The New Age of Phishing Defense
July 11, 2017 by Bill Rosenthal

If your experience is anything like mine, you don’t have much respect for the average spammer. The messages are so crude and so easy to see through that it’s a wonder any of them ever succeeds. Do they really think I might believe a message with the subject line “No Diet Or Exercise, AND Still Lose Weight” or “#1 Weird Trick To Pay $7 Month On Electricity”? I saw some research about a year ago that purported to explain that spammers and con artists deliberately use ridiculous messages in order to screen out people with a certain amount of sense, because they are unlikely to take the bait. 

Some phishing attempts are just as crude, but phishing is continually evolving, and there are a number of well-heeled organizations in the game. The phishers are learning, and they are getting better.

Phishing is getting so sophisticated that a peculiar business model has arisen aiming to help organizations cope with it. PhishMe is a company that attacks its customers as a service, so the customers can better understand what kind of phishing attacks are most risky for them. 

I have no personal experience with PhishMe, but a recent article in Wired described that of a reporter. Lily Hay Newman withstood PhishMe’s attacks for about five weeks:

I had given company CTO Aaron Higbee my personal and professional email addresses, and full permission to trick me into clicking on a malicious link, downloading a nasty attachment, or visiting a bogus site where my personal information could be compromised.

Trick messages from PhishMe’s hackers arrived in her inbox every couple of days. The first one, she says, almost had her. Its subject was “Court Notice,” and by chance her apartment had recently been burglarized, so she had every reason to open the bogus attachment it carried. It was only when she studied the originating address — nyhighcourtclerk@gmail.com — that she realized what it was. A real court notice would come from a .gov address.
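The check Newman made by eye, comparing who the sender claims to be with the domain the mail actually came from, can be written down as a mail-filter rule. The script below is an added example, not code from the post or from PhishMe; the claim-to-domain table and the sample From: headers (apart from the gmail.com address quoted above) are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers. The gmail.com one reproduces the
# "Court Notice" sender quoted in the post; the others are made up.
SAMPLE_FROM_HEADERS = [
    "NY High Court Clerk <nyhighcourtclerk@gmail.com>",
    "Clerk of Court <notices@nycourts.gov>",
    "Amazon Orders <orders@amazon-support-center.com>",
]

# Hypothetical table (an assumption for this example): a word a display name
# may use to claim an identity, and the domain suffix a real sender would have.
CLAIM_TO_LEGIT_SUFFIX = {"court": ".gov", "amazon": "amazon.com"}

# Mailbox providers anyone can sign up with; no court or retailer writes from them.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_domain(from_header):
    """Domain of the routable address in a From: header, lowercased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_matches(domain, suffix):
    """True if domain is the legitimate domain itself or a subdomain of it."""
    if suffix.startswith("."):          # a TLD rule such as ".gov"
        return domain.endswith(suffix)
    return domain == suffix or domain.endswith("." + suffix)


def check_sender(from_header):
    """Return the red flags raised by one From: header; an empty list means none."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no routable address"]
    flags = []
    for claim, suffix in CLAIM_TO_LEGIT_SUFFIX.items():
        if not re.search(rf"\b{claim}\b", display, re.IGNORECASE):
            continue                     # display name makes no such claim
        if domain in FREEMAIL_DOMAINS:
            flags.append(f"claims '{claim}' but uses free-mail domain {domain}")
        elif not domain_matches(domain, suffix):
            flags.append(f"claims '{claim}' but domain {domain} is not {suffix}")
    return flags


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", check_sender(header) or "ok")
```

The lookalike domain in the third sample passes a casual glance but fails the suffix test, which is exactly the gap the "Manage your order" style of lure relies on.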

Then the frequency of the bogus messages increased dramatically:

My inboxes became a digital minefield, littered with clickbait subject lines like, “Action required: Confirm removal of email address as account alias,” and “Your order has been processed,” complete with a big Amazon-esque yellow button to “Manage your order.”

Newman parried every attack successfully, although she points out that she was only saved by a sort of heightened paranoia resulting from the awareness that she was a specific target. She was expecting and looking for the attacks, in other words. A little paranoia is a healthy outlook in today’s cyber security environment.

If you are in a high-profile business and are at particular risk (think Sony or the Clinton Campaign), a service like PhishMe might be useful to you. You might have too much at risk not to know where your vulnerabilities are greatest. Most of us don’t have high profiles and are less likely to be targeted with messages that really seem to ring true. Every organization, however, needs to know where its defenses can be improved. So I suggest starting with the Logical Operations CyberSAFE Readiness Test. It can help determine the level of sophistication of your particular users — and therefore your vulnerability to attack. You can access the test at no charge. Contact us at +1.800.889.8350.