My first experience with email was in 1987 whilst working for a major UK bank. I was part of a team implementing an ‘office automation’ suite of products called All-in-1, developed by the Digital Equipment Corporation (DEC). It included what they called electronic messaging and was accessed on a dumb terminal, connected to a network of DEC VAX minicomputers. It was very rudimentary, although at the time it was a real revelation! This was a closed system for a select group of people within a single organisation – not very good for wider communication, and being proprietary, you had to have a similar system to communicate. The major upside was that it was incredibly secure. Users knew how to send a secure email, and could work away safely in the knowledge that their messages would not be intercepted, that their identities were not being compromised and that there was no outside malefactor about to launch an attack. In fact, cyber-crime was not really a thing in the 80s!
Fast forward to today, and the landscape is very different. Email is no longer for the select few – it’s for everyone. Email has become the default method of written communication for almost everyone at work or at home. Recently, we’ve seen the trend of chat based, instant messaging apps that sit alongside traditional methods of communication.
This explosion of electronic messaging has presented a fantastic opportunity to the cybercrime community. You’re probably familiar with the terminology of cybercrime – for example, hacking, email phishing, spear phishing, ransom attacks, denial of service and so on. But did you know that 91% of successful data breaches start with spear phishing? That is to say, criminals don’t always rely on sending one generic phishing email to thousands of people; instead they target a small number of people in specific organisations. They do their background work of discovering who talks to whom on a regular basis – for example, the finance departments of suppliers and customers. This way, they can identify the names of the key people and craft a specific message – for example, to an invoice clerk, notifying them of a change of bank account details. The sender’s email address would be wrong, but only by a slight change, one that wouldn’t be noticed. To the clerk, it looks like a legitimate request and they unwittingly send thousands of pounds to the scammer. In fact, if the hackers are able to access the company’s email systems, they could even send a message from someone’s actual email address.
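As an added, defensive example that is not part of the original post: a small check that flags a sender domain which is only a character or two away from a domain the finance team already corresponds with, which is exactly the kind of "slight change" described above. The trusted-domain list and the sample From: headers are constructed placeholders.

```python
"""Flag sender domains that closely resemble a trusted partner's domain.

Added example, not from the original post. TRUSTED_DOMAINS and the sample
headers are constructed placeholders, not real organisations.
"""
from email.utils import parseaddr

# Constructed list of domains a finance team legitimately exchanges mail with.
TRUSTED_DOMAINS = {"acme-supplies.example", "northwind.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Jo <jo@x.example>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(header_value: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this sender imitates, or None.

    An exact match is treated as legitimate (None). A domain within
    max_edits of a trusted domain, but not equal to it, is a lookalike.
    """
    domain = sender_domain(header_value)
    if not domain or domain in trusted:
        return None
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_edits else None


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in ["Invoices <ap@acme-supplies.example>",
                "Invoices <ap@acme-suplies.example>",
                "Invoices <ap@acrne-supplies.example>",
                "Newsletter <news@unrelated.example>"]:
        print(hdr, "->", lookalike_of(hdr))
```

A mail gateway rule or a client-side add-in can use the same comparison to warn the recipient before they act on a payment-detail change.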
Most phishing emails can be caught and filtered using software such as Microsoft’s Advanced Threat Protection, or The Email Laundry. However, messages such as the example above wouldn’t necessarily be picked up. They look normal and don’t arouse any suspicions. So, you can see how people can easily fall for these attacks.
What we need is for people to learn to tell a genuine email from a suspicious one. The suspicious emails are getting very convincing. For example, I frequently get one from what appears to be Sony asking me to update my password. Although it looks like it has come from Sony, I know that they would never send a message like this, so I don’t click on the link. Unfortunately, many people do! This is the key point about end users being the last line of defence: all the sophisticated systems, while necessary, will not block every malicious attack.
So, what’s the answer? More information? Education? What’s the best way to prevent clicking on or replying to a bad email?
Whilst the sharing of information is always a good idea, it’s not the only answer. People are bombarded with information on a daily basis, and only a small proportion of it is actually absorbed. What information doesn’t do is change behaviour. What we need is for people, by default, to make smarter decisions. Training is needed to achieve this – for example, on how to send a secure email – but having everyone in the office for a one-off session will not be effective either. Behavioural change tends to happen when there is an ongoing program of easily digestible and relevant training. Compare it to going to the gym once and expecting an instant result. Regular and frequent exercise builds strength and ‘motor memory’ and changes your lifestyle, and it’s the same with how our brains assimilate information.
The second method of reinforcing behaviour is regular testing: tests that are random, unannounced and look like a real phishing email. This is an extremely effective way to measure a company’s ‘Phish Prone Percentage’.
Our partner KnowBe4, who produce this training and testing software, published a major report showing that 37.9% of users in SMEs failed the phishing tests and clicked on the links in the emails. Following a series of training and awareness sessions over 12 months, they showed an 87% improvement in results! Clear evidence that the methodology and content work. Since hackers are always devising new and more innovative ways to reach data and people, it’s essential that training and testing are an ongoing program.