What We Believe

For years, Cofense has preached the value of educating users to report suspicious emails. The idea is simple: with rigorous, frequent practice, any user in any department can learn to spot a phish and report it to security teams for faster investigation.

It’s a myth, pure and simple, that humans are the weakest link. A workforce not educated in spotting and reporting phish will, of course, be vulnerable. But the same employees, when properly conditioned, are the best defense when perimeter controls, even the best, prove fallible.

Our approach stands in contrast to an over-reliance on security technology. Secure email gateways, an important layer of phishing defense, catch many but not all phishing emails. Cofense reported earlier this year that 90 percent of the phish we verify for customers are found in environments using one or more SEG. Check our blog: we’re constantly reporting on SEG misses, examining the ingenious methods attackers devise to get past the perimeter.

Every phish in the stats above was reported by a human. A user reported an email to a security team, which used technology and expertise to verify and respond. In this way, user reporting links phishing awareness to response and remediation. Some approaches see awareness as the end goal. But what about taking action? Focusing on click rates instead of user reporting is like teaching people to see something without saying something. This approach often stems from compliance initiatives, where the idea is to check a box—”90 percent of employees took the annual CBT”—which isn’t the same as preparing users to stop real attacks.

Reporting is a learned behavior, a kind of conditioning, which builds muscle memory so users won’t think twice about raising a hand. As we’ll see in the next section, when users report they also help the security awareness team quantify their program’s impact.

Reporting Button: Make It Easy, Make It Better

With Cofense Reporter, users can report suspicious emails with one click. The deployment of a reporting button, especially when integrated with the phishing simulation platform, provides two primary benefits:

1. It allows you to measure true behavioral change, along with user engagement in your phishing awareness programs. Remember, when it comes to susceptibility, or click rate, there is no certainty. There’s simply no way of being 100 percent sure that a user who didn’t click made a conscious decision. Perhaps the email wasn’t read at all. Reporting a simulation is a conscious and deliberate action. It provides an unambiguous indicator: how well is the end user engaging in your programs? Is the user actively behaving in ways that improve overall security?

2. When phishing threats bypass perimeter controls and are delivered to a user’s inbox, those controls have failed. The only sensors you have now are end users themselves. The presence of a reporting button in the email client reinforces the need to be mindful of phishing threats. It’s a simple way for the user to take defensive action.

Deployment of a reporting button keeps security awareness teams happy—they gain valuable metrics that demonstrate the effectiveness of their programs. And SOC teams are happy to get visibility of threats they would otherwise be blind to. Let’s start with a couple of top-level views, comparing customers that use the Cofense Reporter button to those that don’t.

Simulation Performance, Customers Using Cofense Reporter (June 2018 – July 2019)

Susceptibility: 9.8%

Reported Only: 23.1%

Resiliency: 2.35

As you can see, the reporting button makes a positive difference: more than twice as many people reported instead of clicking. Customers not using it, who report emails manually, get an incomplete view of employee performance. If you tried to compare the stats above to those for customers that haven’t deployed Cofense Reporter, the chart would look like this:

No button, no instant metrics. No reporting or resiliency rate for customers without the button. You get only part of the picture—the least helpful part, the 12-month susceptibility rate. The security awareness team is left to compile data manually, while the SOC and helpdesk have the unhappy task of rounding up reported emails, during simulations and otherwise. The absence of a button means more work and mediocre metrics. Cofense Reporter, on the other hand, automatically feeds the metrics into the PhishMe platform for easy analysis.

It’s interesting to see that Cofense Reporter appears to help lower susceptibility. We’re not exactly sure why, but it could be that the button is simply a visual reminder to click with care. Or, as one customer told us, “users need something good to click on” and when you provide it, bad clicks drop. Regardless of the reason, Cofense Reporter drives better inbox behavior across the board.

Frequent Simulations = Better Resiliency

Practice makes better, as the following chart illustrates.

Customers running monthly simulations have a reporting rate nearly double that of customers that simulate less frequently. The resiliency score is more than double, with susceptibility a good deal lower.

Repeat Offenders Have a Learning Curve

For some users, it takes a few bad clicks before the “Aha!” moment happens. Repeat offenders—users that click during more than one simulation—need a little more practice, especially if they’re in high-risk functions like finance or human resources.

One tactic some of our customers use: after running a companywide simulation, they follow up a few weeks later by targeting users that fell susceptible during the past few campaigns. This gives them a chance to flex muscle memory and apply what they’ve (hopefully) learned.

The Difference Relevance Makes

Besides being frequent, phishing simulations should be relevant. Simulations ought to reflect both the attacks an organization sees and the overall threat landscape. And given time and budget constraints, every simulation ought to count.

Ideally, security awareness and operations teams collaborate and everyone wins. Awareness program managers have confidence that simulations are relevant, while the SOC receives more useful reports from well-conditioned users. For further relevance, Cofense has rolled out Smart Suggest, a feature that uses an advanced algorithm and best practices to choose from nearly 2,000 Cofense PhishMe templates and recommend scenarios based on program and industry experience.

Most Popular Phishing Scenarios in Cofense PhishMe

June 2018-July 2019

Source: Cofense Phish Top 20 Phishing Scenarios, June 2018-July 2019

BEC, Sextortion, and File-Sharing Phish

Besides wire fraud, BEC attacks have recently shifted to payroll diversion scams targeting HR and finance departments. This wrinkle hits employees where they live, in their wallets.

Likewise, sextortion scams are a growing problem. Sextortion emails use fear and panic to extort a ransom payment, usually in bitcoin. Cofense Labs is monitoring a sextortion botnet with over 300 million compromised accounts. In the first half of 2019 alone, our researchers analyzed over 7 million email addresses impacted by sextortion. Cofense Labs assessed that more than $1.5 million in payments were made to bitcoin wallets associated with sextortion campaigns.

