
Hook, Line, & Sinker - Addressing the Human Risk of Phishing and How to Avoid the Bait

BSides Tampa · 41:24 · 82 views · Published 2024-05 · Style: Talk

About this talk
By Aaron Strong

Aaron runs the Awareness and Training program at his company. Through this program he has been able to see first hand what does, and does not, work when it comes to creating effective phishing simulations and training. In this talk you will learn more about the different types of phishing scams and why they are so good at fooling us. Aaron will lay out procedures he has used to bring more awareness to this problem at work, and what red flags you need to pay attention to to spot those phishy emails! He will focus on how to get employees to learn, how to set up campaigns, and what needs to be in place from the top level to get everyone on board.
Transcript [en]

As I said earlier, I've never been accused of being quiet, so this should work well. I've always been told to start off a talk with a joke, so this is one I really enjoy, and it's kind of relevant and recent. Apple recently killed off the idea of creating an Apple car, which honestly isn't that unheard of or unexpected, considering who wants to drive a car without Windows? Yeah, sorry. The rest of the presentation will be better, I promise, at least I hope so. We are talking phishing and the human side of phishing, so the non-technical aspect, the things that we can take back to our friends, family, co-workers. So in 1944 the United States had a problem.

They had a really big problem, and what they were realizing is that this problem is something that they can't tackle on their own. It was an issue that they needed help controlling and getting under control, and they needed the help of the people of America, right? So they tried to figure out what the best way to get this under control was, and they decided the best way to go is with an ad campaign. So they put together an ad campaign and they pushed it out, and that ad campaign went on to be the longest running and the most successful ad campaign in American history. So better than Got Milk, better than Just Do It, and

I guarantee that if I were to poll this group of people, most if not all of you at least know the slogan: only you can prevent forest fires. The problem was, everybody knows that forest fires are an issue; it still is an issue today. But the problem was, the US government and the Forest Service couldn't do it on their own. They needed our help to try to get things under control by doing small little changes in behavior. Things like pouring water on your fire when it was done, not setting a fire at certain points of the year, or not setting fires in certain areas of a camping site helped reduce that overall

risk of creating wildfires. And so why am I bringing this up? Well, you've got 3.4 billion malicious emails sent per day, right? There's a lot of similarities between the idea of the small changes that we can make with fires and forest fires and what we can do with phishing. That 3.4 billion emails that are sent per day leads to a data breach about every 39 seconds. So if you want to think about it, that is about 80 to 90 data breaches before I'm done talking today. That's pretty insane. So I figure, why not take that same idea and try to bring awareness to phishing, of small changes that we can

make to try to make our friends, our family members, our co-workers and other people aware. So I came up with the idea of Cyber the Bear. At first my idea was Cyber the Fish, because, you know, we are talking phishing, but a fish out of water doesn't do very well, and a data center in water does even less well, so we stuck with the bear idea. And DALL-E did a pretty decent job of coming up with an image for me as well. And what I wanted to come up with was a slogan as well, but instead of making it just about you, making it about us, because it's still, from a cyber

security standpoint, we have a very large part in preventing data breaches. So today when we go through, we're going to kind of talk about what we can all do together to help prevent these data breaches. So social engineering, it's a big topic, and any time this little guy comes around you know something bad is happening; that's a little social engineering worm. Underneath that umbrella of social engineering is all types of phishing: phishing, smishing, vishing, all the -ishings that everybody is talking about. And when I usually start talking to people about phishing, this is usually what I hear: well, I know what I'm looking for. But do we? Because things are

changing, right? I think we all know what we're talking about: AI. AI has certainly changed the game in certain ways, but at the same time what we can do to try to remediate things hasn't. With phishing, what was the big thing that people always pointed out as a red flag that you needed to look out for? Misspellings, grammatical errors. Why? Because a lot of these phishing campaigns are coming from another country, and they're being written in English, in a language that maybe they don't know quite as well. Well, I went through and I created a phishing email in Bulgarian, a language I don't speak, a language that

has a lot of nuance to it. I have a friend who is Bulgarian and I asked him to read the email, and he said it did a very good job. I did that in about 3 seconds. So now the opposite can happen, right? You can create an email that is grammatically correct, that's spelled correctly, that has all the markings of someone that knows the language writing it. So those red flags that you used to know in phishing now make it look more like a spear phishing account, right? Because now you can tailor things very, very well to the actual people that you're trying to attack. In the same vein, with whaling,

if you've never written a business email before, ChatGPT or Gemini can write something that is relatively business friendly to make it seem like something that you're going for. Whaling being the emails that go after the C-suite, right? CEOs, CISOs, CFOs, because they've got a lot of access. They've got a lot of emails too, so they can't really look over their emails quite as well as they would want to, to be able to spot these things. So we've got these problems. Vishing: how many people have ever gotten a phone call saying that it's the IRS calling, you didn't pay enough taxes last year so you owe us Target gift cards, right? Yes. And those sort of things,

