Category Archives: Social Engineering

Click ratio is a useless metric for phishing!

I do not think it is still necessary to explain that phishing is a major threat for businesses and individuals. By now, most companies have one type of phishing training or another. But, are we sure these exercises work?

If we want to measure our training efficiency, we often perform regular phishing exercise and measure the results. If our phishing education was efficient, we should see a negative trend. Right? If we perform exercises every quarter, we should obtain something like that:

Typical phishing metrics

Looks good, isn’t it? Except we don’t know why there is a bump in the numbers in Q4. Is our training not working? Maybe is it due to the end of year exhaustion. Who knows? Or maybe the scenario we used in Q4 is more relevant to our context. Context is a key factor influencing phishing susceptibility. Unfortunately, it is hard to measure. So, we can’t accurately predict, nor define a level of efficacy for our phishing scenarios. Basically, comparing click/ration between different scenarios is utterly useless to measure progress and phishing risk reduction. So, how do we do?

Siadati et al. published an excellent article in 2017 highlighting this very issue. As the variance between scenarios can be as high as 40% (our research showed that it could be up to 60%), we cannot rely on inter-scenario measurement to measure the efficiency of our training. To say otherwise, the difference in the percentage of people clicking on a phishing link between two phishing scenarios sent to the same people at the same time can be as high as 60%.

Instead, they suggested using a system using multiple scenarios in parallel. The scenarios are used repeatedly with different groups of the population (groups are randomized). In our example, this would give this:

As you can see, we now have the four same scenarios sent to four groups of people in our population. Notice the 27% gap between scenario C and scenario D in Q1, like we had in our first example. Now, we don’t really care for the click ratio itself. What we would like to see is a downward trend for each scenario. And that’s what we’ve got. Same scenarios, same people, and a totally different, more accurate, measurement of our progress.

This protocol requires a yearly plan (that we should have anyway) and a sufficiently big enough population to have, at least, 30 persons in each group (for statistical significance).

There are, unfortunately, other pitfalls in our metrics that we have to take into account but that will be the subject of another post (and included in a short document we will publish very soon).

Reference:
Siadati, H., Palka, S., Siegel, A., & McCoy, D. (2017). Measuring the effectiveness of embedded phishing exercises. 10th {USENIX} Workshop on …, Query date: 2019-03-12. https://www.usenix.org/conference/cset17/workshop-program/presentation/siadatii

Your phishing awareness campaign may do more harm than good

Phishing and spear phishing campaigns become more and more elaborate, hence more difficult to identify and consequently more successful. Crelan’s 70 million € loss, early 2016 is a good example of the potential impact of such a successful social engineering attack.

As automated security systems are unlikely to detect and block the most elaborate and targeted attacks (as they need a significant number of similar emails to trigger their alerts), security officers are left with security awareness campaign focusing on developing skills to detect (spear) fishing attacks to try to mitigate this risk. It’s logical, it’s what security standards advise you to do but watch out you may be doing more harm than good!

One of the first mistakes in this approach is to consider awareness (or communication) as a goal. Any communication is aimed at instilling a change in its recipient(s). The aim of an awareness campaign is likely to change people’s behaviour and attitude so they pay more attention to the source of their emails, their contents and the rightfulness of what is asked to them. So basically, we should first have a measure of the current situation and aimed at a certain improvement in our “smart” metrics. The most obvious and significant one being: How many people will fall for a (spear) phishing email.

How do we usually do that? Often by a combination of training, online training, posters and “homemade” phishing campaigns to measure the exposure of the company and tickles our employees. In such case, we appeal on fear. Fear to contribute to a security incident, to a fraud, to a loss of money, fear to get fired.

Fear appeal is used to leverage behavioural changes as one believe the emotional reaction caused by fear will increase the likelihood of the occurrence of the appropriate, secure, behaviour. You better think twice as, like it is often the case, devil is in the details.

Fear appeal effectiveness is still a debatable question (that’s the principle of science) but mainly because it might works under some conditions. In their “Appealing to Fear: A Meta-Analysis of Fear Appeal Effectiveness and Theories” article, Tannenbaum et al. (2015) have analysed 217 articles on the subject and found few conditions making fear appeal ineffective while effects seem most apparent in women and for one-time behaviours.

However, in a review of 60 years of studies on fear appeal, Ruiter et al. (2014) concluded that coping information aimed at increasing perceptions of response effectiveness and especially self-efficacy is more important in promoting protective action than presenting threatening health information aimed at increasing risk perceptions and fear arousal”. A 2014 study of Kessels et al. using event-related brain and reaction times found that health information arousing fear causes more avoidance responses among those for whom the health threat is relevant for them.

Still, it seems there is some consensus regarding some specific conditions to be met by such communication: the communication must provide, just after the fear arousal, a solution to allow the audience to reduce this fear with a sense of self-efficacy, or, to say it simply, we must provide a simple way for our audience to fix the issue, being an easy to follow behaviour (one that doesn’t require too much psychological and physical energy). If our solution is so complex that it will (or the thought of using it) generate more stress than the feared event, our brain will likely avoid this behaviour and deny the reality of the risk (and the fear).

