Posey's Tips & Tricks

How To Bait End Users into Better Anti-Phishing Habits

Nobody likes to be lectured about security. When it comes to enforcing e-mail security practices among end users, some benevolent trickery is sometimes needed.

• By Brien Posey
• 01/10/2020

Even though e-mail-based phishing attacks have been going on for decades, users still inevitably fall for them.

Don't get me wrong -- I'm not trying to call end users stupid. I think that there are plenty of end users who are savvy enough to spot a phishing e-mail message.

Even so, there are three things that cause phishing to continue to be problematic:

1. The attackers aren't giving up. Phishing attacks are just as prevalent today as they were last year or the year before.
2. The attackers are becoming more sophisticated. While some phishing messages are easy to spot as obvious frauds, others would likely fool all but the most discerning person.
3. It only takes one user clicking on a malicious link to create problems for the entire organization.

Given these three facts, administrators have no choice but to take phishing attacks seriously. AI-based filtering will continue to be a critical component in the fight against phishing attacks, but given that some messages will inevitably slip through the filter, end user education is still equally important.

Over the years, I have been involved in several efforts to educate end users about e-mail-based threats. What I have discovered is that this type of end user education is only minimally effective. Simply put: Nobody likes to be lectured about security. While there may be a few people that absorb the security lessons being taught, most will simply tune out and forget everything that they have learned by the time that they make it back to their desk.

Recently, I stumbled onto a vendor that takes a more unique approach to end user security education. A company called PhishLabs has published an app that adds a button to the Microsoft Outlook toolbar. If a user identifies a message as being a phishing attempt, they can click on the button as a way to flag the message.

Flagging a message with the push of a button isn't really anything new. I remember anti-spam products from long ago that used a similar technique. Those products created a spam database containing messages that their customers identified through a similar technique. However, the thing that really caught my attention about PhishLabs is that the company's product will apparently send users bait messages.

From what I understand, the software will periodically send users phishing e-mails of its own. These messages are designed as something of a test for end users. If a user clicks on the button to identify one of these bait messages as a phishing attempt, then the user will see a message congratulating them for successfully identifying a phishing message. (The company's Web site did not make it clear what will happen if a user fails to recognize -- or recognizes, but fails to report -- one of the bait messages.)

Even though I have never had a chance to try out the software for myself, I think that the bait message technique could end up being a very viable way to teach users how to be on the lookout for phishing scams. Not only does the technique teach users how to recognize phishing messages, but it also gets them into the habit of reporting those messages, which can be beneficial to the entire organization.

I think that the key to making this or similar techniques truly effective is that the bait messages will need to evolve as phishing attacks evolve. After all, attackers continually adopt new methods in an effort to fool would-be victims.

In fact, it was one of these new methods that led me to stumble onto PhishLabs in the first place. Apparently, an attack now exists in which the victim is sent an invitation to access an Office 365 document. Once the user clicks on the link, they receive a message that the document requires a number of different permissions, and the user is prompted to click on an Accept button in order to grant those permissions.

The thing that makes this attack so unique is that the attacker does not attempt to steal the user's password. Instead, the attacker gains full access to the user's account by simply asking the user to grant full access permissions to an application that is under the attacker's control.

It is safe to say that no matter how sophisticated anti-phishing software may become, there will always be some attacks that are able to fool the filters. This means that the end user is ultimately the last line of defense, and so it makes sense to take the time to educate them on how to tell the difference between a legitimate message and a phishing message.