Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…
…it’s not the crooks on the other end.
The crooks are testing you all the time, so you might as well test yourself and get one step ahead.
(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)
You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customisable templates of its own that we update regularly.
The idea is to to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.
History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected. HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.
Searching for the best worst
Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”
Are business email users more likely to fall for sticks or carrots? For threats or free offers? For explicit instructions or helpful suggestions? For “you must” or “you might like”?
The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat.
Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.
Nothing on this list was truly urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.
The Top (or Bottom) Ten
- Rules of conduct. This purported to be a letter from HR outlining the company’s new Rules of Conduct. With global interest in increasing worksplace diversity and reducing harrassment, many companies are revising their employment guidelines. Most staff know that they’re supposed to read new guidelines, and that the HR team is obliged to chase them until they do, so clicking through here feels like a task you might as well get out of the way.
- Delayed year-end tax summary. This notified staff that their tax docmentation wouldn’t arrive when they expected. Whether your country calls it a W-2, a P60, an IRP 5 or a Payment Summary, it’s one of those “necessary evils” that staff know they need, so they might as well find out how long the delay will be.
- Scheduled server maintenance. We were surprised that this was #3, because we rather cynically assumed that most people would be inclined to ignore IT messages of this sort, on the grounds that they couldn’t do anything about them anyway. In retrospect, however, now that so many people are working from home, we suspect that people like to know when outages are likely so they can schedule their own lives around them.
- Task assigned to you. In this message, the Phish Threat user gets to pick a project schedulding system that their own company uses (e.g. JIRA, Asana), so that the email doesn’t stand out as obviously bogus. Although that makes this a semi-targeted phish, you should assume that the business tools used in your company are widely known and easy for crooks to figure out, perhaps even automatically.
- New email system test. Who doesn’t want to be helpful, if all it takes is one quick click?
- Vacation policy update. Thanks to coronavirus lockdown and quarantine, booking and taking vaction leave is a tricky issue these days. Many companies are adapting their vacation policies accordingly – and who wants to risk missing out on time off?
- Car lights on. In this message, the building manager was apparently being cheerily helpful by reporting a car with its lights turned on. In real life, you might be suspicious that they posted a picture instead of just typing in the vehicle tag – but it occurred to us that many states and provinces in North America don’t supply front plates any more, so a photo taken from the front of the vehicle probably wouldn’t show the tag (registration number) anyway.
- Courier service failed delivery. This is a tried and tested trick that crooks have used for years. It’s especially believable these days thanks to the surge in home deliveries due to coronavirus. In fact, you may be expecting a delivery yourself right now – and in most cases it’s the vendor who decides which courier company to use, so you might not know who is doing the drop.
- Secure document. This purported to be a “secured document” from the HR team, giving a plausible reason for making you take an unusual route to view it. This trick is widely used by phishing crooks as reason to convince you to enter passwords where you wouldn’t usually have to, or to adjust the security settings on your computer – ostensibly for the sake of improving security, but in reality to reduce it.
- Social Media Message. This one was a simulated LinkedIn notification promising that “You have unread messages from Joseph”. LinkedIn seems to be enjoying a surge in popularity right now, which is not surprising considering how many people have lost their jobs or had their working hours cut because of the coronvirus downturn. It’s tempting to click through, for fear of missing out, and scammers are happy to capitalise on that.
What to do?
- Think before you click. Even if the message looks innocent at first sight, are there any scam giveaways that are obvious if you take the time to check? Examples include: spelling mistakes you doubt the sender would make, terminology that isn’t how your company would say it, software tools your company doesn’t use, and behaviour such as altering security settings you have explicitly been warned not to change.
- Check with the sender if you aren’t sure. But never check by replying to the email to ask if it’s genuine – you will get the answer “Yes” either way, because a legitimate sender would tell the truth but a crook would lie. Use a corporate directory accessible via trustworthy means to find a way to get in touch with a colleague you think has been impersonated.
- Take a careful look at links before you click. Many phishing emails contain text and images that are error-free. But the crooks often have to rely on temporary cloud servers or hacked websites to host their phishing web pages, and the subterfuge often shows up in the domain name they want you to visit. Don’t be tricked because a server name looks “close enough” – crooks often register near-miss names such as
yourcompanny,yourc0mpany(zero for the letter O) oryourcompany-site, using misspellings, similar-looking characters or added text. - Report suspicious emails to your security team. Get in the habit of doing this every time, even though it feels like a thankless task. Phishing crooks don’t send their emails just to one person at a time, so if you’re the first in the company to spot a new scam, an early warning will let your IT department warn everyone else who might have received it too.
