Skip to main content

Phishing for Success – Part 1

“A bad day of fishing is better than a good day of work.” – Unknown (image shows a crab holding a fish above its head - not our photo)
A bad day of fishing is better than a good day of work.” – Unknown

Leadership In Cyber Security

Hi folks, I am a Senior Threat Emulation Specialist at White Oak Security. The majority of my time in cyber security has been focused heavily on Red Team Operations and Social Engineering. Prior to entering the cyber security field, I spent many years in leadership positions in other industries. During that time, I managed over 200 employees and was responsible for multi-million-dollar business units. My prior leadership experience has made me particularly interested in supporting leaders in their security endeavors. 

Intro To Phishing

The goals of this series of blogs on phishing will be:

  • Bring awareness about the risks of phishing tests
  • Arm you with the right attitudes and knowledge to create a successful phishing program
  • Teach teams ways that they can quickly bootstrap phishing infrastructure
  • Teach red teamers some very basic methods that can get you past defenses, like Proofpoint.

Since its focus spans the gap between leadership and technical knowledge, we have broken it into a running series. We will start with the leadership focus and move toward the technical disciplines in the following parts. 

What Can Go Wrong?

“There’s a fine line between fishing and just standing on the shore like an idiot.” – Steven Wright

After conducting many phishing and social engineering tests, as well as speaking with many senior executives in fields (spanning the Defense Industry to Banking and beyond), I have reached the conclusion that phishing is a two-edged sword. It can elevate your security posture and the safety of your entire team or devastate employee trust in the security team and company. When employee faith in leadership/the IT security team is broken, it leads to a weakened security posture overall.

Poor Phishing Tactics

“The fishing was good; it was the catching that was bad.” – A. Best

I want to take you on a journey into the realm of phishing and its effects on an organization’s security posture when phishing tests are conducted poorly. I will be pulling from social media for anecdotal evidence, as well as pulling data from studies to back up my claims and recommendations. 

Social Engineering testing requires a delicate touch at times because it can easily have major ramifications across a company. Typically, the threat emulation teams are working with a light touch from leadership outside their direct chain of command. This is a necessary reality, but a risk as well. 

Phishing Scams

“Fly fishermen are born honest, but they get over it.” – Ed Zern

First, let us take a look at the absolute worst phishing ideas ever. None of you would ever sign off on a test like this, but somehow these slipped through the cracks and led to serious reputation damages and the weakening of security postures. I want to emphasize that I am not pointing fingers at the companies associated with these phishing tests, nor any particular leader that works at these companies. Without further ado, let us take a look at these examples of phishing tests gone awry.

Phish Around & Find Out!

This phishing campaign below single-handedly damaged GoDaddy’s reputation, employee buy-in to security, and employee morale – a giant trainwreck of a phishing campaign. Here’s a screenshot from Twitter stating that the company sent out a holiday bonus phishing email, where 500 employees “failed” the phishing test (they fell for the email scam).

Here’s a screenshot from Twitter stating that GoDaddy sent out a holiday bonus phishing email, where 500 employees “failed” the phishing test (they fell for the email scam), provided by White Oak Security's pentesting team.
source: https://twitter.com/lolonghi/status/1341863667290140672

Hold My Phish!

What a puny fake bonus phishing campaign, only $650 bucks?! Here’s one that pumps it up to $10k! Below is a screenshot that shows another phishing email scam, sent from Tribune Publishing to their executives, offering an extra bonus if they “click the link below”. The clickers would then be told they failed the phishing test, (and no there was no bonus). 

White Oak Security shows a screenshot of another phishing email scam, sent from Tribune Publishing to their executives, offering an extra bonus if they “click the link below”. The clickers would then be told they failed the phishing test, (and no there was no bonus). 
source: https://twitter.com/DTOhl/status/1308839731443179520?ref_src=twsrc%5Etfw

These examples really show how leadership/the IT team can lose the trust of the rest of the company, even in “efforts” to strengthen their security posture.

