Converting Cybersecurity Awareness to Muscle Memory

An email was sent to the entire team with the subject: “Beware of Cyber Teams Trickery.” In the body, one member warned their teammates not to open or click on an email, claiming it was a phishing exercise: “Another phishing spoofed email was sent out by the cybersecurity team today, wasting our time and trying to trick us into clicking on a link. Do not do this unless you want to sit through another boring 60-minute training!”

Have you received or even sent an email like this? It may instead be a message shared verbally across the cubicle floor. Warning others of cybersecurity tests? Just like the initial email, you are perpetuating the problem.

There is a reason Cyber Teams require mandatory cyber training annually, and it seems to be the same message each year: don’t click on emails, links, etc. from senders you don't know. Now you are further circumventing the training by telling everyone you know about the suspicious email!

Policy vs Practical

Most companies have policies that establish expectations for addressing risks and operations. Included in those policies is the training and education of personnel. Since the real unknown factor in cyber risk is often what sits between the chair and the keyboard, there is usually a significant focus on training you to report emails that look suspicious, and not to click on links, reply to or delete the email, or take any other action that interacts with it. Most companies offer a plug-in that adds a handy button to your Outlook for reporting suspicious emails.

At times, companies may need a policy under which employees who alert others to unannounced exercises, tests, or phishing emails face severe consequences. It's great that you detected it, but what about the others who need to build the muscle memory so they don't fall prey to such attacks?

Policies drive the cybersecurity team and other IT resources to place multiple controls on inbound and outbound email. They verify and authenticate the email, its source, links, and attachments. They can stop emails from being delivered, flag them as external, or apply other markups that indicate the level of confidence in the email's validity. The last factor is you: a policy can guide you through training, but it cannot control what you do.

Real impacts of phishing emails

Each time someone is spoofed by a phishing email (and there are many other types of malicious emails as well), a company is at risk of stolen user credentials, data loss, reputation damage, business losses, productivity losses, legal consequences, and more. On the BlueVoyant website, there are eight notable examples of the real impacts on large companies resulting from phishing. These are the examples directly from their site:

  1. Between 2013 and 2015, a phishing campaign resulted in losses of $100 million for Facebook and Google. The attackers exploited the fact that both companies had a common Taiwanese supplier, Quanta. The attackers sent a series of fake invoices, pretending to be from Quanta, which were paid by Facebook and Google.
  2. In 2020, a whaling attack was conducted against the co-founder of the Australian hedge fund Levitas Capital. The co-founder received an email containing a fake Zoom link. When he clicked the link, malware was deployed on the hedge fund's corporate network, resulting in the generation of nearly $8.7 million in fraudulent invoices.
  3. In 2020, attackers breached the U.S. Department of the Interior's computer systems. Hackers used the evil twin phishing technique, in which individuals are tricked into connecting to a fake Wi-Fi access point controlled by an attacker. This technique enabled the attackers to steal credentials and gain unauthorized access to the department's Wi-Fi network.
  4. Crelan Bank in Belgium was the victim of a business email compromise (BEC) scam, resulting in damages exceeding $75 million. In this type of attack, phishers compromise the accounts of senior corporate executives and instruct employees to send money to accounts controlled by the attackers. The Crelan Bank phishing attack was discovered during an internal audit. The organization was unable to recoup the loss.

So next time you are sitting in a cyber training, think about the impact your actions could have. The correct action could make you a superhero in cyberspace!

What can you do?

Though this may sound repetitive, carefully review every email and digital interaction you have. Consider the five W’s:

  1. Who: Who is this? Look at the name on the email, the email address, and perhaps the phone number, as well as where the text is coming from. Does it look legitimate? Are the graphics correct? Is the domain accurate? Is it considered a reliable source by your IT department? If there is a phone number, do a reverse lookup, but never call it.

  2. What: What is the purpose of the contact? Would this person usually contact you through this method? What are they seeking? The IRS does not call or email, so any email you receive from them is not legitimate. Almost all phishing emails contain some emotionally driven action, so if you need to act now, you probably shouldn’t.

  3. Where: Combined with who the source is, where are they directing you to go? If the email were from your bank, it would likely include the bank's phone number; however, it's still a good idea to look up the number and verify it. If PayPal notifies you of a problem, do not click the link; instead, go directly to the website or the app on your phone and check whether the notification is present there.

  4. When: Is there a reason for this email arriving today? Is it trying to provoke a timely response by making a soft threat? It may be referencing an issue with taxes, and it is a month before the filing deadline.

  5. Why: Why am I receiving this email? If it is legitimate, would it be a standard method of communication?

You could delve deeper into the 5 Ws, but the key point is to question everything before taking action. If you think you need to act, consider what the consequences of your actions could be.
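The "Who" check above can be partly automated. The following is an added example, not code from the article: it parses constructed From: headers and flags a display name that claims a known brand while the address is on some other domain, and domains that sit within a small edit distance of a trusted one. The trusted-domain list and the sample headers are assumptions constructed for the demo.

```python
from email.utils import parseaddr

# Constructed allowlist for the demo: brand keyword -> the brand's legitimate domain
TRUSTED = {"paypal": "paypal.com", "example corp": "example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches paypa1.com / examp1e.com style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def on_domain(domain: str, real: str) -> bool:
    """True when domain is the trusted domain itself or a subdomain of it."""
    return domain == real or domain.endswith("." + real)

def check_sender(from_header: str) -> list[str]:
    """Return a list of findings for one From: header (empty list = nothing odd)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["no usable address in From header"]
    findings = []
    for brand, real in TRUSTED.items():
        if on_domain(domain, real):
            continue  # genuinely from the brand's domain; nothing to flag for this brand
        # Display name claims the brand, but the address is not on the brand's domain
        if brand in name.lower():
            findings.append(f"display name claims '{brand}' but address domain is {domain}")
        # Domain is close to, but not equal to, the trusted domain: a lookalike
        if edit_distance(domain, real) <= 2:
            findings.append(f"{domain} looks like trusted domain {real}")
    return findings

# Constructed sample headers for the demo
SAMPLES = [
    "PayPal Service <service@paypal.com>",
    "PayPal Service <alerts@paypa1-secure.net>",
    "Example Corp HR <hr@examp1e.com>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_sender(sample) or ["ok"])
```

Because a From: header can be forged outright, this is a triage aid for the "Who" question, not a substitute for the mail gateway's authentication checks.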

Always report suspicious emails. Some companies do not inform the user whether the email was malicious or not, but those that take it seriously do. When a user reports a suspicious email and it is determined to be malicious, the cyber team can remove it from any inbox to which it may have been delivered. So, the actions of one could remove the threat to hundreds or thousands!

It is probably better to report something and find out it was not malicious, than to find out you ignored a malicious email.

Making Resiliency Training Relative

The key point is that training is vital, but the quality of the training can make all the difference. The cybersecurity team would love to know that no one would ever click on a malicious email or text, or provide insider information through other means, but we know that will never happen. What we can do is develop training that builds our muscle memory. The training doesn’t have to be costly, but it should be impactful.

It is very standard to have online computer-based training that walks you through a regimented review of what to look for when reviewing your email. However, one of the best trainings I have seen in this fashion was followed up with a 10-minute email review. The intent was to allow 30 seconds for each email shown on the screen; the options were to click the good button or the report button. The key was that the emails were tailored to the person taking the course. If the participant did not select an option in time, it automatically counted against them. If they selected the wrong option, the screen flashed red and a loud alarm sounded. It prompted a quick review of the 5 Ws and an examination of other indicators, such as logos and domains.

Here is the kicker: after completing the course, all the users thought they had passed, and that was it. Over the next few weeks, they would receive a few fake emails intended to raise their awareness. Then came the big one: an email that was extremely difficult to identify as a phish by any of the traditional signs. It was from a reliable internal source; most of the 5 Ws would check out, but there would be something to prompt the person to question it. If they clicked on a link or replied, the entire computer screen would turn red, an alarm would sound, and they would be instructed on screen to contact the service desk.

The service desk had to clear the alert, and the user may have been enrolled in a review of the class; however, the experience was very impactful because they had to take action and acknowledge that they had made a mistake. For the record, we all do. Perhaps it is due to the number of emails and the fast-paced environment we are in, but regardless, it takes only one instance for bad actors to gain access, and every time for us to prevent it. There is no wiggle room!

Can I make a difference?

The short answer is yes. As an individual, you can research trends in phishing and similar attacks. As a team member, you can take a few minutes during team meetings to share recent trends and keep the threat at the forefront of everyone's minds. Recognize that the source of the scam may change, but the concept remains the same. The old “Nigerian prince needs your help” email scam still generates approximately $1 million per year. It has been active for nearly 15 years, and people still fall for it. The average score is $35k!

Listen and be aware of what is happening around you. I once overheard a fellow team member answer his phone, and after a brief conversation, he began sharing the phone number and email addresses of a few other employees. I tried to get his attention and asked him what he was doing. Though he said it was all good, after the call we both reported it. Sure enough, the two people had been contacted; the caller said someone else with more authority had provided them with the contact information and had attempted to land a whale.

Whaling, also known as whale phishing, is a targeted phishing attack that specifically targets high-profile individuals, such as CEOs or CFOs, to steal sensitive information or gain unauthorized access to critical areas of a network.

Provide feedback to your cyber training team. If you feel the training is monotonous, you're probably not alone. Challenge them to up their game and make the training more relevant and impactful.

I have never participated in a training where a review was not requested. Most of the trainings I have provided have resulted in several compliments. Still, it is rare for me to receive constructive criticism, additional questions, or feedback on areas where I could improve. In other words, if you do not speak up and drive a better training, then chances are you will not get an engaging and meaningful training.

Be aware, constantly second-guess your instinct to click, respond, or take action, and speak up!

Muscle Memory is Power

The goal is to build each employee's muscle memory. Like a star athlete who makes the play look effortless, they have trained to the point where they can perform with minimal thought; their skills are developed to the level that their actions are second nature. This is the ideal goal of cyber training, and it should be the goal of any response training.

Like a star athlete, they never stop training year-round, and neither should we. We need to develop and maintain that level of muscle memory to overcome our innate desire to take action and discover afterwards that we've made a mistake.

Although the phish that catches you may not result in losses you are directly aware of, every time a bad actor gains access to our companies and moves closer to the prizes they seek, the losses accumulate.

Next month, we will discuss the threat of digital wallets and resiliency, and how your convenience can cost your company millions!

James Knox is a resiliency expert with an innovative spirit who thrives when building meaningful solutions to various daily problems in the corporate world. He is an avid outdoorsman and loves extreme rock crawling, fishing, and hunting. As a survivalist, James has learned from necessity how to prepare for life’s bumps and thrive with practical and sensible solutions, supporting his family's self-sustaining lifestyle.