{"id":119,"date":"2021-03-04T07:36:32","date_gmt":"2021-03-04T07:36:32","guid":{"rendered":"http:\/\/15.207.161.156\/blog\/2021\/03\/04\/ceo-article-how-to-improve-organizations-phishing-simulation-programme\/"},"modified":"2021-03-04T07:36:32","modified_gmt":"2021-03-04T07:36:32","slug":"ceo-article-how-to-improve-organizations-phishing-simulation-programme","status":"publish","type":"post","link":"https:\/\/testblog.prodmarc.com\/index.php\/2021\/03\/04\/ceo-article-how-to-improve-organizations-phishing-simulation-programme\/","title":{"rendered":"CEO Article &#8211; How to improve organization&#8217;s phishing simulation programme"},"content":{"rendered":"<div>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_3311c940c95842c28f46c4b9fb4ce892~mv2.jpg\/v1\/fit\/w_1000,h_720,al_c,q_80\/file.png\"><\/figure>\n<p>Many forward-looking organizations have been running phishing simulation programmes for their employees for years now. These programmes are delivered either as a service by a cyber security consultancy, through a phishing simulation platform, or as a hybrid of the two. Their key objective has been to train employees to detect and report the most common, well-known phishing lures.<\/p>\n<p>However, these programmes have been largely ineffective against the topical, targeted phishing attacks that cause material impact on the organization. The reason is that some of the most high-profile and successful phishing attacks were wrapped in the context of a routine business process of a critical user. 
These phishing attacks can be highly covert if they are additionally wrapped in a current topical matter, for instance COVID-19.<\/p>\n<p>A critical user need not be a system administrator or a payment-processing employee; it could be a PR \/ marketing employee handling a large list of generated customer leads, or a customer helpline executive holding a list of high-profile, irate or vulnerable customers.<\/p>\n<p>In this article, I am trying to bring about a change in mindset about how phishing simulation programmes should be conceptualized and executed.<\/p>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_9cf445cdeddb46ed838cc90d2caf5bd6~mv2.png\/v1\/fit\/w_1000,h_904,al_c,q_80\/file.png\"><\/figure>\n<p><strong>To start with, let us understand the present threat landscape \u2026<\/strong><\/p>\n<p>Since mid-March 2020, cyber-criminals have launched a variety of COVID-19 themed phishing and malware attacks against essential workers, healthcare facilities and the recently unemployed. One of the reasons these attacks succeed is that the phishing sites are served over HTTPS, so the browser padlock no longer distinguishes them from legitimate sites. The APWG recently published figures on the share of phishing sites protected by HTTPS.<\/p>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_4e21b2ab9e2449afb5cb76e4c6a2b202~mv2.png\/v1\/fit\/w_1000,h_682,al_c,q_80\/file.png\"><\/figure>\n<p><strong>Image Source: <\/strong><a href=\"https:\/\/docs.apwg.org\/reports\/apwg_trends_report_q1_2020.pdf\" target=\"_blank\" rel=\"noopener\"><strong><u>APWG Report<\/u><\/strong><\/a><\/p>\n<p>In Q1 2020 a new high was recorded: 74% of sites used for phishing were protected with SSL \/ TLS. The majority of phishing web sites continue to use SSL \/ TLS. Users have to learn that a certificate does not mean a site is legitimate: a domain-validated certificate only proves that whoever set up the site controls that domain name, and it is issued to an attacker who registers a look-alike domain just as readily as to anyone else. 
Virtually every website \u2014 good or bad \u2014 now uses TLS.<\/p>\n<p>Taking advantage of the ongoing pandemic, scammers are using COVID-19 as bait. E-mails purportedly from renowned health organisations such as the WHO, the UN and the ICMR, along with websites, messages and apps, are being used to steal sensitive information.<\/p>\n<p><strong>Cyber-criminals\u2019 use of the topical \u201cCOVID-19\u201d theme in Business Email Compromise attacks<\/strong><\/p>\n<p>COVID-19 themed phishing attacks started spiking in the second week of March, the same time at which COVID-19 spiked as a topic of general public interest according to Google Trends. Security researchers identified what may have been the first documented use of the pandemic as a lure in a \u201cBusiness Email Compromise\u201d or BEC attack.<\/p>\n<p>In a BEC attack, a scammer targets employees who have access to company finances, usually by sending them email from a fake or compromised email account (a \u201cspear phishing\u201d attack). The scammer impersonates a company employee or other trusted party and tries to trick the employee into sending money. Such emails typically carry no malicious attachment or credential-harvesting link at all, only a plausible request, which is why they pass through content filters and past employees trained only on generic lures.<\/p>\n<p>Soon after the spike in COVID-19 themed phishing, a criminal group named &#8220;Ancient Tortoise&#8221; reached out to a company posing as one of the company\u2019s real suppliers. The criminals requested payment of past-due invoices and used the coronavirus as a pretext to supply new payment details to the victim, explaining that the outbreak had forced the supplier to change the bank it used to receive payments. 
The new account turned out to be in Hong Kong, from which the criminals could retrieve the funds via money mules.<\/p>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_946f552296004a77ab84be870d92c8a1~mv2.png\/v1\/fit\/w_1000,h_400,al_c,q_80\/file.png\"><\/figure>\n<p><strong>The attacker used a look-alike domain to spoof the target company<\/strong><\/p>\n<p>Later on, security researchers reported that ransomware attacks on healthcare facilities were up 35% versus similar attacks from 2016 through 2019. Healthcare providers must prevent disruptions to patient care, and cyber-criminals saw them as targets likely to pay a ransom. Researchers found that 70% of the healthcare attacks were directed at facilities with fewer than 500 employees; attackers targeted smaller direct-patient-care facilities because they might have smaller security budgets. Researchers predicted that threat actors would increasingly use ransomware against companies and organizations in healthcare and related fields. 
By mid-March, cyber-criminals were also padding malware with text lifted from COVID-19 news stories, in an attempt to bypass security software that uses artificial intelligence and machine learning to classify malware.<\/p>\n<p><strong>Current method adopted by organizations for phishing simulation programmes<\/strong><\/p>\n<p>From an organizational-impact perspective, phishing attacks can be classified broadly into two categories:<\/p>\n<ol>\n<li>High Frequency \u2013 Low Impact<\/li>\n<li>Low Frequency \u2013 High Impact<\/li>\n<\/ol>\n<p>Impact can range from files locked by ransomware to compromise of internal \/ customer data, insertion of self-spreading malware into systems, and so on.<\/p>\n<p><strong>High Frequency \u2013 Low Impact:<\/strong> This type of attack targets a large set of users, generally with free vouchers \/ gift cards, with the intention of harvesting the personal \/ professional details the victim enters.<\/p>\n<p><strong>Low Frequency \u2013 High Impact: <\/strong>This type of attack is low in volume but huge in consequence; the attackers\u2019 end goal is a major fraud or breach, such as the SWIFT transfer fraud at Bangladesh Bank, the Unacademy data breach of 22 million users later found for sale on the dark web, or the Italian email provider breach exposing the data of 600,000 users.<\/p>\n<p>Range of attack methods used by cyber-criminals:<\/p>\n<ul>\n<li>Email based phishing<\/li>\n<li>SMS based (SMiShing)<\/li>\n<li>Voice based (Vishing)<\/li>\n<li>USB drops<\/li>\n<\/ul>\n<p>Most phishing simulation programmes are geared towards detecting \u201cHigh Frequency \u2013 Low Impact\u201d attacks. 
These programmes are not contextual trainings built on a risk profile of the organization that considers topical threats, its business departments \/ processes, country of primary business, industry vertical (banking, insurance, healthcare, manufacturing, etc.), key business processes, partnerships and so on.<\/p>\n<p>While the \u201cHigh Frequency \u2013 Low Impact\u201d approach should continue for detecting run-of-the-mill phishing attacks, special emphasis should be placed on subjecting critical employees to simulations that are disguised as standard, business-process-related email interactions.<\/p>\n<p>Let me illustrate a few common business processes \/ departments that exist in most organizations and how a tailor-made, contextual phishing simulation programme could be created for each:<\/p>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_dbb0debe220e4913ba56f61f83b3291b~mv2.png\/v1\/fit\/w_1000,h_218,al_c,q_80\/file.png\"><\/figure>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_65ae588558e84408befb887d66b60f63~mv2.png\/v1\/fit\/w_1000,h_218,al_c,q_80\/file.png\"><\/figure>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_1bc687fa1c0d4623a82c7f2ce3b8f026~mv2.png\/v1\/fit\/w_1000,h_218,al_c,q_80\/file.png\"><\/figure>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_28e7b1e1c4fe413287f1b977d4ddfc58~mv2.png\/v1\/fit\/w_1000,h_218,al_c,q_80\/file.png\"><\/figure>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_e6c3485cf95744f59149d0ba4fc59892~mv2.png\/v1\/fit\/w_1000,h_218,al_c,q_80\/file.png\"><\/figure>\n<p><strong>Get to know us<\/strong><\/p>\n<p>ProgIST offers a full range of cyber security consulting services and products for the email security of employees, customers and third parties. 
Our consulting services include cyber security maturity assessments, incident response framework (SOC) setup and review, web application and mobile app security assessments (VAPT), security awareness, cloud \/ vendor risk assessment, forensic investigations, etc. ProgIST is formed by practitioners with more than 100 man-years of cumulative hands-on Information Technology and Information Security experience.<\/p>\n<p>ProgIST\u2019s flagship, country-leading DMARC analytics platform ProDMARC has given us the opportunity to work alongside, and understand in depth, the mailing ecosystem and related business processes of leading organizations across sectors, viz. banks, insurance, NBFCs, AMCs, healthcare and pharma, stock markets, IT &amp; ITeS, manufacturing, power &amp; telecom, media &amp; entertainment, etc.<\/p>\n<p>ProDMARC gives us threat intelligence on the most pervasive phishing attacks impacting organizations, their employees, suppliers, distributors and other third parties.<\/p>\n<p>Based on our understanding of the business context and mailing ecosystem, we at ProgIST have developed a cloud platform, \u201cProPhish\u201d. We offer the ProPhish based Employee Awareness Programme (P.E.A.P), which addresses the key gaps described in this article. Some of the key features included in the programme are:<\/p>\n<figure><img src=\"https:\/\/static.wixstatic.com\/media\/2c92e2_ccf1be88896b494490f3c3588fd57892~mv2.png\/v1\/fit\/w_1000,h_1000,al_c,q_80\/file.png\"><\/figure>\n<h3>We offer a free trial of ProPhish platform based phishing simulation and the corresponding \u201cOTS \u2013 On-The-Spot\u201d training. Reach out to us at info@progist.net<\/h3>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Many forward-looking organizations have been running phishing simulation programmes for their employees for years now. 
These programmes are delivered either as a service by a cyber security consultancy, through a phishing simulation platform, or as a hybrid of the two. Their key objective has been to train the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":330,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_mi_skip_tracking":false},"categories":[1],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts\/119"}],"collection":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/comments?post=119"}],"version-history":[{"count":0,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/posts\/119\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/media?parent=119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/categories?post=119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testblog.prodmarc.com\/index.php\/wp-json\/wp\/v2\/tags?post=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
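The Ancient Tortoise case in the article hinged on a look-alike supplier domain, and the article's point about "Low Frequency - High Impact" attacks is that simulations for finance staff should rehearse exactly that lure. The Python below is an added example, not code from the article or from ProgIST's products: it checks an inbound sender domain against the supplier domains a finance team already trusts and names the imitation technique it finds (TLD swap, confusable characters, typosquat, embedded supplier name, trusted domain used as a subdomain of an attacker's domain). The trusted list, the sample sender domains and the small public-suffix table are constructed for the example; a real deployment would use the full Public Suffix List.

```python
"""Look-alike sender-domain check for BEC-style "our bank details changed" mail.

Added example, not code from the article or from ProgIST: given the supplier
domains the finance team already trusts, name how an inbound sender domain
imitates one of them. Trusted list, sample senders and the small public-suffix
table are constructed for this example.
"""
from __future__ import annotations

import unicodedata

# Cyrillic letters that render like Latin a e o p c x y i, mapped back to Latin.
_HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

# Multi-character confusables first, so "rn" -> "m" runs before "1" -> "l".
_CONFUSABLES = [("rn", "m"), ("vv", "w"),
                ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]

# Stand-in for the Public Suffix List (constructed); use the real list in production.
_MULTI_LEVEL_SUFFIXES = {"co.uk", "org.uk", "co.in", "com.au", "com.hk", "com.sg"}


def normalize_label(label: str) -> str:
    """Canonical form of a DNS label: fold homoglyphs, strip accents and any
    remaining non-ASCII, lower-case, drop hyphens, collapse confusables."""
    s = label.translate(_HOMOGLYPHS)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    s = s.lower().replace("-", "")
    for src, dst in _CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable_parts(domain: str) -> tuple[str, str]:
    """(registrable label, public suffix): 'mail.acme-corp.co.uk' -> ('acme-corp', 'co.uk')."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in _MULTI_LEVEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance; an adjacent
    swap such as 'acmecrop' vs 'acmecorp' costs 1, like any other edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(sender_domain: str, trusted_domains: list[str]) -> str:
    """'trusted' for a trusted domain or its subdomain, 'lookalike:<technique>:<trusted>'
    for an imitation of one, otherwise 'unrelated'."""
    sender = sender_domain.lower().rstrip(".")
    trusted_domains = [t.lower().rstrip(".") for t in trusted_domains]
    if any(sender == t or sender.endswith("." + t) for t in trusted_domains):
        return "trusted"
    s_label, s_suffix = registrable_parts(sender)
    s_norm = normalize_label(s_label)
    for t in trusted_domains:
        t_label, t_suffix = registrable_parts(t)
        t_norm = normalize_label(t_label)
        if s_norm == t_norm:                          # acme-corp.co, acrne-corp.com
            kind = "tld-swap" if s_suffix != t_suffix else "confusable"
            return f"lookalike:{kind}:{t}"
        budget = 1 if len(t_norm) < 8 else 2          # acmecrop.com
        if edit_distance(s_norm, t_norm) <= budget:
            return f"lookalike:typosquat:{t}"
        if len(t_norm) >= 4 and t_norm in s_norm:     # acme-corp-invoices.com
            return f"lookalike:embedded:{t}"
        if ("." + t + ".") in ("." + sender + "."):   # acme-corp.com.payments-portal.net
            return f"lookalike:subdomain-trick:{t}"
    return "unrelated"


TRUSTED_SUPPLIERS = ["acme-corp.com", "globex.co.uk"]

# Constructed From: domains a finance mailbox might see (example data, not real traffic).
SAMPLE_SENDERS = [
    "billing.acme-corp.com", "acrne-corp.com", "acme-corp.co", "acmecrop.com",
    "acme-corp-invoices.com", "acme-corp.com.payments-portal.net",
    "\u0430cme-corp.com",  # leading Cyrillic letter in place of Latin 'a'
    "globex.com", "example.org",
]


def triage(senders: list[str], trusted: list[str]) -> list[tuple[str, str]]:
    """Classify every sender domain; returns (domain, verdict) pairs."""
    return [(d, classify_sender(d, trusted)) for d in senders]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_SENDERS, TRUSTED_SUPPLIERS):
        print(f"{domain:36} {verdict}")
```

Two caveats a practitioner should keep in mind. First, a look-alike domain is the attacker's own registered domain, so SPF, DKIM and DMARC will all pass on its mail; DMARC stops spoofing of your own domain, not imitation of a supplier's, which is why a check like this belongs in the mail pipeline alongside DMARC rather than instead of it. Second, no verdict should trigger a payment change on its own: any request to alter bank details, whether the sender is classified as a look-alike or as trusted (the supplier's real mailbox may be compromised), should be confirmed out of band using a phone number already on file.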