[Podcast] The psychology of phishing
Phishing is one of the biggest security problems of today. It has become the go-to tactic for opportunistic cybercriminals, state-sponsored hackers and everyone in between. It is simple and effective, and perhaps that is exactly why it has become such a source of frustration for businesses. Kayleigh O’Donovan is part of the Phishd team at MWR Infosecurity, which was acquired by F-Secure in 2018, and she makes it her business to know the phishing industry inside and out. In episode 25 of Cyber Security Sauna she explains, among other things, how phishers play on emotion to get you to click, how you can recognize a phishing email, and how phishing simulation can help companies lower their click rates.
Listen here, or read on for the transcript. And don’t forget to subscribe and leave a review!
Janne: Welcome to the show, Kayleigh.
Kayleigh: Thanks, Janne.
So the point of phishing is to get people to give information, credentials or other sensitive information or get them to take an action, run a payload or something like that. Is that about right?
Yeah. I would say that it’s any fraudulent attempt to get something from somebody that you shouldn’t be getting. So whether that be payment, credentials, access. I think typically it used to always be around email, but now you have all subtypes of phishing. So vishing, smishing – voice phishing, SMS phishing – and also social media phishing as well.
That’s a thing?
Yeah. A big thing at the moment is if you put something on something like Twitter, Facebook, Instagram even, defaming a company or putting a controversial statement, somebody has to click that link from marketing or PR to do some investigative work to find out why that’s come about.
Mmm, so catching somebody at that organization because they have to click on that link.
Yeah, exactly. And also their defences are probably going to be down a little bit. Because they see something on Twitter saying something bad about their organization, security probably isn’t at the forefront of their mind. It’s finding out why has that person tweeted that.
But there’s also other people in organizations that are more at the forefront of phishing. For example in HR, people have to click on the resumes that they get, and sales people have to click on the request for proposal that they get.
Yes, definitely. And that would definitely be part of the reconnaissance that a sophisticated attacker would do, would be to try to find an example document such as maybe an invoice or a purchase order, or look for CVs that would look similar to something that an HR person would open to help them look more convincing in that type of attack.
You’re talking about fairly sophisticated attacks here, and I guess most of us when we think about phishing, we think about the 419 scams of days gone by. Is that still happening, or is it all this sophisticated stuff?
In terms of sophistication, emails are definitely getting more sophisticated, and will continue to develop. In terms of spam emails, I think they’ve increased in quantity. But it depends on the type of organization and the industry. Particularly the region. We find different regions have different levels of susceptibility to spam emails.
Okay, but enough people are still falling for those to make it worthwhile for the attackers.
Yes, definitely.
So some of the phishing we’re getting these days is more polished and more convincing than just the basic Nigerian letters. How would you spot that, then? The better ones.
I think the better ones, you need to really apply some scrutiny as to the intention of the sender. So you can look at things like, is this particularly urgent and why is it urgent? So if you all of a sudden receive an email saying “Please pay this immediately” when normally you have 30-day payment terms, that to me would be a red flag. Even if it appears to come from the same vendor or the same supplier you’re used to dealing with. If the urgency has ramped up, that could be an indication that it’s something suspicious.
Another point could be if it’s come from somebody more senior. If you’re used to dealing with a particular vendor, and then all of a sudden somebody very senior from that vendor gets in touch with you and asks for a payment to a different account, whilst it may seem like “Oh, this is business as usual, we usually pay these guys,” I think you just need to apply some scrutiny and maybe follow it up with a phone call just to be sure that that is the person that they say it is.
Sometimes you see legitimate letters from companies saying that “This is our new bank account now” and that information is on their actual invoice. And I’m looking at that, and I’m like, that is phishy as heck. So is there some onus on these companies to do better, and not appear as phishy as they’re currently doing?
I think so. I think that we need to find the balance really, between what’s practical as a business and what’s secure behaviour. And that can be quite a fine balance to have. In my experience when we’ve changed bank details and things like that, people do tend to double check to make sure that’s okay. So I think that there’s a dual responsibility on both parties to act with due diligence. So to inform somebody that bank details are going to change in the future, and potentially do that through two mediums. So maybe send an email, but also, you know we still have post. You could send a postal letter explaining to somebody. Follow up with a phone call. And then, I think it’s on the responsibility of the person actually paying that invoice to then confirm before any payments are sent that those are in fact the correct details.
