In 2022, a rapid succession of data breaches affected multiple prominent brands in the security sector, including Cisco, Okta and LastPass. These large-scale data breaches may be indicative of a cyclical trend that involves phishing, as such breaches can either initiate or contribute to future phishing attacks. 

Alongside a rise in the number of organizations being targeted with credential phishing campaigns, global events over the past year have been leveraged by threat actors for monetary gain. A case in point is the development of a meticulously crafted credential phishing campaign, disguised as a donation to aid victims of the Russia/Ukraine conflict. In addition, the age-old password reset style phish is alive more than ever. There will always be attempts to convince the recipient their mailbox is full, and their password needs to be updated. 

Throughout the year, these types of baiting tactics remained a constant backdrop. While threat actors may take advantage of global events and unsuspecting employees opportunistically, there's generally little incentive to switch from the more established and reliable baiting methods, which have a proven track record of success. According to the 2023 M-Trends report, phishing continues to be a lucrative and mainstay vector for adversaries year over year.

There are two crucial steps an organization can take to avoid falling victim to a credential phishing attack. One is adopting a phishing simulation platform that meets their needs. A simulation program that doesn’t emulate real threats seen in the wild will do very little to prepare an employee for when a threat arrives. 

The second step is creating a culture of reporting suspicious emails. The human side of security is often ignored, as it is assumed technology can do a better job of detecting threats; however, with a solid reporting culture, organizations can better protect themselves from attacks. It’s important to remember that humans can add context to a suspicious email that technology can’t.

Real world threats

Simulated phishing attacks are the commonsense solution to protecting against phishing attacks, but they are just the start. Ensuring your simulation program is relevant and timely can take your protection to the next level. 

There was a 478% increase in credential phishing this past year, yet only 29% of simulated scenarios used a credential threat. In 2023 the number of phishing simulations imitating credential phishing threats did increase to 39%, but there is still work to be done to ensure security programs provide an accurate picture of the threat landscape.

A few key things to keep in mind while developing a security training program to protect against credential phishing campaign include: 

• Disable auto-forwarding rules across the organization. Unable to fully block? Review rules to work with the business to allow exceptions for legitimate business needs. Resetting a users’ credentials due to a recent campaign? Check the auto forward rules and remove rogue rules potentially set up by threat actor. 
• Continue to increase the cadence of simulation scenarios using this threat type. 
• Customize the Microsoft landing page with the company logo. Communicate to the organization to report any landing pages that don’t fit the corporate branding standards.
• Enable MFA. Enhance the authentication experience to help users avoid MFA exhaustion. 

What security teams do with the data collected from a simulation program is just as important.  Security teams need to be able to collect and analyze the data results from a simulation to determine if, when, and how employees are interacting with the phish. Being able to measure the success of a simulation is key to understanding user behavior and creating a program unique to your organization. 

A strong line of defense

It is a common belief that employees are not effective in protecting organizations from phishing threats; however, this belief is incorrect. According to the 2022 Verizon Data Breach Report, 82% of breaches involve a human element, meaning it requires a user to click, share or download for the attack to be successful. Using that human element against threat actors by creating a solid reporting culture among employees can save data, time and money.

For every one email reported by a user, an average of 20 additional malicious emails are removed from inboxes around the world. This really puts the benefits of reporting into perspective.  

No shame in our game

Establishing a corporate culture that prioritizes openness and awareness is the most challenging aspect of implementing effective phishing training. Given that mistakes are bound to happen, it's imperative to educate and correct employees when they inadvertently respond to phishing emails. Employees should be encouraged to report a real phish even after they’ve submitted their credentials, allowing the security to still mitigate the threat.

However, shaming employees for their errors may discourage them from reporting future mistakes, depriving security teams of the opportunity to contain threats quickly. Given the potential fallout of an unaddressed threat, it's crucial to ensure that everyone in the organization, from the CEO down, participates in phishing training.

By training employees on how to identify and respond to phishing attacks and by conducting realistic simulations, organizations can empower their employees to serve as a strong line of defense against these threats.

The rise of cybersecurity threats is not a new development and it is not surprising that a vast majority of such incidents involve some form of phishing. By implementing a comprehensive phishing simulation program that includes customizable security awareness training and simulated phishing campaigns, organizations can minimize their vulnerability to costly phishing attacks.