I have been thinking over the content and structure of the security awareness chats I have with staff, picking out the things that are working well and those areas which need some improvement.
Im still working hard on improving the parts where I talk about social engineering, especially phishing. Phishing it turns out is a really tricky topic to cover well without it being loaded with fear. We are after all talking about really malicious people praying on our personal weaknesses and vulnerabilities to trick us out of information or infect our computers.
I have in the past made the mistake of focusing too much on conveying the lengths and methods an attacker might go to in order to deceive someone. I think it ended up being counter productive and not a risk a user would feel they personally would be subject to.
Now days I usually talk about fake DocuSign requests and some examples of Paypal and Apple ID account as more generic phishing attempts as opposed to targeted phishing. Even the more generic examples are nasty enough and illustrate how if a person was not on their guard they might click through and get their computer infected or lose control of an account.
It conveys the threat well enough, so job done? Well no. I have only at this point only explained the potential harm and some of the warning signs.
Im mindful after showing some of the better crafted examples you can be fairly certain there is now an even bigger fear brewing in your audience, that they might be the ones that get caught out. They failed to spot the con and clicked that malicious link. What would they do if this happened to them? Panic?
It’s really important to explain everyone is vulnerable one way or another. No one is immune from making an honest mistake while tired or under pressure. How can we assure our staff everyone including us the security professionals get baited every once and a while?
I have decided in my next session I am going eat some real humble pie and to start telling people I work with how I got phished recently. How one late night I ignored some of the signs I teach people to look for that somethings not right and gave up my e-mail and mobile number to a phishing scam.
It was a Thursday night, I had my feet up on the couch listening to some music and was flicking through Instagram on my phone. I was really tired, It had been a really busy week. I saw a promoted advert for Ben and Jerrys ice cream which apparently is opening up stores here in New Zealand.
For avery limited time Ben and Jerrys were offering a select few people the chance to grab up to 3 free tubs of any flavour of ice cream provided we shared it somehow on social media. I love ice cream and I sure love twitter, what luck! Im perfect!
The advert was well designed and the branding looked absolutely like what I had seen in other Ben and Jerrys stores I had been to in Singapore and the US. Just enter your full name, email and mobile number and we will send the voucher codes out it said.
There were a few things right away that if I was paying heed to my own advice id have at this point wanted to reconsider engaging with this offer.
1. Instagram are not perfect, they like many other social media sites will take ad revenue from anyone. Including people running a phishing scam. Just because its from Instagram there is no guarantee this is legitimate.
2. This was a limited time offer, appealing to scarcity and creating a sense of urgency. Get in quick before its gone!
3. Thats a lot of personally identifiable information to give away for 3 samples of ice cream.
4. The amount of genuinely free lunches that exist online (none).
5. This popped out of Instagram into a browser, is everything still looking ok?
Now in my defence I was really looking forward to this ice cream. I was going to pick it up and enjoy it with a bit of Netflix on the weekend. This is what I was thinking about when I blasted right past all the warning signals and gave them all the details they needed.
Moments later I started getting SMS spam and spam messages starting to pile up in my inbox. It very suddenly hit me what id gone and done. Free ice cream? Brendan you idiot! I went back to the Instagram post and saw a bunch of other unlucky ice cream fans warning people in the comments this is a scam and not to engage.
Social engineering is something I love learning about and hope to one day participate in some social engineering CTF contest and maybe even some trainings.
While no expert in the subject by any means I know enough to give other staff their security awareness training in what they should be on the look out for. Point is if anyone thinks this interest in the subject gives me some kind of elevated immunity from being conned I am sorry to admit turns out offers of free ice cream are enough to do the job on me somedays.
I felt pretty stupid. Really stupid. Fact is everyone can be exploited and do silly things under pressure or when they are tired and there is no real shame in getting baited. This needs to be part of the security trainings on phishing as much as coverage of the motivations and methodologies of the attackers your helping your people become aware of.
Understanding it happens to the best of us is important but it also needs to be backed with an assurance if it does happen the right support and assistance will be blamelessly in place and provided for people who ask for help when it goes wrong.
I filed an abuse report to Instagram and my ISP/telco to get help. They both helped a lot in stopping the spam id signed myself up for. Make sure your people know the security team is here to do the same!
Will be interesting to see how sharing this story of mine goes. Im willing to bet an open admission of my own mistakes and how I was able to recover quickly will help take the heat and fear out of potentially being phished at work. Understanding the threat, knowing what to look for and having actionable steps if things do go wrong is what I think makes for valuable secuirty awareness training.
Do you do secuirty awareness sessions in your company? What works for you and your staff when explaining social engineering topics?
Keen as always to continue the conversation on twitter @SparkleOps .