Simulating phishing to raise user awareness

By Maria Sole Scollo, IT security expert at Consortium GARR

Even if phishing has been for many years now a well-known illegal practice, asking people for their sensitive information is still the most effective way for cyber criminals to get them. A good part of the spam we receive is still today sent by compromised addresses through phishing campaigns, which more often than not are customised to better fit the intended target, and still today security experts are asked about the possible countermeasures against them.

From a strictly technical point of view, the options to counteract this kind of attacks are limited: you can’t just prevent phishing with technical countermeasures, and the best weapon we have is to educate users. To this end, besides providing end users with training to recognise a phishing email message or web page, an effective strategy is to simulate a phishing campaign.

In a phishing simulation you send fake emails to your own users, to monitor their reaction and evaluate their preparation against real attacks.

To ensure that such a simulation is effective, this should be repeated over time, without a regular pattern, but frequently enough to keep the users’ eye trained and their attention alert. Furthermore, to evaluate improvements in users’ response, multiple trials will also be needed. Phishing messages evolve, and they become more and more sophisticated, and this is another reason why you want to keep up this kind of training and keep the pace with the latest trends among… phishers.

To assess the degree of success of a simulation, different parameters should be correlated and you will need to perform a complex analysis on the results. At a first glance, you could think that looking at how many users have clicked the malicious link would provide a sensible metric, in fact the click rate is not enough to determine how well your test went.

A more useful measurement is, for instance, the correlation between click rate and the so-called serial clickers. Serial clickers are a particular group of users who tend to click on almost all simulations: thus, a reduction of this specific group’s click rate will be the expression of a real improvement in your users’ learning curve. On the contrary, if the click rate was to slow down but the actual clickers were always the same, there would be no improvement to speak of.

Here are a few indicators you want to use when assessing the users’ learning curve, simulation after simulation:

  • Click rate
  • % of serial clickers
  • User resilience
  • Difficulty of the attack

To make the best of the simulation, it is important that it is followed by training addressing its victims who should be made aware of the deception and of the consequences it may bring, and should be instructed on what they can do to avoid repeating it, without being in any way blamed for their blunder. To this end, the test should be as entertaining and inclusive as possible, to make the fight against cyber crime interesting and create a culture of security.

To avoid incurring in law violations and minimise the possibility of annoying staff, it is also possible to request the users’ consent prior to starting the simulations and allow them to opt out.
Several platforms developed to help simulating a phishing campaign are available, and you should consider using one of them for your tests. Some of the best open source tools are:

A good phishing simulation software will be automatised to reduce the data required as input and automatically send pre-configured phishing emails, that can be customised to better fit an organisation, an office and even a single individuals’ circumstances. A good platform will allow to measure trends, also at the level of the single user, in order to maximise granularity in the evaluation of the results.

A final aspect is worth to be taken into consideration when considering about starting phishing simulation campaigns: cost-effectiveness. This type of training, if carried out using open source tools, is very inexpensive when compared to other more traditional – however essential – training activities.


About the author

Maria Sole Scollo is an IT security expert at Consortium GARR. She has been part of GARR-CERT since 2002. She deals with the management of security incidents, user support and publication of security alerts, as well as training relating to cybersecurity issues. Her area of interest include to the study and analysis of Cyber Intelligence sources for operational data protection.

 


Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020

Skip to content