-worker who moved to the area some time ago. After years of renting, he was excited to become a first-time homeowner. During the closing process he received an email with a link containing wiring instructions for his mortgage down payment. You can probably guess where this is going: it was a phishing email. It was a reasonably well-crafted attack which used a URL one character off from the legitimate domain (typo-squatting, a common tactic used by malicious actors) and was sent at a time when such instructions were expected as part of the home buying process.

My friend is an artist, game designer, and very technically savvy, but this potential $20K mistake, while not the sort that makes headlines, could have cost him his first home. This example demonstrates that anyone is vulnerable to an attack, given the right combination of motivator, timing, and context.

When It’s Personal, It Matters

In Cofense PhishMe™ Managed Service, we are often asked by clients how they can get their users more engaged in the awareness and reporting process, and thus in the broader process of disrupting phishing attacks. It has long been observed in human psychology that many people don’t truly care about an issue until it affects them personally. How do you think my friend felt when he thought he might lose the home he’d spent months trying to find, not to mention a significant amount of savings? The global issue of phishing became a personal problem.

Cofense research indicates that employees are most susceptible to phishing emails that target them as consumers. Our 2017 Phishing Resiliency and Defense Report noted that the most effective phishing emails (in simulation training) aren’t really about business at all. Headers like “Free Coffee!” or “Office Party Pics!” are hard to resist because they’re fun and personal. Among Cofense customers, the susceptibility rate for these emails can range from 15-25%.

Thus, it’s imperative to remind your users that the skills they’re learning have applications both inside and outside the office, and could mean the difference between being a victim and keeping information safe.

This can help bridge the gap between the concept of users and consumers since in most cases they are truly one and the same. If you want your employees to take threats in the workplace seriously, it would be smart to remind them they face similar threats at home, and the same indicators which help them distinguish legitimate emails from phishing attempts apply regardless of where and when the message is received. If you do, the next time a user gets a phony e-card at work, he or she will be more likely to report it so your SOC can investigate and, if needed, take quick action.

If your employees are vigilant in the workplace, they’ll be more resilient in their personal lives. The opposite is true as well. Everybody wins.


Vigilance, Like Phishing Attacks, Needs to Be 24/7 

In our 2017 Phishing Resiliency and Defense Report, Cofense™ noted a curious trend. The most effective phishing emails (in simulation training) aren’t really about business at all. Headers like “Free Coffee!” or “Office Party Pics!” are hard to resist because they’re fun and personal. Among Cofense customers, the susceptibility rate for these emails can range from 15-25%.

Adding more personal scenarios to your awareness training helps. Your users become accustomed to reporting “friendlier” emails, which helps incident responders stop attacks in progress faster. Here’s another way to build resiliency: teach users to be vigilant at home as well as work.

This article was originally published here.
