YYBC: Don’t lie to your users about compliance

2014 was PhishMe’s 3rd year at RSA. Our growing team allowed me to steal a few hours away from the Exhibit floor and attend some excellent sessions. While many of the sessions I attended related to PhishMe’s offering I also made it a point to take a break and enjoy some fringe topics. A talk entitled: “The Dark Web and Silk Road” with Thomas Brown, Deputy Chief for Cyber, U.S. Attorney’s Office of Southern New York was a fascinating view into how Bitcoin is used in illicit underground marketplaces. The presentation was well-done and a great play by play about how the man behind Silk Road was unmasked and arrested.

Another presentation that really stood out: “Cognitive Injection: Reprogramming the Situation-Oriented Human OS” with Akamai CSO Andy Ellis.

The Double Barrel Throwdown 2013

One of the great things about the IT Security industry is the intelligent, creative, and interesting people who work in this field. PhishMe challenges you to show just how witty you really are by submitting us your best idea for a Double Barrel phishing scenario. Read below for contest details:

How to defend against longline phishing attacks

A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing.  The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls.  Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization.  This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.

Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.

PhishMe’s 2013 RSA Conference Preview

PhishMe (along with our giant bowl of Swedish Fish) will be attending the RSA conference this month for the second time, and we’re pretty excited to be returning to the City by the Bay. We’ve grown a lot since last year’s conference, and this year provides us with a chance to show off how PhishMe has evolved – both as a product and company.

Who better to help us preview our first big event of the year than our founders, CEO Rohyt Belani and CTO Aaron Higbee? I conducted short interviews with each outlining what they are looking forward to, not only about returning to the conference but also about visiting San Fran itself.

2011 – The year of spear phishing And spear phishing

spearphish vs spearphish

spear phish vs. spear phish

An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories.  This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)

User Awareness: A Growing Concern Among Organizations

Phishing has always been a challenge for companies, but in recent months high profile breaches have cast a bright light on a more pressing aspect of the phishing threat – user awareness; or the lack there of! The reason phishing attacks are so effective is because most employees have a basic level of phishing awareness. Companies attending recent events such as Black Hat and SANSFIRE, reiterate a common theme; “we need more effective ways to increase our employees’ awareness to help minimize the success of phishing attacks.”

Once thought of as a threat that could be mitigated simply by an email filter solution, phishing (and now more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective in differentiating well-crafted and targeted emails from legitimate ones.  This leaves employees as the last line of defense which is highlighting the need for improved education. The challenge for many security IT professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that they lack consistency and content.  This awareness model does little to increasing their employees’ awareness or change their behavior.

Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.

There are several different ways PhishMe works with our clients to improve overall employee awareness including online games, tutorials, custom training and awareness program consultation.  In the end it comes down to striking the right balance between content and repetition for your enterprise.  Having trained over 2 million users to date our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.

If we are in your area, we welcome you to come speak with us at an upcoming event!


The PhishMe Team


RSA Conference: Circus of Vendors

In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. Must have been 300 booths and a gazillion sales people swarming them with those annoying mics trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths – I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour being hosted by “slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways.  Makes one wonder, are the RSA booths worth their price tag? The smallest, and furthest ones, which you would see if you were really looking for, are worth an arm and leg. VC money well spent? Oh what a circus it was!

– Rohyt

SCADA hacking? What if they used phishme.com?

At this year’s RSA conference Ira Winkler went on to tell the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this networkwold article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html

“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”

Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that that used spear phishing for quite some time now. But what if those same employees had already been “phished” through targeted awareness and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?

Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from or you can register your own look-a-like domain.

There is no sense in paying a pentest company high dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boat load of money.

Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?