A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers targeting holiday shoppers have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly popular among threat actors and is better positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that in the U.S., more than 630 million packages were delivered to shoppers during the holiday period last year, and FedEx predicts 317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about to prepare for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely known that the keys to successful social engineering are fear and greed. When presented with compelling stimuli under these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link. As Christmas approaches, certain malware families such as ASProx may have high-volume spikes, taking advantage of shoppers lowering their guard. In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart. Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to prevent detection by causing the spammed links to point to websites that had been “known to be good” until the morning of the attack.
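One defender-side check that follows from the tactic described above (a brand-impersonating "delivery failed" notice whose links point at a compromised third-party site, so domain reputation alone does not catch it): flag the notice when the sender or link domains do not belong to the brand the message claims to be from. This is an added example, not code from PhishMe or from the post; the brand-to-domain table and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names that a "delivery failed" lure typically borrows, mapped to the
# registrable domains a genuine notice from that brand would link to.
# ASSUMPTION: this mapping is illustrative; a deployment would maintain its own.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "costco": {"costco.com"},
    "bestbuy": {"bestbuy.com"},
    "walmart": {"walmart.com"},
}

# Phrases that supply the "fear" stimulus the post describes.
URGENCY = re.compile(r"failed|missed|unable to deliver|could not be delivered|reschedule", re.I)
LINK = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'www.ups.com' -> 'ups.com'.
    ASSUMPTION: no public-suffix list, so 'co.uk'-style names are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(msg: Message):
    """Brand the message pretends to come from, judged by From and Subject."""
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    for brand in BRAND_DOMAINS:
        if brand in header_text:
            return brand
    return None


def analyze(raw_message: str) -> dict:
    """Return a verdict for one plain-text email together with the reasons."""
    msg = message_from_string(raw_message)
    brand = claimed_brand(msg)
    body = msg.get_payload()
    reasons, mismatched = [], []
    impersonation = False

    if brand is not None:
        good = BRAND_DOMAINS[brand]
        # The sender's domain should belong to the claimed brand.
        sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1]
        if registrable_domain(sender_host) not in good:
            impersonation = True
            reasons.append(f"sender domain {sender_host!r} is not a {brand} domain")
        # Every link should lead to the brand; a hacked third-party site does not,
        # no matter how clean its reputation was the day before.
        for url in LINK.findall(body):
            host = urlparse(url).hostname or ""
            if registrable_domain(host) not in good:
                mismatched.append(url)
        if mismatched:
            impersonation = True
            reasons.append(f"{len(mismatched)} link(s) lead away from {brand}")

    # Urgent wording alone is normal for a real notice; it only adds context.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        reasons.append("urgent delivery-failure wording")

    return {
        "brand": brand,
        "verdict": "suspicious" if impersonation else "ok",
        "reasons": reasons,
        "mismatched_links": mismatched,
    }


# Constructed sample messages (not real mail); .example is a reserved TLD.
PHISH = """\
From: "UPS Customer Service" <notice@ups-tracking-update.example>
Subject: Failed delivery attempt - action required
Content-Type: text/plain

We were unable to deliver your package. Reschedule here:
http://bakery-of-springfield.example/wp-content/track.php?id=1Z999
"""

LEGIT = """\
From: "UPS" <no-reply@ups.com>
Subject: Delivery attempt missed
Content-Type: text/plain

We missed you today. Track your shipment at https://www.ups.com/track?tracknum=1Z999
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample))
```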

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.


Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

SC Magazine Awards Recognize PhishMe as Finalist in Best IT Security-Related Training Platform Category for the Second Year in a Row

Fresh off our win in the same category last year, we’re thrilled that PhishMe Simulator has been chosen as a finalist once again in the 2017 SC Magazine Awards for Best IT Security-Related Training Platform. The award highlights companies and organizations that provide end-user awareness training programs for enterprises to ensure that employees are knowledgeable and supportive of IT security and risk management plans.

We’ve worked hard to live up to the honor of winning this prestigious award and many others such as being named a leader in the Gartner Magic Quadrant for Security Awareness Computer Based Training.

This industry recognition reinforces PhishMe’s commitment to delivering the best solutions to combat today’s top cyberthreats such as phishing emails and their malicious intent – whether malware, BEC or credential theft. These types of attacks show no signs of slowing down – and neither will PhishMe. Just recently, Europol named ransomware the top cybercrime threat and our own PhishMe Q3 Malware Review showed that 97 percent of phishing emails now contain some form of ransomware.

As the reigning winner of this award, we have strived to spread our philosophy that Awareness is Not Enough. By leveraging our unique approach to phishing defense, our customers have been able to train their employees to be security assets instead of vulnerabilities by behaviorally conditioning them to identify and report threats. As such, we look forward to being considered by the judges as a finalist for another year in the training program category.

By empowering employees with the proper conditioning needed to detect and report malicious phishing emails, our users quickly and efficiently assess organizational risk, identify areas for additional improvement as well as provide security teams with effective intelligence that allows them to respond to incidents in a timely manner. In some cases, this type of conditioning has reduced a company’s overall susceptibility by more than 95 percent.

We’re excited to find out if we’ve made the cut again during the awards ceremony on Tuesday, February 14, 2017 at the Intercontinental San Francisco. Wish us luck!


To learn more about the SC Magazine Awards, visit https://www.scmagazine.com/awards/

Learn more about our multi-lingual, complimentary, computer based training – PhishMe CBFree.

Ransomware Delivered by 97% of Phishing Emails by end of Q3 2016 Supporting Booming Cybercrime Industry

PhishMe Q3 Malware Review finds encryption ransomware has hit record levels, while ‘quiet malware’ remains a significant threat

LEESBURG, VA – November 17, 2016: PhishMe Inc., the leading provider of human phishing defense solutions, released findings today that show the amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 from 92% in Q1. Remaining at the forefront is the Locky encryption ransomware, which has introduced a number of techniques to resist detection during the infection process.

Published today, PhishMe’s Q3 2016 Malware Review identified three major trends that were previously recorded throughout 2016 but have come to full fruition in the last few months:

  • Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity
  • Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities
  • Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO and Co-founder, PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase, since the malware’s introduction at the beginning of 2016, and thanks to its adaptability, is showing no signs of slowing down.”

While ransomware dominates the headlines, the Q3 PhishMe Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO and Co-founder of PhishMe added, “The rapid awareness and attention on ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. Only by preparing for these attacks is it possible to empower users to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”

To download a full copy of the Q3 2016 Malware Review, click here.


About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

PhishMe Ranked No. 152 Fastest Growing Company in North America on Deloitte’s 2016 Technology Fast 500™

Company Attributes Massive Revenue Growth to its Unique Approach to Preventing and Mitigating Cyber Attacks

Leesburg, VA – November 17, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, today announced it ranked No. 152 on Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America based on revenue growth. PhishMe grew 564.1 percent over the last three years, as enterprises implement its suite of products to mitigate cybersecurity threats.

“The unprecedented increase in frequency and damage caused by cyberattacks in the recent past has created a demand for innovative defensive solutions that can adapt to the attackers’ changing tools and techniques,” said Rohyt Belani, PhishMe CEO. “Our dogged focus on innovation, followed through with strong execution, has supported the company’s explosive growth over the last three years. We are honored to be recognized on this coveted list by Deloitte.”

“Today, when every organization can be a tech company, the most effective businesses not only foster the courage to explore change, but also encourage creativity in using and applying existing assets in new ways, as resourcefully as possible,” said Sandra Shirai, principal, Deloitte Consulting LLP and U.S. technology, media and telecommunications industry leader. “This ingenious approach to innovation calls for the encouragement of curiosity and collaboration both within and outside the office walls.”

“This year’s Fast 500 winners showcase that when organizations are open to diverse perspectives and insights, they are able to create an environment for their employees and customers to see the possibilities and ingenious solutions that might lie ahead,” added Jim Atwell, national managing partner of the emerging growth company practice, Deloitte & Touche LLP. “Entrepreneurial environments foster change and innovation within businesses, and we look forward to watching these companies continue to drive change across all sectors.”

PhishMe, Inc. previously ranked number 99 as a Technology Fast 500™ award winner for 2015. Overall, 2016 Technology Fast 500™ companies achieved revenue growth ranging from 121 percent to 66,661 percent from 2012 to 2015, with median growth of 290 percent.

About Deloitte’s 2016 Technology Fast 500™

Deloitte’s Technology Fast 500 provides a ranking of the fastest growing technology, media, telecommunications, life sciences and energy tech companies – both public and private – in North America. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth from 2012 to 2015.

In order to be eligible for Technology Fast 500 recognition, companies must own proprietary intellectual property or technology that is sold to customers in products that contribute to a majority of the company’s operating revenues. Companies must have base-year operating revenues of at least $50,000 USD, and current-year operating revenues of at least $5 million USD. Additionally, companies must be in business for a minimum of four years and be headquartered within North America.

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


PhishMe Appoints Shane McGee as General Counsel & Chief Privacy Officer

Expansion of Management Team Signals PhishMe’s Commitment to Privacy, Compliance and Ethics

Leesburg, VA – November 10, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, announced today it has expanded its senior leadership team and appointed Shane McGee as general counsel & chief privacy officer. McGee will be responsible for all of PhishMe’s legal affairs, acting as a strategic business partner and providing advice and oversight in several areas including privacy, compliance and ethics.

“PhishMe is growing and maturing as a company and we’re excited to welcome someone to the team with experience as extensive and impressive as Shane’s,” said Rohyt Belani, CEO of PhishMe. “This addition to the management team is the next step in our continuing growth and ongoing commitment to protect our company and customers globally.”

McGee joins PhishMe from FireEye where he was chief privacy officer and vice president of policy and managed the company’s global privacy program. He also led FireEye’s government affairs team, whose aim was to promote security policy changes around the world to safeguard against the increasing amount of cyberattacks from hackers and state-sponsored actors. He will now bring this expertise to PhishMe to continue those efforts and help lead the way in cracking down on phishing and malware scams, most notably ransomware, which has recently become the top cybercrime.

“In our digital world, cybersecurity is one of the fastest growing market sectors today, and PhishMe is in a position to make a real difference in the business community,” said McGee. “By joining PhishMe, a global leader in cybersecurity, I now have the unique opportunity to work with more than half of the Fortune 100 companies in their efforts to avoid and mitigate the damage done by cyberattacks.”

For nearly 20 years, McGee has been a practicing attorney focusing on data privacy and security law. He served as Mandiant’s General Counsel in charge of handling legal and government affairs for the company, and negotiated and finalized the sale of Mandiant to FireEye for more than $1 billion. Prior to joining Mandiant, McGee was a partner with SNR Denton (now Dentons) a large international law firm, where he was chair of the firm’s U.S.-based Data Protection Group.

Over the course of his career, McGee has counseled some of the world’s largest technology companies on privacy, compliance and security issues. He has represented several clients in privacy-related FTC inquiries, counseled clients on transactions involving large volumes of consumer data, and joined litigation teams on cases involving technology rights and advanced electronic discovery issues. Before going into law, McGee was a programmer, consultant and instructor, and he remains a Certified Information Systems Security Professional (CISSP).


Rohyt Belani Named a Technology Finalist in DC Inno’s 50 on Fire Awards

We are thrilled to announce that our Co-Founder and CEO Rohyt Belani has been named a finalist in the technology category for DC Inno’s 50 on Fire Awards. These awards recognize the top 50 movers and shakers in Washington, D.C. across a variety of business verticals and practices, honored for their innovation, energy and contributions to their respective fields while making a big impact on the Washington, D.C. area.

Finalists have been carefully selected by DC Inno staff based on their 2016 editorial coverage of news and announcements; an expert judging panel will then whittle the finalists down to the top 50 honorees for this year.

DC Inno recognizes professionals across a wide range of industry verticals, including: Community, Design, Education, Government & Advocacy, Healthcare & Medicine, Investment, Lifestyle, Marketing & Advertising, and Technology.

Read more about the 50 on Fire Awards on the DC Inno Blog.

Did you know that PhishMe was recently named one of the 50 Fastest Growing Private Companies of 2016 by the Washington Business Journal? Check out our recent press release to learn more.

PhishMe Adds International Training Modules to Complimentary Computer Based Training Program

Leesburg, VA – October 31, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, today announced the availability of new international modules for its complimentary CBT program, CBFree. The release, which follows PhishMe’s recognition as a leader by Gartner in the research firm’s 2016 Security Awareness Computer-Based Training Magic Quadrant, provides six fully translated and localized editions of CBFree. Available to any organization regardless of whether they are a PhishMe customer, CBFree provides employees with security awareness training on today’s greatest cybersecurity threats including spear-phishing, ransomware, and business email compromise (BEC).

Released during National Cyber Security Month in the U.S., the new modules have been delivered as a response to the huge number of localization requests PhishMe receives every month from organizations wanting to meet compliance obligations. Recognizing that cybercrime is a global problem and that many organizations have an internal requirement to provide a broader program for security awareness training to their employees, the localized modules for CBFree enable access to world class non-English CBT lessons.

“CBFree has proved extremely popular among companies looking to provide awareness CBTs to expand their security awareness programs and satisfy compliance requirements,” explained Jeff Orloff, Director of Content at PhishMe. “With our new international modules, we’ve made this valuable educational content available to a much wider audience. That said, PhishMe acknowledges that awareness is not the problem. CBTs alone won’t address the full extent of the cybersecurity problem. By offering CBTs at no cost, PhishMe is enabling organizations to focus their resources on instituting impactful programs to effect real changes in behavior.”

Now available in English, French, German, Japanese, Chinese, Spanish and Portuguese, PhishMe’s current library of complimentary CBTs includes 15 security awareness modules and three compliance training modules. The second phase of the international launch will add languages for the Middle East, Russia and Italy.

“Cyber Security Month has been illuminating this year for the security industry,” concluded Rohyt Belani, CEO, PhishMe. “The level of discussion around threats faced by the business community is higher and more complex than ever before. This, coupled with the growing popularity of our CBFree program and demand for international modules, emphasizes the growing need for company-wide engagement around cybersecurity. However, if we want to make a dent in the enormous scale of this problem and protect global enterprise now and in the future, we must continually expose employees to safe, managed experiences that condition them to adjust core behaviors. Only then will our line of defense be strong enough to make a difference.”

To learn more and to download these modules, please visit PhishMe CBFree.

To receive a complimentary copy of the Gartner 2016 Security Awareness Computer-Based Training Magic Quadrant, click here.


PhishMe, Inc. Recognized by Washington Business Journal as One of Washington D.C.’s Fastest Growing Companies

LEESBURG, VA – October 28, 2016 – PhishMe, Inc., a global provider of phishing defense and intelligence solutions for the enterprise, announced today that the Washington Business Journal has ranked the company as #21 of Washington’s 50 fastest growing private companies of 2016. PhishMe’s team was honored at a public award ceremony on Thursday, October 27, where their ranking on the list was announced. Additionally, the list has been published on the Washington Business Journal’s site.

This highly competitive list is comprised of companies that have recorded consecutive year-over-year growth of more than $2 million in revenue in 2013 and more than $10 million in revenue in 2015. The firms are privately held during the reporting period and must be headquartered in the Washington D.C. area. They cannot be subsidiaries of other companies. The Washington Business Journal then calculates the revenue growth percentages by which the companies are ranked. Only the top 50 make the list.

“Making the Washington Business Journal’s list of the fastest growing companies is a great honor and an indication of all the hard work our team has been doing,” said Rohyt Belani, Co-Founder and CEO of PhishMe. “As cybersecurity continues to be at the forefront of businesses in this digital age, our strong business fundamentals and ability to adapt to the market has afforded us the platform for strong growth.”

PhishMe has recently achieved record cumulative growth of more than 560 percent over the last three years. In addition, the company has helped more than half of the Fortune 100 organizations defend themselves against thousands of phishing attacks perpetrated by cybercriminals across the globe, helping PhishMe attain a 93 percent gross retention and negative net churn. This has resulted in PhishMe also being recognized as a leader in the 2016 Gartner Magic Quadrant for Security Awareness Computer-Based Training.

The company’s growth has landed PhishMe on multiple lists of the nation’s fastest growing companies, including Deloitte’s Technology Fast 500 and the Inc. 500/5000 Awards.


PhishMe Recognized by Gartner as a Leader in Magic Quadrant for Security Awareness CBT 2016

PhishMe positioned as a leader for ability to execute and its completeness of vision

Leesburg, VA – October 28, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, announced today it was positioned as a leader by Gartner, Inc. in the global research firm’s 2016 Security Awareness Computer-Based Training Magic Quadrant for its ability to execute and its completeness of vision.

To receive a complimentary copy of the report, go to the PhishMe website.

“We are especially pleased to be included as a leader in the Gartner Security Awareness CBT Magic Quadrant this year,” stated Rohyt Belani, CEO and Co-Founder, PhishMe. “We take a more interactive approach to security awareness than the traditional vendors. PhishMe creates awareness and training materials as part of its Human Phishing Defense platform, which is designed to modify behavior through experiential learning and engagement. It’s an approach which has been proven to reduce the threat of employees falling victim to sophisticated cyberattacks by up to 95 percent.”

PhishMe provides a complete anti-phishing product portfolio that engages both everyday users and the IT security response teams. “PhishMe aggressively invests in new product capabilities and services, which is a critical requirement for any cybersecurity company,” commented Aaron Higbee, CTO and Co-Founder, PhishMe. “Hackers are always coming up with new ways to circumnavigate our defenses and the onus is on security vendors to develop new ways to respond. We believe that Gartner has recognized PhishMe’s technical innovations and growth in this area.”

To protect against advanced phishing attacks coming from motivated attackers, many modern enterprises rely on PhishMe – including more than 50 percent of the Fortune 100 – as the foundation of their security programs. This is one more indication of PhishMe’s leadership in the security industry, along with many other awards and honors that the company has received, including the most recent accolades from: the 2016 SC Award, 2016 Inc 500/5,000 award, 2016 EY Entrepreneur of the Year finalist, 2016 Information Security Products Guide Global Excellence Award, 2016 CDM Infosec Awards and 2016 Washington Business Journal Best Place to Work Award.

To learn more about PhishMe’s solutions, please visit www.phishme.com. The PhishMe human defense solution suite includes PhishMe Simulator, PhishMe Reporter, PhishMe Triage, PhishMe Intelligence and PhishMe CBFree.


Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including all warranties of merchantability or fitness for a particular purpose.


Behavioral Conditioning, Not Awareness, Is the Answer to Phishing

BY AARON HIGBEE AND SCOTT GREAUX

You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to apply research results from a student population to enterprise workers. We have several problems with the approach as described. For starters, it wasn’t designed by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe Simulator provides customers with templates that include the exact content used by threat actors. By deriving content from our Phishing Intelligence platform, we provide experiences that are relevant to enterprise users. This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.