PhishNet allows security teams to launch authentic phishing campaigns to their colleagues, bolstering training by demonstrating what a phishing lure looks like – and how easy it is to fall for one.
“Even in a company with a vibrant, happy, positive office culture, employee behaviour is one of the biggest risks to cybersecurity,” says Sean Nourse, Chief Solutions Officer at Internet Solutions. “Phishing attacks are increasingly sophisticated and they target individuals, so proactive employee education is an important element of a holistic cybersecurity strategy.”
Internet Solutions recently tested the efficacy of phishing by sending a PhishNet campaign to a list of IT-savvy contacts. Despite deliberate spelling errors, an outdated logo and a questionable subject line, a staggering 40% of recipients clicked the phishing link contained in the email.
“This test clearly demonstrated that everyone is vulnerable to phishing, not only people who are technologically inexperienced,” says Nourse. “We can be negligent and distracted using our personal devices, and we’re no different when using company laptops, mobile phones and tablets.”
Phishing remains one of the most popular forms of cybercrime because it is highly profitable. It is easy to distribute thousands of emails that appear legitimate, and the returns come in the form of banking PINs, credit card details, passwords, compromising personal information, confidential company and client information, or the installation of malware or ransomware.
The recent WannaCry attack, which affected hundreds of thousands of machines worldwide, reportedly launched when an unsuspecting computer user opened a .zip file contained in a phishing email.
Our dependence on mobile devices aids phishers as small screens make it difficult to examine emails and websites carefully, and we’re more likely to unthinkingly click links while on the go.
PhishNet provides security teams with detailed reports on who clicked the links contained in the mock emails, who submitted credentials when prompted and even who is running vulnerable or outdated Internet browsers. This helps companies identify which employees require additional training and contributes to security efforts by making employees aware of new cyberthreats.
Nourse is quick to point out that employee education should be regular and supportive, rather than punitive.
“Overly harsh measures in the case of accidental system compromise will only make employees less likely to report such incidences,” says Nourse. “Limiting device usage and Internet access is not usually practical either. A service like PhishNet contributes to an ongoing education effort that recognises how vulnerable all computer users are.”