Krome Cast: Tech-IT-Out

Krome Cast: TECH-IT-OUT: How to Protect Employees from Phishing by creating a Human Firewall.

Krome Technologies Season 1 Episode 8

Defeat Phishing Attacks with Regular Employee Phishing Training & Testing

In this episode of Krome Cast: Tech-it-out, we discuss how phishers can impact a business, and how, with the right tools, phishing training, and testing, businesses can prevent phishing by creating a human firewall security layer.

In this easy-to-consume technology podcast, we discuss Krome’s Phishing Awareness Service offering, which includes employee phishing awareness, regular phishing testing, and end-user training to help prevent phishing attempts.

This podcast features Krome’s Commercial Director, Sam Mager, along with Krome’s Compliance Officer, Chris Swan, sharing their insights into what businesses can do to defeat malicious phishing attacks to avoid devastating consequences for both their users and the business.

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• LinkedIn: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

SPEAKERS
Sam Mager, Chris Swan

Sam Mager  00:00
Welcome to Krome Cast: Tech-It-Out. I'm Sam Mager, Commercial Director of Krome Technologies. Today, on this edition of Tech-It-Out, I'm joined by our Compliance Officer, Chris Swan. We'll be talking about the security issues that end users are subject to from phishing attacks, and how, with the right tools, tests and training, you can protect and educate your employees against phishing attempts by creating, in essence, a human firewall. Chris, thanks for joining me today.

Chris Swan  00:34
No problem, thanks Sam, thanks for having me.

Sam Mager  00:37
So to begin with, Chris, whilst I'm sure our audience would be aware, could you just briefly, and I say briefly, and if anyone knows you and me, we don't really do briefly, but we'll do our best today, just summarise what phishing is, the process and the purpose?

Chris Swan  00:57
Okay, right, phishing basically is an attempt to commit online fraud. So what cybercriminals are looking to do is steal your personal information. They can do this in various ways: by phishing emails, fraudulent websites, SMS attacks to your phone, which they call smishing, or calls directly to your phone, which is vishing, but they will always appear, or appear to be, from reputable organisations or someone you know and trust. But their main aim is really just to steal your personal data, such as, you know, credit cards or debit cards. That basically, in a nutshell, is what online phishing is about, but what they're looking to do really is play on your fears, your curiosities and your insecurities, just to gather your data and to get you to phish on bogus links.

Sam Mager  01:52
Obviously we see this, you know, going through the roof all the time, so it's probably worth mentioning the sophistication of these attacks. You know, over the years we've seen some obvious and blatant, you know, email scams in the past, such as promises of wealth left at foreign banks for you to pay a small fee to collect from, but more recently claims that things like indecent footage that people hold on you, threats of information being released unless you send, you know, extortionate fees via bitcoin, which is obviously always a good sign that it is fraudulent, or cryptocurrency of some description, something that can't be traced. You know, these simple scams, whilst obvious in their nature, are unfortunately still very much catching people out. I guess, as you said, the issue is they do prey on people's fears and insecurities to catch them out. So you mentioned some of the more primitive, you know, phishing attacks, stuff we've seen, as we said, like playing on the fears and whatnot, we've got this on you, please send us bitcoin, etc. But as this gets more sophisticated, I know you've seen things are more sophisticated, as that increases, our threat landscape obviously changes. So are you able to give us a bit of an insight into how that, I guess, that threat landscape has evolved and what it looks like now?