Yeah, I know, I’m suspicious as heck. I just called my power company the other day about an email like this. I was like, “Is this you guys?” So what happens when you fall for one of these phishing emails? What is it that the attackers are trying to get you to do?
Generally it can be anything from, like we’ve talked about financial gain. So it could be something like changing a number in an invoice, like an account number, so that they can transfer funds directly off to themselves. It could be to get access to your email address book and then send out a convincing phishing email to the contacts that you have in your email address book. So that could be clients, that could be co-workers, that could be suppliers. That could reach all three of those different types of people just from your address book alone. There’s also the opportunity for them to move laterally from the point of attack to their target. Whether that could be to take intellectual property, financial gain, or just to disrupt services, phishing is usually the first point of entry.
Right. I guess with like more spammy phishing, we’re talking about credential harvesting or getting it to run some code on your machine, and that’s also happening on the more sophisticated ones, but also they’re trying to get you to take direct action, like do something outside the computer realm, like process a payment or whatever you do in your daily work.
Yeah, definitely. It could be sending over information. Some interesting ones that I’ve seen before are again, there’s address book compromises where perhaps particularly if you work in an agency like marketing, where you might have a lot of different companies in your address book, if somebody can get access to your mailbox and then send out all of those people a phishing email, you then have sort of a waterfall effect where you’ve opened up one account, and then you’ve moved across lots of different emails.
Okay, so one of the goals for the attacker is maybe to use you as a vector for further attacks.
Definitely. And supply chain attacks are very real, and very current right now.
That’s an interesting point, the supply chain attacks. I guess no company would want to become an attack vector against their suppliers or customers or stakeholders like that. So what could you do to make sure that doesn’t happen?
Of course. Well, that comes down to two points really. Well, three. Obviously there’s the technical side of it and having all the right technical controls in place, and following the predict, prevent, detect, respond framework that we always recommend. Then secondly, there’s the security awareness and security culture piece. And that’s making security part of the fabric of how you work, encouraging people to question, and giving them the confidence and the tools to do so. And thirdly, I think it is again having those processes in place, to ask that question and spot what’s out of the ordinary.
A lot of people seem to think that they’re wise to phishing emails and can catch them. Is that really the case, is that what we’re finding?
I think people are definitely more aware of phishing emails. We know that we’re vulnerable to them, we know that they’re a massive threat, and we know that we should be careful what we click on. But to say that anyone is immune from a phishing email, I think would be incorrect. With the right amount of time, anybody can be phished. You could send out three or four emails building up to the right sophisticated phishing email. But obviously that’s in those more sophisticated attacks. In terms of those more spammy emails and those less sophisticated attacks, people are also susceptible to them as well. Because unless we’re 100% focused all of the time, you know, there is opportunity for error. I know.
We phish ourselves internally, and I’ve been caught before in one of our simulated attacks. And I think that I’m quite aware of phishing emails – that’s what I live and I breathe every day. So I don’t think that anybody really is immune to them. I think it would be naive to think that you couldn’t be phished.
Right. No, I know I’ve fallen victim to one of our own phishes as well. And it was one of those moments where at the moment that I clicked on the link, I was like, “Oh man, I shouldn’t have done that.” Because I was catching myself feeling all those emotions that the attackers are trying to get. I was feeling a sense of urgency, I was feeling like I’m missing out on an opportunity. So all those things that are red flags, I was feeling them. But I still clicked on that link, because it was just a bad moment for me.
Yeah, definitely. When I clicked, I saw something that said there was something wrong with something. I instantly panicked and started clicking it to open it, and realized it’s not opening. So I continued to click the button. And I phoned my colleague, who the email had originated from, and started leaving a voice mail, and it started with, “Hey, I’m clicking this link – Oh, I’ve been phished!” (Laughing) I put down the phone. And it’s really embarrassing when you work in the phishing department of your company and they say “Kayleigh O’Donovan clicked 15 times.” (Laughing) But it was that initial fear that something had gone wrong. And it’s very emotive. And I didn’t think. I just didn’t think.
And people say, “Oh, phishing emails only go through to stupid people.” And I just don’t believe that at all. I think that when you’re in that sort of emotional crisis, or you think that you’re getting something or you’re not getting something, sometimes common sense goes out of the window and you act with emotion.
