Submitted 1 month ago by cm0002@infosec.pub to cybersecurity@infosec.pub
I would be more interested in a study of people entering credentials or taking other risky actions after clicking.
Yes, people whose job includes lots of link clicking are going to click links.
And one obvious but good conclusion: invest in mandating MFA for sensitive actions.
Totally agreed, I get it’s easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.
Also, this is just an anecdote, but in a similar phishing simulation i helped with, we had to bypass filters for rejecting emails with links for websites registered in the last 60 days. Obviously this isn’t a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we’ve indirectly been training employees to not deal with that.
mfa is not going to help when people will literally transfer their money to a scammer, because the scammers convinced them that said money are in danger and only way to protect them is to transfer them to “secure account”
Perhaps because corporate security training is boring as hell?
I worked up a training class over the course of a year. Ridiculous to take so long, but I wanted to nail it. I figured there were three key things.
The things I talked about had to be relevant to the employees. I pared the stories down to items they could actually encounter. This is how an attack can affect you, how it can affect us.
Anything I wanted to talk about had to come with actionable prevention techniques. Here’s the problem, here’s what you can do about it. They had to feel empowered, not helpless.
The class had to be entertaining and interesting, start to finish, no fumble fucking around. I rehearsed that entire year until I could do it in my sleep. Plenty of humor threaded throughout the talk.
Nervous as hell when the day finally came. I have no problem speaking to a group, love it in fact. But talking cybersecurity to non-technical people is about as boring as it gets. Business owners bought everyone lunch and we met in the conference room.
Timed it to run for 40 minutes, left space at the end for questions. Talk about a resounding success! Everyone in the room was engaged and had questions, some even staying beyond the allotted hour. Fuck me, I actually got applause! (Yes, and everyone clapped. Really.)
Phishing tests went from 25% failure to 4% failure overnight. I left a USB drive on the floor by the printer. No one touched it for three days, and then only to place it on the table.
A good teacher builds their lessons around their pupils.
This was before I watched Paul Harrell (RIP) on YouTube. Gun content, take that as you will. But the man was a masterclass in how to present information.
Tell 'em what you’re going to tell 'em. Tell ‘em. Tell’ em what you just told them.
Never once talked down to anyone, except for “so called experts”. Never assumed the audience knew specific things. Always showed examples and tests, with controls. Always spelled out any inexact differences in testing, no matter how small. Sprinkled in some dry humor, often unexpectedly. Anyone who teaches could learn from the man.
Hell ya. I’m glad you feel really proud about that. I’ve lead so many garbage trainings, it makes the great ones really stand out!
Thank you! I AM proud! It’s one of the finest things I’ve accomplished in the corporate world, and actually useful.
The dedication to your task is commendable 👏. This is becoming rare day by day.
Abstract from the paper itself:
This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.
And the methodology:
Our study analyzes the performance of nearly 20,000 full-time employees at UCSD Health across eight months of simulated phishing campaigns sent between January 2023 and October 2023. UCSD Health is a major medical center that is part of a large research university, whose employees span a variety of medical roles (e.g., doctors and nurses) as well as a diverse array of “traditional” enterprise jobs such as financial, HR, IT, and administrative staff. For their email infrastructure, UCSD Health exclusively uses Microsoft Office 365 with mail forwarding disabled. On roughly one day per month, UCSD Health sent out a simulated phishing campaign, where each campaign contained one to four distinct phishing email messages depending on the month. Each user received only one of the campaign’s phishing messages per month, where the exact message depended on the group the user was randomly assigned to at the beginning of the study (§ 3.1). In total these campaigns involved ten unique phishing email messages spanning a variety of deceptive narratives (“lures”) described in Section 3.2. All of the phishing lures focused on drive-by-download or credential phishing attacks, where a user failed the phishing simulation if they clicked on the embedded phishing link.
I guess the point is that users who are taking training are not more likely to pass the phishing simulations but I think that’s missing point. In competently ran organizations the point of these trainings aren’t explicitly to teach people to not fall for tests but to be able to identify which users are your greatest risks and either give them more support or can them if they are to high of a risk that it outweighs their productivity.
