I hope you enjoy my latest cartoon about data security — a twist on the angel on one shoulder and devil on the other. Humans are the weakest link for data security. Attempts to control people with surveillance or lots of technological restrictions often backfire. I believe that the most effective solution is to train people. It’s not perfect, but if training is done right, it can make a meaningful difference.
Misspelled words and bad grammar are tell-tale signs of phishing. Why don’t phishers learn spelling and grammar? Can’t they afford a copy of Strunk and White?
Phishers don’t need to spell better because their poorly-written schemes still fool enough people. It’s just math for the phishers — a numbers game. If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do. That’s why it is essential to train people — again and again.
Why do phishers waste their time with such obvious phishing scams when they can do so much better?
One possible answer: They don’t have to do better. They send out so many emails that they only need a very low percentage of people to click. And people always do. In fact, if phishing emails became more effective, phishers might get too many clicks and might not be able to process it all!
To break into an organization, all the phishers need to do is to catch just one person. They don’t need to overphish the seas. Victims are plentiful enough!
Don’t assume that people won’t fall for obvious phishing scams — they do. That’s why it is essential to train people. I am pleased to announce that TeachPrivacy now is offering a phishing simulator service. We’ve teamed up with QuickPhish to provide a platform where organizations can conduct simulated phishing exercises for their workforce. A great way to teach people not to fall for phishing emails is through direct experience. When people wrongly click, our training can follow to teach them how to improve.
A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce. Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.
1. Be careful about data collection and discipline
Think about the data that you gather about employee performance on simulated phishing. It can be easy to overlook the implications of maintaining and using this data. I look at it through the lens of its privacy risks. This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences. How long will the data be kept? What will be done with it? How securely will it be kept? What if it were compromised and publicized online?
The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.
A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.
According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”
I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.
After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.
A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face. Phishing is an enormous problem, and it is getting worse.
In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.
by Daniel J. Solove
I’ve really been enjoying the new TV series Mr. Robot on USA. Network. It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security geeks.
The protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City. The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person. Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone. But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.
Elliot is very smart and clever, and he sees many around him as idiots. He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people. He lives most of his life inside his head. The show presents the stark contrast between what he says to others and what he is thinking. In one scene, we see him speaking to his psychiatrist, telling her hardly anything. But we hear his thoughts and know that he is pondering quite a lot.
by Daniel J. Solove
A few days ago, I posted about how boards of directors must grapple with privacy and cybersecurity. Today, I came across a survey by NYSE Governance Services and Vericode of 200 directors in various industries.
According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity. This finding is not surprising given the frequency of data breaches these days. There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.
by Daniel J. Solove
Although we are seeing increasingly more sophisticated attempts at phishing, it appears as though many phishers still haven’t been able to get their hands on a program with spell check. Why are we still seeing the $10 million lottery winning emails? Or the long lost relative of yours living in Fiji who is leaving you $4 million?
A recent article explains that for the phishers, it is all a numbers game:
“So, if 97 per cent of phishing attempts are unsuccessful, why is it such a large issue? Because there are 156 million phishing emails sent worldwide daily. . . . Of the 156 million phishing emails sent daily, 16 million get through filters. Another eight million are opened by recipients. 800,000 click on the link provided, and 80,000 provide the information requested.”