Chris Swan  03:38
Absolutely, Sam. So obviously, as you say, the threat landscape is ever-evolving, and as we become smarter towards these emails and the sort of hooks that they've got in them, the criminals become smarter as well, and their phishing attempts become more elaborate and in ways that are looking much more realistic. Some of the requests that we're seeing now, or the phishing messages, the recent ones, they tend to be on-trend as well, so COVID-19 based phishing emails appearing to be from the NHS, "inviting you for a jab", and sort of things are looking there to put your information again, other stuff from Netflix, you know, there's a problem with your account, from Royal Mail or Amazon about your delivery, the list goes on. But effectively, what these guys are looking to do is use spoofed email addresses that, for all intents and purposes, look like they're from the real company, an organisation you might expect to receive an email from or you trust, but they're not, you need to look a little bit closer. A good example of that would be Netflix, but it's spelt with two x's, so when you look at it, it looks all good, but you know it's not. So as I say, what I saw recently was about a COVID-19 jab where they were looking to get you to input your national insurance number. So each of these attacks, what they're looking for you to do is, first of all, trust what they're saying, it looks all real, and just provide your information somehow, either log into an account that you think is your account or give the information. As I say, unfortunately, some of us are conditioned, if you like, to accept these emails sort of without any sort of question and respond, but once the cybercriminal has your details, they're gonna use it to their gain. And as I say, they all look genuine, but they're just really designed to catch us out.

Sam Mager  05:31
Yeah, absolutely. I mean, yes, and very real examples. I'm sitting here kind of half laughing because I've seen some, you know, the HMRC, the Amazon, the Netflix, 6, 6, 6, and so on. Yeah, I've seen them in my own inbox and within our business. Something you did mention is spoofing, and that can happen within an organisation. For example, many of our own employees have received emails that appeared to have come from me, or other Directors of the business, asking them to, what was the one recently, purchase a bunch of Amazon gift cards. You know, and I guess, fortunately, as an IT organisation, and you know this because you do this for us, our cybersecurity awareness is very high and we focus on it internally, we undertake an awful lot of training, we do mock phishing attacks to make sure that, as a business, our team are as educated, and that they, you know, as best as possible, recognise this type of activity. However, no one is infallible and mistakes, undoubtedly, you know, will happen. And I was just thinking the other day, I thought before this, and I should try and remember it a bit better but I can't, but you quoted some really interesting statistics to me fairly recently, and to be frank, they are, they're shocking, but it really underlines why it's still so prevalent. So I guess I hope you can share some of those statistics with our audience, I'm sure they'll find it just as eye-opening as I did.

Chris Swan  07:21
Okay, yeah, definitely, Sam. They are eye-opening. So basically, phishing campaigns usually or typically send millions of emails out to unsuspecting individuals. And I sort of, the figures I've got, I've got a bit of a saying about this, it's "a bad day's phishing beats an honest day's work." So if you look at that, so see how that works and how it would play out. So imagine this: 2 million emails are sent out. So 5% of those, let's say they actually get to the intended recipient. So that's 100,000 users will actually open the email, so that's quite a lot. So let's say again, out of that 100,000 people who have opened emails, 5% of them will actually click on the link. So that's 5,000 clicks, and 5,000 is a lot. And again, draw that down a bit more, if 2% of these people enter data into the site, that's 100 individuals who've actually been caught there. So on an average, let's look at the sort of trends I've seen, it's about £100-ish on average from each person who gives their details in good faith. So in one day's work, the scammers are able to scam £10,000 from unsuspecting victims. Now, it's not a bad day's work, hey Sam?

Sam Mager  08:37
It's not a bad day's work, well, it is. But it's, yeah, you know, you look at those sort of statistics, or how easy it is to use, you know, intelligent marketing campaigns to fill a system up with that many emails and press go, it's not a lot of work for that sort of return. It's no wonder that, you know, we see so much of this, because how easy is it to feed a machine data, press go and just wait, you know, you're preying, as you said, on people's insecurities. It's a horrible thing and I'm sure, well, I know you do and I do, we all know people who've been caught out by this, to a lesser or greater extent, but it's hardly surprising, and it really is a, you know, these people are throwing enough mud at the wall and hoping that some of it will stick, and these statistics are no less shocking to hear the second time around. You know, I've said, it's just, it's never nice to hear about people falling foul of these types of scams, but you can see that they're now becoming more and more advanced in their approach. We've all got used to, like we mentioned before, the, you know, this Prince wants to give you his money, etc. etc., and they are improving and becoming way more intelligent, like you said, with the spoofing and referencing companies you've heard of. So, I guess obviously, in an ideal world, we'd wave a wand and this problem would just go away. That'd be lovely. Right? But clearly, you know, that's not an option. So for our audience, and in your position, I don't want to age you, Chris, but obviously you've been doing this for a while.

