Why Implementing Ethical Phishing Campaigns Isn't Enough to Protect Against Data Breaches

Have you checked your spam folder recently? Chances are some of those junk emails are after your private information. Email is an essential form of internal and external business communication, especially with the increase in remote work, and phishing is a common threat that arrives in these messages.

This type of cyber-attack attempts to acquire private details, typically login credentials, by luring users to a spoofed web page that appears legitimate so that they enter sensitive information. Phishing comes in many forms, and email is one of the most common methods used to phish people.

In January 2021, 245,771 phishing attacks were reported, though not all of them were successful. When they are successful, it is payday for the scammers, and they will go to great lengths to get around existing security controls. People are a direct source of, or route to, sensitive information, which is why they tend to be the targets of scamming campaigns. A criminal only has to swindle one person into giving up private information to gain access to internal data.

The importance of ethical phishing

Phishing can have devastating and lasting effects on individuals, on finances, and on the perceived integrity of a brand. It is vital to develop a robust defense to prevent these losses. Individuals must develop security-centered habits and the skills to identify and avoid potential scams so they do not become victims of a phishing campaign.

Can phishing be part of the solution? Security standards exist for anyone storing or processing cardholder data, and testing the security program is one of many components of compliance with PCI DSS, the Payment Card Industry Data Security Standard. One testing method is ethical phishing, in which scam emails are crafted to mimic a real threat without the real consequences.

By putting employee skills to the test, employers can assess how well staff distinguish phishing attempts. It helps a company answer questions such as: Can individuals recognize a phishing email? Is there a common theme to the lures that succeed? Do employees know the protocol when they spot a phishing attempt, and do they report it? Where are the gaps in security, and what can be implemented to fill them? Measuring how many recipients report the email, and how quickly, matters as much as counting clicks: a fast first report gives the security team a chance to pull the message from other mailboxes before more people fall for it.
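One way to turn the raw results of a simulated campaign into answers to those questions, as an added example that is not part of the original article: the result records, user names and lure themes below are constructed for illustration (a real campaign exports them from the phishing-simulation platform), and the metrics are the ones a security team would actually act on: click rate, credential-submission rate, report rate, and how long it took for the first report to arrive.

```python
"""Added example, not from the original article: scoring a simulated
phishing campaign. Result records, user names and lure themes are
constructed for illustration; in practice they are exported from the
phishing-simulation platform."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Result:
    user: str
    lure: str                           # theme of the simulated email
    clicked: bool                       # followed the link to the spoofed page
    submitted: bool                     # typed credentials into it
    reported: bool                      # used the report-phishing button
    minutes_to_report: Optional[int] = None


# Constructed sample data: four users, three lure themes.
SAMPLE: List[Result] = [
    Result("alice", "password-expiry", True, True, False),
    Result("bob", "password-expiry", False, False, True, 7),
    Result("carol", "password-expiry", True, False, True, 40),
    Result("dave", "password-expiry", False, False, False),
    Result("alice", "shared-document", True, False, False),
    Result("bob", "shared-document", False, False, True, 3),
    Result("carol", "shared-document", False, False, False),
    Result("dave", "shared-document", False, False, True, 12),
    Result("alice", "ceo-urgent-request", False, False, True, 5),
    Result("bob", "ceo-urgent-request", False, False, True, 2),
    Result("carol", "ceo-urgent-request", True, True, False),
    Result("dave", "ceo-urgent-request", False, False, False),
]


def score_campaign(results: List[Result]) -> Dict[str, dict]:
    """Per-lure click, credential-submission and report rates, plus how many
    minutes passed before the first report reached the security team."""
    by_lure: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        by_lure[r.lure].append(r)
    scores: Dict[str, dict] = {}
    for lure, rs in by_lure.items():
        n = len(rs)
        report_times = sorted(r.minutes_to_report for r in rs
                              if r.reported and r.minutes_to_report is not None)
        scores[lure] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
            # A quick first report lets the team purge the mail before others click.
            "first_report_minutes": report_times[0] if report_times else None,
        }
    return scores


def most_effective_lure(scores: Dict[str, dict]) -> str:
    """The theme that fooled the most people: the common theme to train on first."""
    return max(scores, key=lambda lure: scores[lure]["click_rate"])


def repeat_clickers(results: List[Result], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks separate lures. Candidates for
    targeted coaching rather than blame."""
    clicks: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted(u for u, c in clicks.items() if c >= min_clicks)


if __name__ == "__main__":
    scores = score_campaign(SAMPLE)
    for lure, s in scores.items():
        print(f"{lure:20s} sent={s['sent']} click={s['click_rate']:.0%} "
              f"submit={s['submit_rate']:.0%} report={s['report_rate']:.0%} "
              f"first report after {s['first_report_minutes']} min")
    print("most effective lure:", most_effective_lure(scores))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

On the constructed data the password-expiry lure draws the highest click rate, every theme is reported by half the recipients, and two users clicked on more than one lure; that last list is the input to targeted follow-up training, not a disciplinary record.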

Much like a fire drill prepares people for an emergency without preventing a fire, ethical phishing does not prevent people from getting phished, but it does prepare them for when the situation arises.

There is an ongoing debate around ethical phishing. Scammers will go to great lengths to gather critical details, so should testing employ the same tactics? Highly manipulative lures (a fake bonus announcement, for instance) may cause employees to lose trust in their employers or to feel distress at the emotional manipulation. Less realistic tests, on the other hand, may make ethical phishing less effective at assessing an individual's skills.

How data breaches still occur

Hacking, spamming, and scamming are not going away anytime soon. Individuals, businesses, health systems, and government systems are all targets that offer some sort of gain for the attacker, usually financial but sometimes political.

The more lines of defense, the stronger the security tends to be. Unfortunately, attackers are cunning and persistent. Despite the security measures in place, in July 2020 Twitter fell victim to a phone spear phishing attack in which a group of attackers impersonated IT staff and called employees until someone fell for the trick. The stolen credentials gave the attackers access to internal account-support tools, which they used to take over multiple high-profile accounts for a bitcoin scam.

Why these breaches happen during a phishing campaign

A survey conducted last year revealed that 78% of users clicked on links despite claiming to be familiar with the risks of unsolicited links in emails. When it comes down to it, breaches happen during a phishing campaign because someone has been fooled into providing private information: account logins, credit card numbers, security question answers (like your mother's maiden name), or even one-time authentication codes.

Methods of deception include impersonation, spoofed web pages, fake IT help-desk phone numbers, and more. Regardless of the means of fraud, your information can be extracted verbally, as in the Twitter attack, or collected from a spoofed web page.

Phishers try to gain your trust, toy with your emotions, prey upon your vulnerabilities, and may provide legitimate-looking web pages to accomplish their goal of misleading you. They also know people slip up, and may bombard your inbox with various attempts until you make a mistake.

How to protect against phishing attacks with a layered security defense

Robust defenses can be put in place to greatly reduce the chance that a cyber-attack succeeds. The first step is to stop thinking of your cyber security as set-it-and-forget-it, or as a single product such as anti-virus software.

A good defense requires multiple layers and consistent updates. The more hoops an attacker has to jump through, the more chances you have to protect private data. The following are some ways to add layers to your current cybersecurity.

Stop hacking attempts before they make it to you

Nowadays, most email services include built-in phishing filters, and some web browsers or extensions warn you when you are about to visit a known malicious page. Anti-virus and anti-malware software add to this layer of protection. None of these filters catch everything, though: a freshly registered lookalike domain often passes until someone reports it, which is why the remaining layers matter.
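To make the filtering layer concrete, here is an added example (not code from the original article) of the kind of heuristic screening a mail filter or browser extension applies to a link before the user follows it. The brand allow-list, the list of risky top-level domains and the sample URLs are constructed for illustration; a production filter would also consult the Public Suffix List and a reputation feed.

```python
"""Added example, not from the original article: heuristic screening of a
link for common phishing indicators. TRUSTED_BRANDS, RISKY_TLDS and the
sample URLs are constructed for illustration."""
import ipaddress
from typing import Dict, List
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword -> the domain that brand really uses.
TRUSTED_BRANDS: Dict[str, str] = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "google": "google.com",
}
# Assumption for the example: top-level domains that see heavy phishing abuse.
RISKY_TLDS = {"xyz", "top", "tk", "zip"}
# Digits commonly swapped for letters in lookalike names (paypa1, g00gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Real filters use the Public Suffix List,
    otherwise a name like paypal.co.uk would be misread."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(text: str) -> str:
    """Undo digit-for-letter swaps and hyphens so 'paypa1-login' reads 'paypallogin'."""
    return text.translate(HOMOGLYPHS).replace("-", "")


def screen_url(url: str) -> List[str]:
    """Return a short code for every phishing indicator found (empty list = none)."""
    findings: List[str] = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    # https://paypal.com@evil.example/ : the browser connects to evil.example.
    if parsed.username is not None:
        findings.append("userinfo")

    # A bare IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-host")
    except ValueError:
        pass

    # Internationalised names: encoded (xn--) or raw non-ASCII homograph.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")
    if not host.isascii():
        findings.append("non-ascii-host")

    reg = registrable_domain(host)
    for brand, real_domain in TRUSTED_BRANDS.items():
        # Brand name in the host, but the registered domain is not the brand's:
        # paypal.com.secure-login.xyz or paypa1-login.com
        if brand in normalise(host) and reg != real_domain:
            findings.append(f"brand-lookalike:{brand}")
    for brand, real_domain in TRUSTED_BRANDS.items():
        # Brand only in the path: http://203.0.113.5/microsoft/login
        if brand in path and reg != real_domain:
            findings.append(f"brand-in-path:{brand}")

    if host.count(".") >= 4:
        findings.append("deep-subdomains")
    tld = host.rsplit(".", 1)[-1]
    if tld in RISKY_TLDS:
        findings.append(f"risky-tld:{tld}")
    # A padlock is not proof of legitimacy, but its absence is still a signal.
    if parsed.scheme != "https":
        findings.append("no-tls")
    return findings


def is_suspicious(url: str) -> bool:
    return bool(screen_url(url))


if __name__ == "__main__":
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.xyz/verify",
        "https://paypa1-login.com/",
        "https://paypal.com@evil.example/",
        "http://203.0.113.5/microsoft/login",
        "https://xn--pypal-4ve.com/login",
        "https://login.account.secure.update.example.com/",
    ]:
        print(sample, "->", screen_url(sample) or "clean")
```

Each code names the trick it caught, so a warning banner can explain to the user why the link was held rather than just blocking it. Heuristics like these produce false positives (a legitimate brand on an unusual domain, for example), which is why they sit in front of a human decision and a reporting button instead of replacing them.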

Encryption

Think of encryption as a way to prevent someone from pick-pocketing your data as it travels online. Some forms of encryption are already built in, like HTTPS. Note that HTTPS only protects the data in transit; it says nothing about who is at the other end. Phishing sites routinely use HTTPS too, so a padlock in the address bar is not a sign that a page is legitimate.

A Virtual Private Network (VPN) is a tool that encrypts your web traffic between your device and the VPN provider, which protects it from eavesdropping on untrusted networks. It does not stop you from handing your password to a spoofed page. As cybersecurity expert Ludovic Rembert from Privacy Canada notes, not every VPN is created equal: some sacrifice speed for enhanced security while others choose speed over safety. Rembert also specifically advises people to avoid free VPN services.

“One of the first things you’ll be faced with when you search for a VPN service is the proliferation of free options,” says Rembert. “You’ll be tempted, but please don’t fall for the bait. Free VPNs don’t charge anything to use their service, but you can bet they are collecting your browsing history and selling it to third party advertisers who will then proceed to drive you crazy with ads.”

Refresh and test your knowledge

Inevitably, you will come face to face with a phishing attempt, so make sure you and your staff are up to date on how to behave securely online, how to spot a phishing attempt, and how to report a scam. Testing yourself helps identify flaws in your phishing detection, so you can decrease your vulnerability to scams. Staying up to date also keeps you informed about the current scams going around.

To err is human

Keep in mind that it only takes one person to be fooled for a breach to occur, and chances are a breach will happen eventually. This is why some companies have chosen a zero trust model, which verifies every access request rather than trusting a user or device because it is already on the internal network, and grants only the access each task requires, so a single phished password yields less. Multi-factor authentication also raises the bar, although one-time codes can be phished in real time just like passwords, so phishing-resistant methods such as hardware security keys are preferable. When a phishing attempt succeeds, report it to your IT department immediately and follow their directions to reduce losses; the sooner the credential is reset and its sessions revoked, the less the attacker can do with it.

Conclusion

Cybercrime is on the rise, and scammers will go to great lengths to deceive users into giving up private information. The 2020 Twitter hack shows that even with security controls and training in place, people can still be conned into providing confidential information.

The best way to prevent and reduce scam risk is a layered defense: filters, encryption, continuing education, and the humility to admit when you've been duped. Stay vigilant and remember, if it seems phishy, it probably is a phishing attempt.

*** This is a Security Bloggers Network syndicated blog from Security – TechSpective authored by Lee Li Feng. Read the original post at: https://techspective.net/2021/09/26/why-implementing-ethical-phishing-campaigns-arent-enough-to-protect-against-data-breaches/