Latest researches in neurosciences (and more specifically in the field of neuroergonomy) provide some guidance to shape our message and solution in order to allow our audience to easily grab our communication and adopt the desired behaviour.

Like for most communication, we must avoid to saturate the working memory. What does it means? If we receive too many information at once, our brain is not able to process it at once. It is like for a lift. If there is more people trying to enter than the lift capacity, the lift is not going to move and will be stuck. It is the same for our brain. If we saturate the place where the information is stored in order to be processed (what we call the working memory).

The average span of the human’s working memory is 5 objects or, if we use Husserl’s terminology, noema. For most people, this span is between 3 and 7 objects.

But, what is an object (or noema) in that context? If I give you a phone number digit per digit (let say: 1,5,5,5,1,2,3,4,4,6,9), it will be hard for you to memorize the 11 digits of this number, each digit being an object. But, if we combine some digits together in small numbers (1, 555, 123, 44, 69), it will be easier to remember. The reason behind it being that these small numbers are also objects (noema) for our working memory and in that case, we don’t saturate it as there is only 5 objects (so, within the average memory span).

Why are the small numbers an object and not the large one? Simply because we are used to them. If you are bone in 1980, this number can become an object (as you are quite well acquainted with it) while 1256 could require 2 noema (12 and 56).

The same is true with words. Well known words (and their associated concepts) are easier to process. It is why I put multiple time the word “noema” (likely to be a new name for most readers) with the word “object” (a quite common word and clear concept) so it can be used as an “handle” to better “grasp” the new concept of “noema”. Similarly, using the metaphor of the “handle” to “grasp” a concept ease the understanding (the grasp) of the concept.

To summarize, our solutions, our expected new behaviours, must be as close as possible to something we already know in order to make it easier to grasp.

As a concrete example, if you want your user to check the validity of an email sender’s domain name (just that concept is not that easy to understand for a lot of people, so what’s on the right of the @ in an email address), you should provide a tool available in the first level of the menu or a link in the favourites website. The best thing would be to have the information integrated in the email or at a click from it.

E-commerce websites have already well integrated such concepts. They understood long ago that if you want to have a client ordering something, he must find it and be able to order it with 3 clicks or less. You maybe know the saying: “the best place to hide a body is on the second page of a Google search”. Meaning? Most people don’t go to the second page, it is a click too far.

kittenUsing pictures, drawings (simple one, keep the 3 to 7 objects rules in mind), stories, jokes help memorizing. Anything that might be relevant to the concept or totally outstanding might help too. Emotions help to memorize. If you scare people first, making them laugh or smile with your “solution” might allow memorizing it. Go kittens! (see https://www.ezonomics.com/stories/how-pictures-of-kittens-can-help-you-manage-money/).

Also, do not forget a basic principle of behaviourism… the sooner the better. If you want to foster an action, the reward must come very soon, ideally immediately, after the action. So, if you have people clicking on a link in a “test” phishing email, you may scare them by pointing their mistake but you should also immediately provide a way to avoid this experience the next time by providing a few quick tips on what they did wrong and how they should do it the next time.

Here is a nice example of a video playing just a bit on the fear and providing advices in a non-threatening, aesthetic (it matters too) and very simple way (by http://www.nomagnolia.tv/).

So, you know (a bit more) what to do now!

How to detect fake or stolen IDs?

Identification is one of the big challenges faced by security managers. It is a challenge when it comes to IT systems but even before that, to identify people. Even with the rise of national electronic identity cards (like eID in Belgium), fake or stolen IDs are still possible.

Even better, you might just make a Google Image search using a picture of an eID (like the one below) and find some other pictures of legitimate ID available on the web (not to say it is a breach of the European Data Privacy regulation).

Fake-eid

Sometimes, you might just receive a photograph of an eID or even just an ID card number or National Register number in a registration form or in a job application form. Shall it be for recruitment, background check or customer identification (like de KYC, Know your Customer, process for financial institutions), you might need to check, as much as possible, if the credential you have received are legit or not.

In Belgium, luckily for us, the ministry of interior provides a partial access to its database to validate an ID card number or an national register number. This application, Checkdoc, will just tell you if the number is still valid (No Hit) or if it is outdated or stolen (Hit).

You need to register first before being able to use Checkdoc (https://www.checkdoc.be/) .Also, notice you have to inform your customer or contacts that you will run their information through the database before doing it.

Additionally, you’ll find also pictures of every type of ID card being used at the moment and an explanation of the various security features you can use to spot a fake.

(Updated on 13/08/2016)

At the international level, Interpol provides the same kind of services to airlines operators through its Stolen and Lost Travel Documents (SLTD) database. Although there is plance to extend the access to this service to other industries, it is not the case yet.

 

Good hunting!