Chris Swan  10:24
A couple of weeks, yeah.

Sam Mager  10:26
What top tips, and this is my podcast bit, there's always a top tips bit or a, you know, how-would-you bit? So what top tips do you have, and can share with our audience, that will stop them from being the next victim of one of these awful scams?

Chris Swan  10:44
Okay, Sam, well, I think really the best way to defeat these types of phishing campaigns is just to be vigilant. I know that can be easy to say. But if you just think of things, if you're asked, ever asked, for any of your personal information on an email, or asked to go to a website and put these in, just remember, you know, stop: a legitimate company will not ask you to do this. Your, you know, your Royal Mails and Inland Revenues, and all these sorts of people, will never ask you for this sort of information on an email. It's just as simple as just stop and think and be careful. I know sometimes that's easy, but I can give you a sort of a few things to sort of check it out. So if you look closely at the sender's email, and you just take a second to look at it, you can spot the sort of things, you know, the Netflix with the two x's again. Look at the email, see if it matches the actual website address. And it's from that, you know, so if it's Netflix, to say, with two emails, two x's, sorry, you can see that the Netflix doesn't have two x's. So little things like that. Beware of generic emails. Now, what I mean by this, it's ones like, you know, "Dear Sir" or "Dear Customer". They're not addressed to you personally because, basically, what they've got is a bulk email, as we mentioned earlier, and they don't have your personal details, just your email address. A big thing, but even this is getting more sophisticated now, is look at the spelling and the grammar. Because they might, the way that we would speak, or we would do an email, it might just be wrong, might be a capital letter in the wrong place, the wrong context of the word, a comma or too many full stops. Just look, and just take just that extra time.

Sam Mager  12:29
That's the sort of thing I'd expect HMRC or Amazon or someone to get right.

Chris Swan  12:34
Yeah, that's exactly that, Sam. No matter who the email is from, never respond to the email asking for your information. As I say, never click on the link if you're unsure, and say it's from Netflix, that we've had, as we said, there are lots of things: come off of your email, open up your browser of choice, whatever it may be, go into Netflix's official site through your browser, not through the link, and actually look on there and look at your account on that. And then you'll see. Or, if you can, if possible, contact these people by phone and say, "Look, I'm unsure, I've had an email. I don't know what this is all about." Or even sometimes it's better than that: speak to your local, your manager, your IT team, anybody. And you mentioned earlier on about some of these threatening sorts of things. Never be ashamed to speak to people and say, I think this is wrong. Nobody's going to come down on you and say, don't waste my time. We would rather you speak to us and come and say, look, you know, yes. Okay, that actually turned out to be real, but well done. That's good for spotting it. And you're aware, that's a good thing. So yeah, a simple thing: if it looks strange, it probably is.

Sam Mager  13:39
If it walks like a duck, and quacks like a duck...
Okay, so I think that helps us establish, obviously, there's a lot to look out for. And attacks, as we said, are getting more and more sophisticated and subsequently more difficult for people to recognise and differentiate between important email and obviously this nefarious kind of stuff. What measures can organisations, if we take the upper level from the frontline, from the person who is unintentionally clicking the wrong button and causing a problem? But what measures should a business and organisation put in place to protect itself and its users from getting caught out?