An Ounce Of Prevention…

Probably not a good idea, says the fish staring at the "free lip piercing" sign on a hook. (image isn't ours)
Probably not a good idea, says the fish staring at the “free lip piercing” sign on a hook. (image isn’t ours)

My first thought regarding how these tests were not prevented is one of the most common Social Engineering findings in my career – the lack of or failure to implement policies and procedures

Anytime that you find yourself conducting dangerous and highly sensitive security testing of any kind it is imperative to create solid policies and procedures about why, when, where, by who, and how that testing will be conducted. Additionally, there needs to be a clearly articulated business case for conducting that testing. 

My rule of thumb for leadership decisions about penetration testing is that if we cannot get buy-in from all stakeholders, whether they be internal to your security team or your peer executives and their teams, then we need to take another look at our business case, policies, and procedures. We all know how important security testing is and SO DO YOUR NON-SECURITY PEERS! They’re placing their entire future in your hands and all they want is to feel that the security team is a tight ship sailing under the mandate of the company. 

If you need proof that your gut instinct about those phishing campaigns is correct, you can go read the comments on Twitter or read the many articles lambasting these companies for being heartless in major news sources. The problem with these kinds of phishing campaigns is that they sacrifice the company’s internal/external image for results. Additionally, these tests weaken security posture and productivity.

Company Integrity & Phishing

“Do not tell fish stories where the people know you. Particularly, don’t tell them where they know the fish.” – Mark Twain

While it’s true that these are phishing campaign examples that real threat actors may use, that does not excuse the company from using them on their own employees. It is not technically hard to conduct a phishing test, especially if you are conducting it from the inside with a tool like KnowBe4 or gophish. With minimal effort, you can get many users to click on links and submit credentials. This is because Social Engineering is NOT a security threat you can eliminate. It can only be mitigated by the careful defense of in-depth measures. 

Does this mean you shouldn’t conduct phishing tests and training? No, conducting phishing tests can be very valuable to your company, as well as the individuals being tested. The actual reasons to conduct phishing tests and align your methods/responses to the results are the key to fixing the industry problem with phishing

Phishing Test Results

“It has always been my private conviction that any man who pits his intelligence against a fish and loses has it coming.”  – John Steinbeck

Let’s take a look at a really accurate take on how not to handle phishing test results. For this, I again can thank a tweet. A man complains about failing a phishing email scam, and how he could have destroyed the company’s network if it had been real. He states, “if me clicking can destroy the network, I’m not the one who sucks at their job”. Another person replied, “zero trust isn’t supposed to describe how you feel about the security team”.

That hits hard for me.

White Oak Security shares a tweet of a man that complains about failing a phishing email scam, and how he could have destroyed the company’s network if it had been real. He states, “if me clicking can destroy the network, I’m not the one who sucks at their job”. Another person replied, “zero trust isn’t supposed to describe how you feel about the security team”.
source: https://twitter.com/quinnypig/status/1532724283079700480

I remember the various times corporate executives asked me to provide data attributing clicks and credential submissions to users in the company. Sometimes they might mean well, but all too often serious damage will be done to their careers and reputation. 

Let me make it abundantly clear: if you are going to hold a heavy machinery operator accountable for being attacked by threat actors and failing to recognize they were under attack then you need to pay them 30% more since they are handling two jobs now. The job of IT Security is to protect the company. The job of a scissor lift operator is to use scissor lifts. Not only is there a lack of justice in punishing them, but it can be self-destructive behavior. They might stop answering emails, they might find a new job where they are only held accountable for their own job performance. Either way, their company loses.

One exception to this might be if your data center security guard lets someone in without a badge at 3 am because they tricked them into believing they belonged in the building, but that is another story for another time.

Better Luck Next Phishing Trip!

So, what can we do about the phishing problem? Stay tuned for Phishing for Success – Part 2, where we will touch on ways to avoid the common pitfalls of phishing programs and how to use the results to improve your security posture.

In the meantime, White Oak Security has some great Social Engineering blogs, as well as Adversarial Pentesting (such as social engineering or red team/purple team engagements) and Security Team Development services you can check out. 

White Oak Security shares (doesn't own this photo) this meme of a fish in someones hand that says are you going to throw me back? please throw me back!

MORE FROM WHITE OAK SECURITY

White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team