Of course the people who are taking more training are failing tests. It’s because they lack the computer skills or cognitive ability to understand what they doing. But taking a five minute training that says “don’t click the link” isn’t going to magically make people not get phished, but it has usefulness in basic awareness (which is why we have the super basic cyber security awareness training as well)
The reality is that all human beings can be socially engineered if the attacker is motivated enough. You can’t stop it by training only by planning and being proactively prepared
Ironic thing a company I use to work for would send out both email you need to click links to do your job then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test email. Total stupidity. Your expected to tell the difference when there is no way to do so. The training was moe CYA then anything.
I got some emails about required training from outside the company. I needed to download and complete a PDF, which had links to other forms to complete, all offsite. I do know with certainty that the email was legit, but I reported as phishing. Still haven’t heard back about this critical training attestation, so I assume their tracking is as awful as the process.
It’s not my ass on the audit finding. Fix your shit.
One time I failed a phishing test because I did a message trace and confirmed that it originated from our own internal servers.
I report emails that I know are legit if it fails the phishing rules. Best example is unprompted emails from third party services that I know my company is using. If I don’t get a real email from a real employee either including the link or warning me that a valid third party link is coming, I’m not going to click it.
Make your shit legit or I’m not gonna do it.
This is exactly it. Out sourced stuff that there is no way to verify. I stopped clicking on this stuff too unless I had to.
It’s also such a dumb metric because most of people’s jobs are to click on links elsewhere on the internet, yet when it’s in an email, it’s bad? Unless you’re running an old browser or there is a 0 day, simply opening a link isn’t going to hack your system, but further actions by the user would need to be taken to be compromised. These simulations don’t account for that.
The real idiotic thing is a network where one client system compromise compromises the whole company.
Clicking the link hypothetically confirms to the spammer that yours is a valid and monitored email address, and that you’re a sucker suitable for more targeted phishing.
Of course, it seems like every random user will also happily type their password into any text box that asks for it, too.
I’ve “failed” phishing tests because my email client loads images by default. The way they set it up.
I reported the “you failed a phishing test” email as a phishing attempt, and funnily enough they backed off on the “mandatory training”.
Bottom line, don’t set your employees up for failure. Even the tech literate are going to fail if that how you set shit up.
When the son of the deposed King of Nigeria emails you directly asking for help, you help. His father ran the freaking country, okay?
Fond memories to my last company, where every email had its links obscured in the email client, so you couldn’t even tell where they led before you clicked on them.
I never understood this
I mean in that case it was running everything through a filter when accessing said links. Fair enough, but makes the training we did to verify links mildly pointless, and I don’t believe it was that good at filtering out phishing links either.
Isn’t any training better than no training?
no. training costs time and money, so if it has zero effect, then no training is clearly better.
I guess I don’t understand the metric of success. My training at work has helped me recognize risks more than most of my family that has no idea what root domain URL scam is. Did most of my family fail? Yes. Did 20% learn something and avoid risk? Yes.
In large companies the training is for liability purposes, “see they all passed their tests, we tried to warn them”. People are always going to be the attack vector, that’s unavoidable… but 20% success is better than 0% success. As an admin, if I received a 20% spike in phishing reports, that’s statistically significant and should be looked into and stopped (proxy violation).
Cost of training is unavoidable and budgeted for.
Maybe not if it only gives a false sense of security.
It’s weird how private email and verified senders are a problem solved like 20 years ago. And we still can’t figure it out?
Who’d of thunk you should maybe pay better and invest in quality employees.
Is it the quality of an employee?
My boss makes double what I do. His boss - triple. The CEO speaks of record profits, and HR says we can’t afford raises.
I literally could not care less if my company gets hacked.
oh the quality employees may already be there but the pay needs to be on a level that they would be crazy to go work somewhere else.
xxce2AAb@feddit.dk 1 month ago
That’s a shame, although I unfortunately have no problem believe that’s the case in general. I still personally benefit from the social engineering resistance training I’ve had over the years to this day though.
bamboo@lemmy.blahaj.zone 1 month ago
Me to, I use it to get out of situations I don’t want to deal with. “Ohh you’re calling me asking for PII? Sorry, i can’t provide that information unless I initiate the conversation. I’ll call the number I have on file for you to provide that.” <hangs up and never follows up>
xxce2AAb@feddit.dk 1 month ago
That’s the spirit!