Article submitted by Suryanarayanan K, Central Bank Of India
Phishing attacks are among the most common security challenges that both individuals and organizations face in keeping their information secure. Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit/debit card details, often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing, and it often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one. Phishing emails may also contain links to websites that are infected with malware.
One effective method of assessing the awareness level among staff is to conduct a phishing drill, in which a phishing mail is sent to the mail ids of staff. The mail can contain a link (an intranet link) where staff are prompted to fill in certain details. Subsequent analysis, such as the number of staff who opened the mail, the number who clicked on the link provided and the number who provided the details asked for, helps in assessing the awareness level. It must be ensured that no critical/sensitive information is collected from staff, to avoid any possible misuse of it.
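The analysis described above (how many staff opened, clicked and submitted) is simple to automate from the web and mail server logs. The following is an added example, not code from the article or the organization; the event log format, the event names and the sample entries are all constructed here for illustration. It collapses repeated events per person and enforces the natural ordering of the funnel, so a staff member whose mail client blocked the tracking of "opened" is still counted as having opened the mail if they clicked.

```python
"""Added example (not from the article): tally the outcome of a phishing
drill from a constructed event log.

Each line is `timestamp,staff_id,event`, where event is one of
opened, clicked, submitted, reported.  The log format and event
names are assumptions made for this example."""
from collections import defaultdict

# Constructed sample log; not real drill data.
SAMPLE_LOG = """\
2024-01-10T09:01:00,s001,opened
2024-01-10T09:01:30,s001,clicked
2024-01-10T09:02:10,s001,submitted
2024-01-10T09:03:00,s002,opened
2024-01-10T09:03:20,s002,reported
2024-01-10T09:04:00,s003,opened
2024-01-10T09:04:40,s003,clicked
2024-01-10T09:05:00,s004,opened
2024-01-10T09:05:30,s004,clicked
2024-01-10T09:05:50,s004,submitted
2024-01-10T09:06:00,s004,submitted
2024-01-10T09:07:00,s005,reported
2024-01-10T09:07:30,s006,opened
"""

STAGES = ("opened", "clicked", "submitted", "reported")


def parse_events(log_text):
    """Return {staff_id: set(events)}; duplicate events per person collapse."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        _ts, staff_id, event = line.split(",", 2)
        if event not in STAGES:
            raise ValueError(f"unknown event {event!r}")
        events[staff_id].add(event)
    return dict(events)


def drill_summary(log_text, recipients):
    """Count staff per stage and compute rates against the number of recipients.

    Funnel ordering is enforced: submitting implies clicking, and clicking
    implies opening (an "opened" beacon can be blocked while the link still
    works), so earlier stages are back-filled from later ones.
    """
    per_staff = parse_events(log_text)
    counts = {stage: 0 for stage in STAGES}
    for evs in per_staff.values():
        evs = set(evs)  # work on a copy; do not mutate the parsed data
        if "submitted" in evs:
            evs.add("clicked")
        if "clicked" in evs:
            evs.add("opened")
        for stage in STAGES:
            if stage in evs:
                counts[stage] += 1
    counts["no_interaction"] = recipients - len(per_staff)
    rates = {stage: round(counts[stage] / recipients, 3) for stage in STAGES}
    return counts, rates


if __name__ == "__main__":
    counts, rates = drill_summary(SAMPLE_LOG, recipients=10)
    for stage in STAGES:
        print(f"{stage:>10}: {counts[stage]:3d}  ({rates[stage]:.1%})")
    print(f"no interaction: {counts['no_interaction']}")
```

The "reported" count is worth tracking alongside the click and submit counts: a rising report rate across successive drills is the clearest sign that awareness is improving, independent of how many people fall for the urgency cue.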
Such a drill was conducted recently in the organization, details of which are as follows:
- A webpage on the organization's intranet server was created for staff to input the details.
- A separate temporary mail server, outside the organization's domain, was set up for sending the mail to all staff. The domain used was different from, but looked similar to, the actual domain.
- A mail was sent to all staff (wherever mail ids were available), asking for certain details and requesting them to provide the details by clicking the link in the body of the mail. Though the information sought was not critical (considering the possible misuse of it), a sense of urgency was created in the mail, as actual phishing mails do.
- The drill was very successful in the sense that nobody could recognize that it was an exercise conducted by the organization.
A summary of the response by staff is as follows:
- Some staff reported receipt of the mail to their controlling offices and also to the CISO by mail/phone, and requested confirmation of the genuineness of the mail.
- Some offices advised the offices/staff under their control that it was a fraudulent mail and that the information asked for in the mail was not to be provided.
- Some staff reported receipt of the mail to the organization's incident response team.
- Some staff reported that the link was not opening at their end for providing the required details, which indicates that they would have ended up providing the details had the link opened.
- A good portion of staff from various offices across the country clicked the link and provided the details.
Observations/findings from the drill are as follows:
- A good portion of the staff are aware of such phishing mails and the harm associated with them. They are aware that such mails are not to be responded to.
- A major portion of the staff are not aware of such phishing mails. Given the urgency expressed in the mail, they provided the details asked for. They also could not identify the difference in the domain name used for sending the mail.
- Since certain departments/staff alerted the branches under their control, most of the branches/officials did not submit the details. Had the exercise been targeted at a particular group, say branches only, the number of staff clicking the link and submitting the details might have been higher.
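The finding that staff could not spot the difference in the sending domain is the one that lends itself to a technical control as well as training: a mail gateway or a user-side tool can flag sender domains that resemble the organization's domain without being it. The following is an added example, not code from the article or the organization. The legitimate domain `examplebank.in`, the confusable-character table and the sample sender addresses are all assumptions constructed for this example; it also goes a little beyond the drill by covering three look-alike styles (confusable characters, the real name buried inside a foreign domain, and one or two changed characters).

```python
"""Added example (not from the article): classify the sender domain of an
e-mail address as the organization's own domain, a look-alike of it, or
unrelated.  LEGIT_DOMAIN and the sample addresses are constructed."""
import unicodedata

# Assumed value for this example: the organization's real mail domain.
LEGIT_DOMAIN = "examplebank.in"

# Digits commonly substituted for letters in look-alike domains.
_DIGIT_MAP = str.maketrans("0135", "oles")


def normalize(domain):
    """Fold a domain into a form in which common look-alike tricks collapse:
    lower-case, accented/IDN homoglyphs reduced to ASCII, digit-for-letter
    substitutions reversed, and the 'rn'->'m' / 'vv'->'w' pairs mapped back."""
    ascii_form = (unicodedata.normalize("NFKD", domain)
                  .encode("ascii", "ignore").decode().lower())
    return ascii_form.replace("rn", "m").replace("vv", "w").translate(_DIGIT_MAP)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, legit=LEGIT_DOMAIN, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the domain part
    of an e-mail address, relative to the organization's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"            # the real domain or a sub-domain of it
    n_dom, n_legit = normalize(domain), normalize(legit)
    if n_dom == n_legit:
        return "lookalike"             # differs only by confusable characters
    legit_label = n_legit.split(".")[0]
    if legit_label in n_dom.replace("-", ".").split("."):
        return "lookalike"             # real name buried in a foreign domain
    if levenshtein(n_dom, n_legit) <= max_distance:
        return "lookalike"             # one or two characters changed
    return "unrelated"


def screen_senders(addresses, legit=LEGIT_DOMAIN):
    """Classify a batch of addresses; returns a list of (address, verdict)."""
    return [(addr, classify_sender(addr, legit)) for addr in addresses]


if __name__ == "__main__":
    # Constructed sample senders, not addresses from the drill.
    SAMPLE_SENDERS = [
        "ciso@examplebank.in",
        "alerts@mail.examplebank.in",
        "it-helpdesk@examp1ebank.in",
        "support@exarnplebank.in",
        "update@examplebank.in.verify-account.com",
        "security@examplebank.co",
        "newsletter@vendor.example",
    ]
    for addr, verdict in screen_senders(SAMPLE_SENDERS):
        print(f"{verdict:>11}  {addr}")
```

Treat the "lookalike" verdict as a prompt for a visible warning banner or for routing to the incident response team rather than as an automatic block: the edit-distance threshold is deliberately loose, and for very short domains a distance of two can also match unrelated names, so the threshold should be tuned against the organization's own mail traffic.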
Considering the above, there is a need to improve the awareness level among staff on a continuous basis.
An advisory, with special reference to the phishing drill conducted and with instructions on what staff are supposed to do on receipt of such mails, was subsequently sent to all staff.