Chris Swan  14:30
Okay, well, it's a good point that, Sam. Say companies normally have good protection in place, such as your firewalls and antivirus and so on and so forth. But they often miss out one key thing, it's the forgotten vulnerability, and that is the human element. So if you look at that, it's, as I say, if you perform your network monitoring and so on and so forth, and your network testing, in order to ensure that your business is safe, do the same thing for users. So run regular human security testing, test for the vulnerabilities of the staff. So as you said earlier, Sam, nobody's infallible at all, you know, not even me, let's say. But by running regular education of the users, you can create an additional security layer. As we said, it's in essence a human firewall. So the more testing that we do, we do a lot of testing at Krome, and our users, in fairness, are very sharp. Again, nobody's infallible. So the sorts of things you can do, the approaches that we're looking at, is where you devise sort of diverse and sort of targeted phishing attempts to actually evaluate and respond to the particular weaknesses that users are falling foul to. So you'd run regular testing targeted at a group. So maybe your finance department, as you were saying there, where, you know, a Director is shouting and bawling, for all intents and purposes, it looks like it comes from one of you. Just tweak this training, and it's targeted better and made a bit more realistic, and then once you get the results from that, we can target the training according to what sort of weaknesses we're seeing. So regular testing overall gives the management a good view and a good level of understanding of vulnerabilities that we found across the users within the business. And the ways to do this, as I've just said there, create the targeted roles towards a staff member.
But by regular testing and educating the users, we will strengthen our security and effectively be creating a stronger, human firewall.

Sam Mager  16:32
Yeah, absolutely. And that's definitely something that we can and do help our clients out with, the Security as a Service piece, with Phishing Assessment Services being a small but very relevant piece of that wider offering. Conscious of time, and we were briefed by marketing beforehand not to go on for too long, so I guess this will be my final piece. As our Compliance Officer, you've been rather heavily involved with us achieving and maintaining both our Cyber Security Plus, sorry, Essentials Plus, isn't it? Certification, and also our ISO 27001 certification. So in your opinion, what is the importance of having something like that in place from a compliance perspective?

Chris Swan  17:34
Okay, well, as we've covered in many points today, Sam, cybercrime is a major concern, so the more that companies can do to minimise the effect of these phishing attacks, the less likely it will be that they'll fall foul to them. So the compliance, the key thing is people often think compliance is just ticking a box, and, you know, it's what the auditor says, so we've got to implement it. But really, it's not just about that. Following a good compliance basis gives us the tools to keep the company and the staff safe. And sometimes, not in all cases, but in some cases, it makes our jobs easier. So if we implement a good security training programme, that we keep all our staff well trained and well informed of potential threats, we look at the risks as they evolve, we look at different things, we look at the different trends, we can minimise and say, but a good way that I would say to everybody is lead by example. So when you're doing these training, security awareness training programmes, don't just target it to users. Look at the Senior Managers, Directors, include everybody, because it's not do as I do, or do as I say, it's we're all, we're all in this together. So if staff see that, you know, they're getting the help and the training, and the Directors and Managers are in on it as well, we've all got the same amount of buy-in. That's a better way to be. I think that sums it up, Sam.

Sam Mager  18:52
I think it does, and I can attest to that, having been on the receiving end of one of your tests the other day to make sure that, as the senior team in our business, you know, we are paying attention and aware of this. And you're absolutely right, it is, it is top-down. You know, you've got to make sure that everyone in the business takes this seriously and that everyone is educated, because you're only as, as weak as the strongest link, I guess. So we've got to make sure that we look at all the different moving parts and make sure everyone is equally well educated, because it just takes one person to do the wrong thing and all of a sudden we've got a crypto locker attack or whatever it might be, and as we both know, the costs of undoing that sort of problem, well, it doesn't bear thinking about. Okay, well, Chris, listen, thank you for taking the time to speak to me today. It's always good to speak to you. I mean, this is a real, a very real threat, so it's good to go through it in a bit more detail. Hopefully our audience will get some good use out of this, and, you know, they can use the data or the information contained to help, you know, help their business and remain compliant themselves, so really appreciate your time.

Chris Swan  20:09
Pleasure's mine, Sam, thanks a lot.

Sam Mager  20:13
This has been Krome Cast, we hope you've enjoyed today's content. If there's anything you'd like us to cover in future episodes then please do leave that in the comment section below. Remember to like, comment, and share and join us again next time for Krome Cast, Tech-IT-Out.