that is still happening. However, now with AI we can spoof a phone number and we can make it sound like anybody that you want. I can sound like your grandmother, I can sound like your father, I can sound like your children. I can make it seem like I am in trouble: I've been arrested, I need bail money, I'm in the hospital, I can't pay the bill, you need to send me money immediately, right? Those are far more difficult to stop, because what parent, what child isn't going to immediately try to help out a family member, right? These issues are coming hard and fast, right? Smishing. So I created

another gen AI image, and you can send these things out: hey listen, I found this poor dog, we need to collect money to help the animal, please go to the ASPCA, which you can see it's typosquatted, "apsca". Most people wouldn't necessarily see that. Who's this? Don't judge them for the green bubble, please, for those Apple users out there. But, you know, furthermore I can also have AI write an HTML script to create the website for me, so now I can go ahead and capture all of your credit card information. I didn't have to know a line of code. I mean, it wasn't the greatest looking website ever,

I'll be honest, but it's enough that it could fool some people into giving me their credit information, and these are all things that we need to keep our eyes out for. Business email compromise: over the last two years this has increased 1700%. That's a huge jump in business email compromise, because again, using things like ChatGPT you can make business emails sound far more businesslike without having to actually live and work inside that world, right? And then finally there's this. My wife found this for me yesterday. If you're interested, you can get a muffin or cinnamon roll; their cinnamon rolls are amazing, they're right downstairs. So if you scan the code you can go

right downstairs, pick up a cinnamon roll. But these QR codes are everywhere, right? And here it is a little bit larger if you need it. But the problem is, you see them everywhere, restaurants, in airports and other things, but the problem is you don't know where you're going, right? And when your phone pops up it looks like this: you just get the little URL on the bottom. So again, you can't really see where it is that you're actually going, right? So for those of you that were hoping for a cinnamon roll and are now looking at my face, I apologize that I lied to you and socially engineered you

this early on in my talk, but I sent you to my LinkedIn page instead, right? I was able to create the QR code, I was able to take the URL and make it a small URL, so you had no idea where you were going. And these can be slapped everywhere. You know, a lot of times at conferences you'll see them: hey, here's the agenda, scan the code. It doesn't take much for someone to just put a sticker of their own QR code on top of that to start capturing or downloading malware onto a device. So we've got a whole bunch of different kinds of social engineering, and it's no doubt that with all these

different things, 90% of corporate breaches are the result of some sort of phishing attack. But wait, that's not all. Now we have this to deal with, right? So seeing is believing, but not anymore. We had this event happen over in Hong Kong where a finance worker was duped into sending $25 million after they had a video call with the CFO and several other people from their company. So this is a person that knows their CFO, knows what the CFO should sound like, should look like, and was still faked because of it. And we'll talk a little bit more about what they could have done, but they started out by getting an

email, and it seemed phishy, so like, this doesn't seem right, let's jump on a call. All of a sudden, boom, there's the CFO, right? So now we got to add Zoom phishing, or Zing. I did a quick search online and I don't see anyone else having used Zing yet, and God, I really hope it doesn't catch on, but I'm going to trademark it anyway right now. So you heard it here first, right? So again, we've got all these different forms of social engineering. Why do they work? They seem so stupid sometimes, so easy to spot, but they've been able to continue faking us out even after decades of awareness and training. And it

comes down to a few basic ideas. Denial: you know, people will come up with all sorts of ideas as to why it may not work for them. We're too small, we're a tiny company, no one will come after us. Or worse: we're a huge company, we're MGM, no one's going to come after our casino, right? Well, a very simple fake was able to take out MGM, the casinos. Scams are complex and believable. You know, the fact that you can now fake a video, fake a voice, fake a language, you will click on something eventually. If you think you won't, you're faking yourself out. It's going to happen. They're very, very

believable. Also, there are some that are very not believable, but with scale it only takes a couple people to click for you to get a payday. So if I can send out 14 million emails, I only need a couple people out of that to fall for it, right? So it doesn't have to be great. And we're too distracted. How many people here have more than three devices on them at the moment? A phone, a tablet, a computer, maybe another phone, right? We've got tons of different things that are constantly pulling our attention, right? My company, we have a global presence, so I have emails that are coming in all hours of the day. My job isn't just 9 to 5 any

longer. You know, I work at home sometimes, and if you don't think having children at home is distracting, it is very distracting. You work in an office, again, you've got people walking past your cubicle, people talking to you, things are happening all the time, and when you're distracted, that's when mistakes can happen. And human psychology as well: we want to help. When there's a natural disaster, people want to help. They assume that, hey, I see this thing for the Red Cross, it's got to be legit, I'm going to go ahead and give money. We want to help, we want to be part of a solution. But on the flip