Oh, absolutely. It’s about finding the buttons to push on you as a person and getting you at that weak moment when you’re not thinking clear, and you’re maybe in a hurry or something, and that’s the one that gets by then.
Definitely. We’ve done some research around people who click phishing emails around lunchtime. And we found when people are hungry or they’ve just eaten, they’re more susceptible to phishing emails. I think that’s because people are thinking about going for lunch, or when they come back from lunch maybe their attention isn’t really –
Food coma.
Yeah, exactly, food coma. It’s a real thing. Their attention isn’t really where it should be. And attackers even when they’re not using sophisticated methods, it’s almost like market research, finding out when are people most likely to click. It’s not exactly something that requires a lot of resource to do that.
Yeah, I mean, phishing is a volume business, so the attackers can do like A/B testing to see what works, and what times work and so forth.
Oh, definitely. I mean, this is my opinion and I wouldn’t say it’s fact, but I would expect that any research that we can do around what people are clicking and what they’re not, the other side are doing it too.
Right. So how different is phishing between different industries or verticals? Is there something that one industry faces that another might not?
I think that the major phishing attempts are things like Dropbox, go on Microsoft Online, enter credentials. They’re quite similar across organizations. But I think that the susceptibility to different emails changes across industry. So you mentioned earlier about HR getting a lot of external documents. I think that companies who work with a lot of different external providers or contractors will generally be more susceptible to malicious attachments. So for example, if you’re a PR company working with lots of freelance contractors, you might get a disproportionate amount of emails with attachments. And that would make you more susceptible to opening an attachment that perhaps you shouldn’t have.
But is that about what will work against you, or do the attackers know that as well, and you’re more likely to be targeted by that sort of phishing email?
Yes, that’s a really good point. It is what you’re more susceptible to. But I think that attackers will work that out quite quickly. We also find things like anything with something for free, you find people will always click on. So even when we work with large financial organizations with high earners, law firms, you know, really well-paid individuals, and you offer them a free can of Coke, and they will always click. There’ll always be a high percentage of click rates on things like that.
So yes, there are subtle nuances between industries, and obviously we tailor all of our work toward that when we work in Phishd. But there are some things that just are universally working.
I guess you don’t get rich by passing up free cans of Coke. What about the consistency of phishing? Are we seeing like amounts of phishing across different industries and verticals, or are there some industries that get hit more?
Financial services and legal services.
Why legal?
Mergers and acquisitions and intellectual property.
Tons of money.
Yeah. You know, corporate espionage is a real thing. People want to find out what companies are buying what, and what price it’s going for. That information is obviously very valuable to certain individuals and certain groups.
Most companies probably are making a profit, so all those companies are handling some amount of money, so are they getting hit as well? I’m thinking about the departments that handle those monies.
Yeah, definitely, departments that handle money. So finance departments are always key to be hit. Information also, so people’s names, addresses, email addresses, anything like that. That’s really valuable at the moment. I mean, in the UK we see lots of public sector organizations being hit, and as we know, public sector isn’t exactly a money hole to be farming from. But the information that people can glean from that is worth millions.
Speaking of information and people who have it, you would think that network administrators or people like that would be a juicy target because they have the keys to the kingdom. But are attackers sort of wary of approaching people like that because they think they might be more savvy?
I think that when it comes to technical people, they’re just as susceptible to phishing emails as regular people. We automatically assume that because somebody’s technical that they’re going to be less susceptible to phishing emails. But phishing emails in themselves are a form of social engineering. It’s more psychological than technical.
One of the things that we’ve done previously is we’ve done reconnaissance against people and found out from LinkedIn what their job titles are, what they’re responsible for, so when they have things like “I’m responsible for XYZ networks. By the way, I also love doing charity bike rides.” That’s really good for us. Because we can then think, “Okay, I’m going to create a scenario around a charity bike ride, in Birmingham where this person is from, and send it through to them.” And they open it up. And they’re not expecting it to be anything malicious, it’s an interest of theirs, it’s in the region where they live, and they’re not thinking about how all of this information is publicly available.
Right, yeah. What are some of the things that we share about ourselves online that makes it easier for somebody to phish us?
We give up all kinds of information online. Most people now have, things like Facebook may be private, but things like Twitter, we use to communicate to the world, right? So we’re not hiding our information on that. Things like Instagram show your location. I mean, you might not even have location services turned on, but you could be tagged in something that one of perhaps your friends or your family has tagged you in a particular location, which might show that you have an interest in for example bowling. Which would make it really easy for us to send you a coupon for bowling.