By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?
It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.
After all, when it comes to cybersecurity, an injury to one really is is an injury to all.
Mahhn
Sharing solutions,
We auto tag all inbound mail in the subject line and the footer – so that staff know it is external to be more cautious. All the phishing emails that pretend to be Internal are negated with this.
The rest is up to training – expecting phishing emails.
This week I contacted two legit companies that sent us malicious emails, to which they discovered accounts (at the least) had been hijacked. One was an investment firm, the other and insurance company. I only call these places that are legit, and usually business partners in any fashion. I’ve never shared with any media who these companies are over the years, but I don’t think most places disclose these compromises ever unless they get caught with a mess.
Paul Ducklin
Earlier this week, we wrote up the case of a UK construction company that got “BECced” – an email account was commpromised and used to go phishing against everyone in the poor chap’s address book (at least). He had the Naked Security contact address in there so we were one of the many lucky recipients :-) The email was surpisingly believable because it came from the claimed sender’s own account and claimed to be the kind of document you might expect a construction company to send…
…fortunately the crooks lost the plot a bit at that point, presumably either down to carelessness or to a blunder by some sort of automated script, and there were several telltales that we’re hoping everyone noticed:
https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/
Mahhn
“Report suspicious emails to your security team. ”
This is HUGE! this gives us the chance to block people from going to malicious links (and check if anyone did) in them that may be to new to get filtered.
IT can also block the real sender (not the pretend address you see in the email) by Email, domain, or IP or IP range. (it’s so satisfying to block IP ranges,, china,,)
It is not being a nuisance, it is helping your company. I thank people often, as it helps me be effective, and keep our jobs safe :)
Simon
You haven’t explained how you determined the ranking order. Is that somehow built into the simulator, in which case, how do we know it’s accurate? Or did you actually send phishing emails out into the world to see how real recipients reacted to them?
Paul Ducklin
Ah, as far as I understand it, this is based on click-through rates reported by customers who used Phish Threat themselves on their own users. No Phish Threat testing emails were out send out “into the world”!
As for “how do we know it’s accurate”, well, the measurements of sent-versus-clicked are correct because the product knows how many emails it sent and how many got clicked… I guess the real question is “how realistically do these simulation results model real life”, or “what is the statistical significance of this list”, and that’s not easy to answer. I think it’s fair to say “these results are representative and therefore tell a story that is both intruiging and actually useful”…
…but overall, I’m treating these as what you might call “fun with a serious side” rather than as a scientific measurement of phishing power.
I didn’t collect the data here, just thought it was interesting enough to report – but AFAIK we weren’t able to do any kind of correction for what I think is called confirmation bias. Notably, we can’t force every customer to try every phish in the database – their users would be awash in tests! – so we are, effectively, measuring the click-through results of the phishing samples *that customers already decided were the best ones to test with*. For all we know, if they’d used phishing samples that received wisdom would suggest were “too obvious” or “too well-known”, they might have got some surprises and found that “obvious” scams worked even better. (It’s hard to do any useful controls here, because you can’t legally spam the world to do the needed measurements.)
In short: I’m not saying “these 10 are the ones to worry amount more than any others”, just suggesting that these results are useful in giving us a feeling for how the phishing scene is evolving. It’s as though the crooks have woken up to the saying that you catch more flies with honey than with vinegar… and that the simpler and more everyday you keep your scams, the more likely that people will accept them as legitimate.
HtH.
Paul Ducklin
OK, I made a small change that I hope will help a little. I changed the HTML for the Top Ten list from an OL (ordered list, i.e. numbered 1 to 10) to a UL (unordered list, i.e. bulleted).
By not listing them 1 to 10 (those numbers were meant to be cardinal, not ordinal!), I hope to avoid the impression that I think there’s a statistically significant pecking order here, and instead to create the impression that I am just trying to create an impression (if you get my drift) that this group of phishing topics are ones to watch out for, rather than finishers in some kind of competition!
John Griffith
I worked in IT for 3 banks over 35 years (2 in the top 5) and never changed cubes. Our security team would send out test phishing emails. I always used the process to report suspicious emails and got an Atta-boy email in return. Apparently those that fell for the email got a nasty gram from security and word in their shell-like ears from management.
Keith Roberts
Sounds like a good idea to do a Phishing test at regular but unexpected intervals in a company, like John did working in a bank. That will keep people on their toes and help identify the employees that need more help in how to recognise and deal with real Phishing emails.
Maybe companies need to set up some internal training with this sort of thing?