side of that, there's the seven principles of persuasion, right? And if you've ever looked into that, that's what the social engineers are looking into, or using against you. Things like reciprocity: hey, I did this for you, now you owe me something back. Or hey, a lot of other people are using the same sort of thing, you should click on this link as well because a lot of people are. You know, they use our evolution against us. So these are the reasons why it's working; we're hardwired against it, right? 74% of data breaches involve human action because of those things. That's a huge, huge

amount. So what can be done about it? I've given you a lot of very bad news; now it's time for the good news. What can we do about it? And it really boils down to one simple word: nothing. Honestly, we're not going to be able to stop socially engineering one another. It's not going to be a thing. People have been scamming one another for years and years and years, and it's going to continue happening for many more years. I was able to get an image of the first successful social engineering attack, and it kind of proves my point; it goes back a little further than most people might

think. We have been socially engineering, scamming and lying to one another since humans stepped foot on the planet, right? Since we stood upright and could talk to one another. It's not going anywhere. And here's another reason why: 12.5 billion dollars lost to email fraud alone. It's just email fraud. There's a lot of money, and it's just part of what we as people do; we try to steal and cheat and lie to one another to get things. So now to the better news: how to protect ourselves. From an employee or personal level, this is not one of those ways. You do have to check your emails. I have several people in my, well, several, I

have quite a few people in our company, because I run our phishing and awareness campaigns, that have never failed a simulation. And it's not necessarily because when they catch something they do something about it; they just don't read their email. And I know this full well, because when I do send them something that they need, they also don't get back to me right away either, so I know that they're not checking their emails. But here's what we can do. Everybody should realize that security is your job, right? Security may be in my job title; your job title may be finance, it may be operations, it may be development, it may be something

else, but deep down we all are there together to protect your company, your family, your personal finances, whatever it is. Security is what we all need to do, and to keep that mindset of: this is what we need to always be thinking about, security. What is it that people could be doing to try to steal from me, to try to gain my information? A big thing here is learning what is correct to spot what is incorrect. Before, we were telling you all sorts of things like, oh well, there's this phishing and then there's the smishing and the vishing. If you know exactly how a company should be contacting you, anything that deviates from that should

be a red flag, right? I had a buddy who got a job at a bank and he was going to be a teller, and the first, I think it was the first week, they sat all the new tellers down in their training and they laid out counterfeit money on the table and they let the tellers look at it, feel it, taste it, touch it, I hope they didn't taste it, put it up to the light to try to see what exactly it looked like, so that if someone ever handed you a fake $100 bill you could say, ah, this doesn't feel right, this isn't... So they spent an entire week looking at all

these things, learning all the ins and outs. The next eight weeks after that, all they did was focus on legitimate money, because the bank knew, just like how we should be teaching our people, there's no end to the list of things that could go wrong with an email, the kind of campaigns that could be waged against your company, or the kinds of ways that money could be altered to try to fake you out. But if you know exactly what a bill should look like, or you know exactly how a company should be contacting you, then when you get even the slightest deviation, that's when those alarm bells go off. So if I know that a company

will never text message me, but I receive a text message from them, I don't care how convincing it is, that's wrong. If I know that everything needs to come through the phone but I get an email instead, again, that's wrong. And it could be as convincing and as well-crafted as possible, but if you know what is correct, when it's not correct, that's when you'll be able to spot those differences. And a big thing too: stop, think and reflect. We work in such a fast-paced society now that the idea of stopping and thinking about something seems almost criminal, but it's never as urgent as the person wants you to think. And quite frankly, if

you want to save your company time, taking a minute to deconstruct an email, to think about what it is that you're looking at, is going to save the company a lot more time than trying to recover from a breach that now lasts for days, weeks, months, years. So stop and think. And we need to stop giving out personal information. You really do. And I don't just mean like, hi, oh, you're talking to Aaron, yeah, here's my social security number, not a problem, my phone number as well, great. That's not what I'm talking about. I'm talking about things you don't necessarily think about, like when you get a new job and the company sends you that laptop and you get really excited,

you want to take a picture and post it on LinkedIn. Well, now they know what kind of laptop you're using. You've just told the world what sort of software, what version of software that you're using. You know, you've given potential criminals information about your attack space. They now know how to craft an email to try to get after Apple computers, or specific issues with Microsoft Office, the version that you happen to be using, if you're using the fat client, if you're using O365. Same sort of thing as posting information about your family, your children. Everybody loves that picture where you're down on your knees with your kid the first day of school, and

they got the sign that says, hi, I'm going into Mrs. So-and-so's class for first grade and I'm excited. Well, now people know you've got a child that's in such and such school, that is with such and such teacher, and now they can use that to try to socially engineer a phone call to you, or another, you know, a video call or an email. Giving out that information may seem like a really wonderful thing to do, because you're really proud of that kid or you're really proud of that new job, but all you're doing is you are hemorrhaging information that can then be taken and used against you. So be very