A particular one is LinkedIn. I mean, there’s no security risk for being on LinkedIn and having your job title on there and talking about what you do, but if you go into too much depth about what your roles and responsibilities are, it’s very easy to emulate you and perhaps tell other members of staff, “I’m responsible for this, please send this money across to me,” or “Please send this data over to me.” And it’s also easy to see what you have access to. Particularly if you’re technical, and you say “I have access to XYZ systems,” great. You’ve now got a big target on your back.
The amount of information that we can find out online in just a couple of hours about people is incredible. If you look at, you know, online dating, you can even reverse image search people’s profile pictures now. And start going onto their social media profiles. And if you can’t access their social media profiles, you can access their friends and their family and build a whole picture of what this person is like. It would be very easy to almost reinvent yourself as this person, or use that as an approach to trick that person and appeal to those things we talked about earlier, around urgency, authority or scarcity, et cetera.
Yeah, and I know attackers sometimes use privileged information to sort of get under your radar. So I might get an email from somebody saying “Hey, I don’t know if you remember me from school, but we went to the same classes,” and then I’m like, “Okay, yeah, I guess maybe I remember this person a little bit,” but I should stop and just realize that this is public information. Anybody can find out where I went to school.
Yeah, 100%. You can easily find out what people’s, I guess, hot buttons are. What’s going to get a reaction out of somebody. We as a society like to formulate our cultures in little groups of people. If you support the same, I’m going to say hockey team here, because I feel like rugby team might not be so relevant. (Laughing)
Not in Finland.
If you support the same hockey team, you’ll automatically have some sort of unity with somebody. And that already may lower your defences and make you more susceptible to talking to that person and giving away key information. And on the face of it, that’s probably not a bad thing. You know, we need to interact with other people, that’s what we thrive off and that’s how we’ve built society. But we just need to be, I guess vigilant to does something here not feel right? And really just look past at what the intention of these communications are.
Yeah. So if I wanted to craft a phishing email that someone would be sure to fall for, like you mentioned a couple red flags already, what would be my checklist of things to do to make sure that it’s as convincing, as effective as possible?
Okay, so there’s three main areas that we would look at when we build it. It’s a really interesting concept, and I think one day it would be really cool if we could actually get this up and going as a build-a-phish, so that people can actually see how we do this.
With our customers.
Yeah, I think that would be cool. We can look at scare tactics, we can look at gain tactics, and we can look at believability. So when we go into scare tactics, we’re looking at urgency or authority, or a combination of the two. So urgency may be something like – it could be something good, like “You’ve worked here for three years. You get one day extra annual leave this year. But you have to let us know by the end of the week. Log into this portal.” So that’s positive urgency. It could be authority. It could be “Send me over this money now. I’m a very senior person within this organization.”
Right. I don’t want to keep them waiting.
Exactly. It could be gain tactics. There’s things like scarcity. So, we have a limited amount of X. Register here for yours. So that’s where things like the free can of Coke come in. Click this link for your free can of Coke, only 50 available. All of a sudden, even if you didn’t want a can of Coke, there’s only 50 available, right?
Let me grab one of those.
Everybody wants what they can’t have. Then there’s believability. So, is it similar to something that you’ve already seen? Does it have the same branding on it? Does it follow the same format? One of the things that’s really interesting is, if somebody has already had access to another employee’s inbox, they might even be able to emulate the language used. You know, like the way people speak. They might say “Hey dude,” or you know, the way they sign off. Someone might be able to actually emulate that.
So I think those are really the key factors that go into creating a phish. And you could sort of look at it from two perspectives. Did you want to go down the more spammy route and create something that people are just going to click on without thinking? Or do you want to go down a more sophisticated route, where you really want to engage that system two thinking of somebody working: “Actually, these are the actions I need to do to make sure that I don’t get into trouble.”
Hmm. So those are some of the things I should be looking out for as an email user, if I’m feeling that sense of urgency, if I’m feeling that this is something I need to react to right now, if I’m feeling that it’s coming from a place of power, or I’m being offered something free and fun.
Yeah, yeah. Anything that just feels a little bit like there’s being pressure put on you. You know, sometimes you watch a TV commercial and you feel, “I’m really being sold to here,” or you see a really poignant piece of marketing. I think that you just need to put yourself in that position where you’re actually going to scrutinize, what is the intention of this? And does that intention check out?
