Quick Clicks with Dire Consequences

Millions of people fall for fake emails every day. They open malicious links or file attachments, disclose sensitive data or transfer large sums of money to fake accounts. As different as the individual spear phishing attacks may be, they have one thing in common: they target the emotions of their victims so skillfully that they open the incoming mails without thinking and do pretty much whatever is asked of them.

Corporate environment particularly lucrative

Since employees are among the most appealing target groups for spear phishing attackers, the scammers have adopted a special tactic when it comes to the corporate environment. First, they meticulously scour social media and other Internet sources for company and employee information. Then they use this information to create deceptively real-looking emails in which they pose as superiors, colleagues or business partners. Finally, they reach into their psychological bag of tricks to trick their victims.

The most important emotional influencing factors include:

Deference to authority

On behalf of a board member, the employee is asked to make payments to someone else’s account. This fraud method, known as CEO fraud, caused the German automotive supplier Leoni in 2016 to lose around 40 million euros.

Time pressure

The alleged IT administrator warns: If the employee does not change his password immediately, his user account will be deactivated. The user obeys – and passes his log-in data directly into the hands of the attackers. In the worst case, these can serve as a gateway into the entire corporate network.

Helpfulness

The attackers claim to have been referred by a colleague. Since their company is looking for cooperation with the email recipient’s company, they send a link to a file “with initial ideas”. Since the employee would like to support his colleague, he obviously opens the link – and downloads malware onto his computer.

Fear

In the name of the financial accounting department, an invoice is complained about that has not been commissioned and has no reference to existing contracts. The employee gets a fright – he wants to get to the bottom of the matter immediately. Again, a click on the link to the invoice is enough to compromise the employee’s system.

Curiosity

Allegedly, the management announces important structural and personnel changes in the company and posts an organizational chart with the new responsibilities on the intranet. The employee is curious as to who is now responsible for which areas. The scammers rejoice at having a new victim on the hook!

Demand for awareness training is growing

Thanks to these methods, spear phishing has become one of the riskiest types of cybercrime. Many companies have recognized the danger and rely on security awareness training to educate their employees on the correct way to deal with fraudulent e-mails. However, traditional approaches fall short, as they focus on imparting theoretical knowledge through classroom training, e-learning and webinars. Why this does not suffice in the case of phishing attacks is shown by looking at the theses of psychologist and Nobel Prize winner Daniel Kahnemann.

In his bestseller “Fast Thinking, Slow Thinking,” Kahnemann distinguishes between two systems of thought. While system 1 – fast thinking – runs subconsciously and tends to make intuitive decisions, system 2 – slow thinking – makes its decisions only after systematic and logical examination of an issue. Since spear phishing attacks address the victim’s emotions and thus thinking system 1, conventional security awareness training aimed at rational thinking is not enough. They should definitely be supplemented with spear phishing simulations

Phishing simulations offer didactic value

These phishing simulations use real company and employee information to recreate authentic-looking attacks. But instead of falling into the scammers’ trap, email recipients land on an interactive explanation page. There, they are explained step by step the characteristics that would have enabled them to recognize the e-mail as a fake: for example, letter rotations in the address line, the use of fake subdomains or suspicious-looking links.

Spear phishing simulations are particularly valuable from an educational and didactic point of view because they take advantage of an employee’s “most teachable moment.” He is made aware of his potentially damaging misconduct at exactly the right moment. To ensure that this learning effect lasts, the phishing simulations should be repeated regularly. This is the only way to ensure that employees remember the retained information and handle incoming e-mails with greater caution in the future.

It is also important to align the security awareness training courses with the individual learning progress of the employees and to document the learning progress on the basis of key figures. This makes it possible to communicate the learning successes within the company and to define a common goal for which IT security officers, managers and employees are all pulling in the same direction

Communication is everything

Speaking of communication, companies would be well advised to let employees know in good time that awareness training is planned. For example, employees must not under any circumstances be given the feeling that they are being controlled or – even worse – tricked by their employer with spear phishing simulations. Companies achieve the most success when they explain the “why” and appeal to the self-responsibility and self-efficacy of their employees. Even though IT departments are already succeeding in intercepting many fraudulent phishing emails, quite a few still make it into recipients’ inboxes. Despite sophisticated IT security techniques, humans remain the greatest vulnerability to spear phishing attacks.

David Kelm

is co-founder and managing director of IT-Seal GmbH, which specializes in protecting employees against social engineering attacks, including research work at Darmstadt Technical University. IT-Seal bundles innovative methods and tools for measuring and training employee security awareness.