A WatchGuard expert shows you how to build a phishing protection program that works.
Most phishing attacks begin by targeting people.
“Therefore, our security programs should spend 90 percent of their money on people.”
Todd O’Boyle, director of product management with WatchGuard, spoke at the Midsize Enterprise Summit Spring 2018 conference in Orlando. O’Boyle says there are three reasons why attacks are getting more sophisticated: happy clickers, spear phishing and CEO fraud.
O’Boyle says happy clickers are “people who will click on anything put in front of them, such as fake UPS invoices. DocuSign phishes are good. Office 365 password resets are another common one. ‘Your mailbox is full. Click here and log on to your email to get more storage.’”
When phishing attacks work
O’Boyle shares one example of a successful phishing attack where the attacker used an email that was one letter off from a client’s email address.
“The attacker lived in the person’s email inbox for about a week, looking for other bids the salesperson had submitted. They put the effort in to understand who the salesperson was dealing with in their customer database.”
O’Boyle says midmarket IT executives must convince employees of the danger of a phishing attack and advise them to use caution when opening emails and attachments.
“The attackers knew what they were after, targeting bids in the salesperson’s inbox. They got greedy and started sending emails inside the company from the salesperson’s inbox. A fellow salesperson asked, ‘Why did you send this email?’ The salesperson said, ‘I didn’t,’ and got IT involved.”
O’Boyle says the attack response got to the level of the company CEO. “It was the first time in the company’s history cybersecurity was an operational issue. Through unraveling the data, we believe it was one of the company’s competitors who paid someone to attack them. They wanted to undercut bids and if you undercut by a percent or two, you will win a lot of jobs.”
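The "one letter off" sender address in this story is something a mail gateway or SOC script can triage automatically. The following is an added example, not code from WatchGuard or the conference talk: it flags inbound sender domains that are within one edit of a domain the company already corresponds with, while treating exact matches as legitimate. The partner domains and sample senders are constructed for illustration.

```python
# Added example: flag inbound sender domains that are one edit away from a
# domain the organisation already corresponds with (a "one letter off" lookalike).
# KNOWN_DOMAINS and SAMPLE_SENDERS are constructed placeholders, not real data.

KNOWN_DOMAINS = {"acme-construction.com", "example-supplier.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(address: str, known=KNOWN_DOMAINS, max_distance: int = 1):
    """Return the known domain this sender resembles, or None.
    An exact match is ordinary partner mail, not a lookalike."""
    domain = sender_domain(address)
    if domain in known:
        return None
    for candidate in known:
        if edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


def triage(addresses):
    """Map each suspicious sender address to the partner domain it resembles."""
    hits = {}
    for address in addresses:
        target = lookalike_of(address)
        if target is not None:
            hits[address] = target
    return hits


if __name__ == "__main__":
    SAMPLE_SENDERS = [                      # constructed sample input
        "bids@acme-construction.com",       # genuine partner, not flagged
        "bids@acme-constructlon.com",       # 'i' swapped for 'l'
        "ap@example-suplier.net",           # one letter dropped
        "newsletter@unrelated-vendor.org",  # no resemblance, not flagged
    ]
    for addr, target in triage(SAMPLE_SENDERS).items():
        print(f"REVIEW: {addr} resembles {target}")
```

Short domain names produce more accidental near-matches at distance 1, so treat the output as a review queue rather than an automatic block list.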
Get management buy-in
Phishing attacks represent an opportunity for midmarket IT leaders to get management buy-in to fund a phishing protection program.
Start with your executives. Visit them; ask them to talk about phishes they’ve seen; try to connect phishing attacks to business impact. “You won’t get buy-in from all executives, but you’ll get some. They are your allies to roll out phishing education company-wide,” O’Boyle says.
Reinforce with stories. Collect and tell stories about successful and non-successful phishing attacks. Link them to different aspects of your business, including sales, HR and research and development.
Keep an open door. Be nice to people. Remove the shame of being a victim. “We all make mistakes. Get them talking to you about the phishes they see.”
Focus your efforts. “These phishes are gold. They tell you why and how your company is being targeted. Pay attention to trends in who is getting targeted, and focus your energy there.”
What should you do?
O’Boyle advises using a three-step process:
- Roll out protection first
- Combine that with phishing education
- Reinforce reporting
“I’m a believer that, because of happy clickers, you should roll out protection first, but when a user clicks, that’s a perfect time to give them education. They made a mistake. They want to be better,” he says. “Help them dig themselves out of the hole they dug themselves into. In your education programs, reinforce reporting. Getting people to talk to you about phishes can reinforce protection.”
Turn phish into gold with adequate levels of protection.