I’m actually realizing that most of the time when I’m reading emails, I’m fairly neutral about them. Like the topics might matter to me in my work, but I don’t get excited or worried or nervous. But I guess when I do, maybe I should take a step back and think about like, why is this happening?
Yeah. And I think, then you can check yourself. You can look at some of the more detailed questions, like is this somebody who works for my organization? Can I find them in an org chart? Can I phone the company this is allegedly coming from, and check that this is the right email? Is it coming to the right URL?
And I guess that’s where simulated phishing will help you, in building that awareness and making sure that you’re in the habit of checking these things when you get emails. How successful is simulated phishing? Do companies notice a decrease in infections after they use phishing services for a while?
Simulated phishing is the most effective way to keep people vigilant. We know this because when we start doing campaigns with people and testing them, the report rate increases dramatically.
So people are reporting phishing emails that they get both from the simulation and actual phishing.
Yeah. So I think last year we increased report rates for our clients by 1400%.
That is a lot.
That’s a lot. And one time someone said to me, “We don’t have any phishing, because nobody reports them.” Which is completely the wrong answer. That means that you are getting phished, just people don’t know how to report them and they’re not reporting them. So I like to think of doing phishing simulations as it keeps people on their toes, but it’s also like a fire drill for the real thing. It lets people practice what they should be doing, and makes sure that they know how to report things when they don’t quite check out.
I like what you were saying about the reporting part, because we were just doing an attack simulation on a company, and as a part of that we were doing phishing. We were hitting some of their employees. Some of them were reporting it, but none of the ones who actually clicked on our phish were reporting that they clicked on the phish. So when the IT services got the ticket that there’s phishing happening, they actually just dismissed that ticket because they hadn’t received any reports of people clicking on the phish. Whereas if they had received the reports they would’ve behaved differently. So both having people report phishing in the first place, and also telling your organization what they did then, is crucial.
Yeah, definitely. We encourage a positive feedback loop. So when somebody reports a phishing email, it’s really important that they get feedback that actually something’s happened with this. So even if it’s “Thanks for reporting, this time it wasn’t a phishing email, but do the same again next time” or it’s a “Actually this was a phishing email, well done, you stopped it in its tracks,” it’s really important that at some point the person who’s reported it gets some sort of feedback. Otherwise we find that people just report emails, and they feel like they go into a black hole and they don’t really know what’s happening, which means that after a certain amount of time, they’ll just stop doing it.
This is something we’ve looked at in Phishd on some of our behavioural science side, and our protection motivation theory, which isn’t particularly new, it’s been around for quite a long time, but it’s the act of “When I do something, something happens, and it works, and I find out about it, and I’m more likely to do it again.”
That engagement, that two-way dialogue about the reporting is something that’s important. What are some of the other metrics or approaches into simulated phishing that people should take?
I think it’s all about context. We hear a lot about click rates, and I think three years ago, we probably measured phishing susceptibility purely by click rates, whereas now it needs to get a little bit more analytical, and apply some context and the wider picture. So we need to look at things like, what were the tell-tale signs that that was a phishing email? How could the average Joe spot that? So you need some sort of framework for grading how sophisticated emails are.
Right. So it’s not just about like, you failed 60% of the time. It’s like, you fail a little bit more when you should be looking at the subject line than when there’s homoglyphs in the email address.
Definitely, 100%. It should be almost like, “This was an easy to very easy phishing email, and only 10% of people clicked.” But then it should be, this was a very difficult email, and 40% of people clicked. But we can track an improvement there. Because the difficulty level of phishing email number two was much higher than email number one. We’re not looking to just sort of tick a box and say, “This amount of people clicked an email.” We’re looking to actually say “This amount of people know how to spot a fairly sophisticated email phish.”
Right. That also allows you to sort of train different people, different groups in your organization at different levels. To make sure that the guys who are on the front lines, whose job is more risky for phishing, they’re at a higher level than maybe somebody else, elsewhere in the organization.
Yeah, 100%. We can do targeted training against people who are more likely to be targets, but we can also do it according to a knowledge gap or an action gap. So by taking an initial baseline and finding out where people actually sit on the ability to spot a phishing email, we can identify KPIs for specific user groups, and then deploy training to those user groups which is tailored to them.
