We in the security industry know that phishing is one of the most effective tools in an attacker's arsenal. At Rapid7, we recognize phishing training and phishing simulation as key inoculation mechanisms that help businesses build both resilience and confidence.
Last month, I was invited to conduct some security experiments at a cybersecurity event attended by 60 CEOs. My participation had a specific purpose: to simulate targeted phishing campaigns and raise awareness of what real-life adversaries can accomplish with a few personal details and a healthy supply of motivation.
By the time the event was over, 45 CEOs had fallen for at least one phishing campaign—75% of the total group in attendance. Here’s how we went about our experiment, as well as what you can take away from the results:
Phishing experiment criteria
Our plan was to send three phishing simulation campaigns over the course of 14 days, with each campaign increasing in sophistication. These simulated phishing emails would take no more than 20 seconds of the targets’ time, and we did give targets a chance to opt out of the experiment.
When a target was successfully phished, that person was directed to a page that revealed the experiment and offered educational information about phishing and its indicators. We did not collect any personal information as part of this experiment.
Phishing template 1: Delivery tracking
In this email, we asked the target to sign in to a system to track a package. This was a low-sophistication email, which meant we made no attempt to spoof an authentic sender and no attempt to convincingly mimic the domain of the shipping company. We also had no idea whether targets had credentials for the delivery carrier.
Results: 5% phished
Phishing template 2: I’d like to join your network!
For this template, our bait was an “Accept” button that mimicked an invitation from popular professional networking site LinkedIn. This email had moderate sophistication—there was no spoofing of the sender’s email, but it was designed to look like a legitimate LinkedIn request from one of the CEOs attending the event. The sender’s domain would take targets to a page that resembled LinkedIn.
Results: 17% phished
Phishing template 3: Spear-phishing simulation
This high-sophistication email requested that the CEOs log in to a portal to review information about their hotel rooms for the event. This email included a spoofed email address and realistic call-to-action, and looked very similar to a real one that had been sent to attendees. The simulated phishing campaigns looked like they came from someone the targets knew and trusted (the event coordinator), and the content was based on timely, specific knowledge of the targets’ schedules.
Results: 57% phished (and 35% entered their credentials in addition to clicking the phishing link)
Over the course of two weeks, 75% of the targets had been phished. The most sophisticated simulation was the most successful: 89% of the CEOs who fell for the final phish hadn’t fallen for either of the first two simulation campaigns.
Of the 35 targets who clicked a phishing link in the final campaign, only four had been phished in one of the first two campaigns. This is how we measured the success of the simulation in our experiments: 63% of users who clicked one of the first two campaigns did not fall for the final, sophisticated phishing campaign.
Here are some lessons to take away from this experiment that can help inform your anti-phishing efforts:
Simulate often, and make users part of the solution by giving them tools to report phishing
One of the things we noticed was that targets began to report emails to the event organizer, including emails that were not part of our simulation campaigns. Their instinct to report after being exposed to suspicious activity was strong, as was their instinct to help peers protect themselves. Users leveraged the tools available to them to report—in this case, their relationship with event staff.
Measure success by those who learn instead of those who fall
Our KPI for this experiment was the percentage of people who fell for an early phishing simulation campaign but learned their lesson and did not fall for the final, more sophisticated simulation campaign. Another option is to measure the success of your program by the percentage of people who report phishing emails. As your phishing security program involves, so too will your metrics for success.
Understand there are no silver bullets
Email security products are helpful in filtering out some phishing emails, but they’re a minimal level of protection. The more sophisticated simulations weren’t caught by email security solutions.
A stellar phishing security program needs to build confidence both in the security team’s ability to handle phishing and the employees’ ability to spot a phish. It’s a two-way street. When that confidence is established, resiliency against phishing is born.
For data-driven readers, here is the breakdown of events per template used. Note that 73.3% (44 unique targets) of the CEOs who agreed to take part in the experiment got phished, and 41.6 (25 unique targets) entered credentials.
|Template number||Description||Emails delivered (not blocked)||Emails opened||Target clicked on link||Target entered credentials|
|Template 1: Raw Numbers||Package delivery||55/60||17/55||3/17||1/3|
|Template 1: Percentages||Package delivery||91.6%||28.3%||5%||1.6%|
|Template 2: Raw Numbers||LinkedIn contact request||56/60||18/56||10/18||0/10|
|Template 2: Percentages||LinkedIn contact request||93.3%||30%||16.6%||0%|
|Template 3: Raw Numbers||Spear phishing||60/60||54/60||35/54||21/34|
|Template 3: Percentages||Spear phishing||100%||90%||56.6%||35%|