Attackers are also following businesses to the cloud, with greater abuse of filesharing services like SharePoint and OneDrive. Why? Because they’re legitimate and trusted, SEGs don’t usually block them. Users receiving an email with a link to a SharePoint file often won’t think twice before clicking.

Example of a phish that abuses SharePoint

‘Active Threat’ Scenarios Boost Performance

Another way our customers make their simulations relevant: using Active Threat scenarios based on input from Cofense Intelligence^TM,  who along with Cofense Labs form our threat-intel and research arm.  These teams have a unique perspective on phishing threats in the wild—campaigns and associated tactics, techniques, and procedures (TTPs)—as well as threats evading perimeter controls to reach users’ inboxes.

The chart below compares overall performance across all simulations over a 12-month period: customers that use these scenarios in their mix versus those that don’t.

Customers using Active Threat scenarios ran the table: the reporting rate was 4.6 percentage points higher, resiliency was 1.01 higher, and susceptibility was 2.3 lower. Threat actors study security controls, including secure email gateways, to adjust their tactics and keep a step ahead. This makes it urgent for awareness programs to simulate real threats. Use of Active Threat scenarios, versus random scenario selection, is the sort of refinement seen in mature programs.

Another Way to be Relevant:
Industry Benchmarking

Boards of Directors often ask: “How does our awareness program stack up within our industry?” Cofense PhishMe provides industry benchmarks in our Board Reports and other formats.

Below is a snapshot across industries classified as critical infrastructure. Because these industries have more regulatory pressure, they run more simulations. Moreover, industries like energy and finance are frequent targets of nation-state actors.

LOOKING AHEAD

Our data makes the case for key best practices: frequent simulations, relevant scenarios, and building a culture of reporting. Together, they add up to stronger phishing resiliency.

What is a Good Resiliency Rate?

It depends. At a minimum, we recommend aiming for a resiliency score of 1.0—for every user who clicks on a simulation, another reports it. But as you’ve seen, many industries have a much higher resiliency score. For example, mining has a score of 3.55. Imagine what that means during a real attack. If a targeted phish is delivered to 100 users at a mining customer, on average eight users would be expected to click. However, the SOC gets alerts from 29 users about a potential attack, visibility it might not otherwise have. The team can act before it’s too late.

The true value of high resiliency comes when the SOC turns users’ reports into actionable intelligence. When the SOC is able to prioritize, analyze, and understand the information users provide, it can take decisive action to neutralize the threat, cutting through the noise to “find bad” quickly. As organizations begin to track resiliency, they should ensure they’re tracking other metrics, too:

– Volume of reported emails
– Volume of malicious emails/threats identified
– Time to respond – from initial report to analysis
– Time to analyze
– Time to mitigate

Phish Testing is the Enemy of Phishing Defense

In phish testing, the idea is to run occasional simulations and establish a baseline. The focus is almost exclusively on click rates, not reporting.

This practice is riddled with problems. The tests are a kind of vulnerability scan for users, but you can’t patch users as you would machines. Moreover, due to variables such as timing and scenarios used, the baselines are only so helpful. And in a rapidly changing landscape, where phishing tactics evolve daily, trying for a zero click rate reflects an obsolete mindset. You need to drive reporting, not mere awareness, to give security teams visibility into real threats. If this isn’t happening, you’re building a false sense of security.

5 Reasons Why Phish Testing Doesn’t Work:

1. An over-emphasis on click rates suggests that awareness is the real goal, an isolated activity unconnected to broader cyber-defense.

2. Stressing click rates turns phishing defense into a game of “Gotcha!” Users either pass or fail, with little educational benefit. No wonder too many users find their awareness programs punitive and stop engaging altogether.

3. The goal of higher user reporting gets lost. Instead of concentrating on helping users do the right thing—to say something when they see something—phish testing leads you to believe it’s all about the metrics. Data is important, but there’s more to phishing defense than obsessing over numbers

4. Inattention to reporting means missing out on valuable intelligence. When security teams aren’t able to operationalize human intel, they’re blind to real threats that evade technical controls. Likewise, without steady reporting data, awareness managers can’t operationalize click rates or, for that matter, compare results over time. It’s pointless to compare one set of test results to another, since over time the users tested and circumstances will change.

5. Infrequent testing can’t keep pace with the shifting threat landscape. It’s impossible to prepare users for the latest attacker techniques when they only practice a few times yearly.

If your objective is to unite users and security teams against phishing, the better way is to stress reporting and overall phishing defense.

The ‘Weakest Link’ Myth
Can Weaken Your Security

To embrace the value of user reporting and build real phishing resiliency, security practitioners first need to free their minds. They need to bust the myth that humans are the weakest link, the most frequent point of failure in organizational defense.

Yes, phishing is a human problem. The whole idea is to trick someone. But the technology designed to stop attacks gets fooled itself, every day, by innovative tactics machines don’t recognize. Again, if you don’t believe this, peruse the Cofense blog, a catalog of technology misses and the active threats they trigger. Or view the Cofense Phishing Threat and Malware Review 2019, which details the cat-and-mouse game threat actors play so well.

Holding fast to the weakest-link myth will hold you back. It will limit the effectiveness of your phishing defense programs. After all, if you don’t believe in your people, they can’t possibly reach their potential. They won’t learn to recognize and report phishing emails. Nor will they give your SOC the visibility it needs to stop a phishing attack before lasting damage is done.

When perimeter technology fails, people must step up. Given the right conditioning, they will. They’ll unite to become a “Human Intrusion Detection System,” a set of sensors intuiting threats your controls miss. It’s human intelligence, not the artificial variety. And it’s exactly what your security awareness program should provide.

Further Reading