Right. So you can actually train people to improve in the specific areas where they’re sort of lagging behind, where they’re having a hard time catching the telltale signs.
Yes, definitely. So if we sent out for example an email with a spoofed email address and somebody didn’t pick that up, we would then be able to measure how many users didn’t pick up that email, the fact that it was a spoofed email address. And then we would be able to roll out a training module that would specifically address that.
So instead of the training being generic, like “Be aware of phishing,” you’re actually saying like, “Here’s a thing that phishers will do, make sure you’re looking at that.”
Yes, exactly that.
So as an employee of an organization, it seems to me that the risk is more toward the company I work for and not me personally. Do you think that’s a factor in why people might not take phishing too seriously?
That’s a really interesting question. I think traditionally, cyber security has been sectioned off as, “This is not my problem. This is IT’s problem, this is security’s problem.” I think that’s really changing.
If we look at health and safety maybe 20, 30 years ago, people didn’t really take it all too seriously. It was a hindrance to people’s jobs. Nobody wanted to watch a 30-minute demonstration of how to use a ladder correctly, or how to lift a box correctly. Now we’re in 2019 and we have standing desks to make sure that we don’t ruin our posture, we have ergonomic mice. We see it as our right to have PPE, and so it should be. We should have steel toe boots and hard hats where required, and organizations should take responsibility for the health and safety of their employees. And I think that we’ve asserted that as civilians.
And I think this is really what’s happening now with cyber security. I think the introduction of GDPR and the media frenzy of recent breaches and last year’s ransomware attacks have really brought to light that people are demanding that organizations take cyber security seriously, and protect their data. Whether that be from the viewpoint of an employee or as a customer, we don’t want our data being leaked.
The one contention to that is sometimes people will say “What does it matter if somebody has my data?” And identity fraud, you know, is a thing and it’s important, but also it’s the point of these people trying to make you do things that you shouldn’t be doing. They’re trying to make you transfer large sums of money to unauthorized people. Which opens up then a whole can of worms, of who’s responsible for that? Is that the negligence of the company that didn’t address your needs, and train you to spot online fraud? Or is that your responsibility as an individual to not take due care and diligence when performing your job?
Right, so there might be a personal liability as well.
Yeah, maybe. I think that this is definitely a topic up for debate as to whether somebody would be personally liable if it was really obvious that this was an online fraud, and you acted in that way.
So it’s in the best interest of the employees to demand that awareness training and demand tools like password managers, demand multifactor authentication, to sort of keep themselves safe from that litigation.
Definitely. And also you know, it’s important that organizations protect the information about employees. You know, there’s sensitive information kept on file, people’s home addresses. You know, if you received an email from somebody externally to the company with your home address in it, how would that make you feel?
What about the war stories, when things go wrong? Do you have any cool war stories to share?
Oh, gosh. We get told stories ranging from somebody sending out an email looking like a CEO, asking the receptionist to run down to the nearest WHSmith, which is a news agent retailer in the UK, and buy 1000 pounds of iTunes vouchers, immediately scratch them all off in the shop, and take photographs of them and send them through to him.
And people do that?
And people do that. (Laughing)
That is awesome.
And that is definitely not a business as usual action.
I would not think so.
So that must’ve been some pretty persuasive language and I guess, using a scare tactic there. Using the authority of somebody very senior telling somebody to do that. Then there’s the more subtle ones where, I mean, sales people can be quite easily targeted, and somebody changing an account number on an invoice and asking for a rebate. That’s always a quite tricky one to spot because the email comes from a legitimate person, the invoice looks completely legitimate, it’s just the account number that is different.
I guess there’s two sorts of things that boggle my mind, and one is the more simple ones and people still falling for those, is kind of amazing. But also the more nefarious ones, where for an example an attacker gets inside your organization’s email system, and is able to impersonate a sender. For example, looking at emails you and I sent between ourselves like six months ago, and then reply to the latest one and say, “Oh, by the way, here’s a link related to this.” And you’re bound to click on that because this was an actual conversation we had. So you know it’s me that sent the previous emails, why not this one as well?
Yeah, I mean, that would be something that I think would be almost impossible to spot. And that’s where it’s really important to look at the other parts that complement security awareness training, and that’s detection and response.
Yeah, absolutely. Absolutely. All right, I guess that’s it. Thanks for being on the show.
Thank you very much.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter through F-Secure@CyberSauna. Thanks for listening.