careful what it is that you give out. Ronald Reagan, he said trust but verify. I don't agree. I say don't trust, always verify. Communication isn't safe. If you can teach the people around you that you love that communication isn't safe, that's going to go a long way, because so often people just think, oh, I got an email from Bob, Bob's a good person, I don't have to worry about it. Well, it may not always be from Bob. Hover your mouse over the URLs. There's two websites I always like to point people to. One is urlscan.io, and that does an amazing job with links. any.run, that's for files,

for documents and exes. It will actually run it for you and be able to tell you if there's something wrong with it. For urlscan it's super easy, right? You've got that bar up there, you put the URL in, whether that be an IP address or the URL itself, and it comes back and it tells you, hey look, that is malicious. It'll tell you where the website is hosted; in this case it is hosted in Russia. And it came back and it says, hey, this is malicious, maybe you shouldn't actually go there. And so if you hover your mouse over a link in an email and you can't tell where it is

that you're going, or it's going somewhere that it doesn't necessarily say it should be, like if it says, hey, go to company.com, and then you hover over it and it's a whole bunch of a string of numbers and letters, use urlscan. It's very, very easy to use. any.run, a little bit more difficult to use, but if you teach yourself how to use it, it can be very, very helpful. You run tasks, so you can actually drop in an executable, let it run, see what happens, and it's not going to blow up your... I'll get to questions at the end. It's not going to blow up your machine. And verify. Always verify. Verify

your information, and do it out of band. And by verifying out of band, this is probably the most critical piece of information that I want you to kind of leave here with: verify information, but do it out of band. And what I mean by that is in a way alternative to how I contacted you in the very beginning. So if I send you an email and it seems suspicious, give me a call. If I ping you on Slack or on Teams, email me back. Last year, on LinkedIn, I signed up for a sweepstakes to win tickets to Black Hat, right? Then kind of forgot about it, and a few weeks later I

got an email in my inbox and it said, hey, congratulations, you won tickets to Black Hat. And I mean, it's unexpected, it was too good to be true, there's a bunch of emojis in the email so it didn't fully feel like a business email. It was shooting off red flags all over the place. But at the same time, I kind of remember doing something to try to win Black Hat tickets. But who knows, maybe that whole sweepstakes, maybe I just did a completely boneheaded thing and gave my information to a threat actor, right? So what I did: the company that was sponsoring it, I went to their website and I went to the very

bottom of their page and I found the Contact Us, and, you know, I clicked on it and I filled out a quick email and just said, hi, my name is Aaron Strong, I was just contacted by this individual in this department from your company. If they exist, can you please have them reach back out to me and let me know that this is actually a real thing? Sent it off, and about 45 minutes, an hour later, I get a ping in my inbox and there's an email from that person from that company, and it says, Aaron, our contact team sent me over this email, I wanted to absolutely verify with you

that yes, this is real, that yes, you did win these tickets. So if you don't mind, would you mind sharing with me some information so that we could get your name on the tickets? That's what I mean by verifying out of band. That finance worker, they did an amazing job of saying, hey, this doesn't seem legit, let's hop on a Zoom call. The one mistake that they made is they didn't initiate the call. They didn't say, hey CFO, I'm gonna call you, I'm gonna call you on the phone, I'm gonna call you on Teams or whatever, and that could have potentially stopped the whole thing. But continuing

to take in and use the links that the attacker may be using against you, that's where the problem lies. Don't use the email address that's in the reply-to function of the email. Don't use the link at the bottom of the email. Don't use the phone number that's in the email, excuse me, the email signature, right? Go out and find that information from a trusted source, from the company's website, from, you know, something internal if it's from within your company. Respond out of band. That will save a whole lot of heartache and a whole lot of headache for you and your company. From a corporate level, a really big thing is to set up policies

and procedures, right? As a human firewall, don't allow one person to be able to make sweeping changes, especially when it comes to finances. When it comes to finances, make it touch two, three, four people, because if one person gets popped and they believe that this scam is happening and they think it's fully a legit thing, hopefully someone down the line will be able to stop and think and say, wait a second, this doesn't seem right. Has anyone verified this information? Has anyone gone back and spoken to the individual that's starting this process up, right? Policies and procedures, again, knowing what's correct to be able to find what's not correct.

Follow that procedure every single time, and if it deviates from that: hey, I know we normally have to get, you know, Simon and Edna involved with this, but time is of the essence, this has to happen right now, can you just please bypass? That's a huge red flag. It goes against policy, procedure, and it's outside of how we normally do things. And so you deputize your employees to say, that's not how we do things, we kind of have to do things the right way. And make sure that comes down from the top. If your executive team doesn't follow the same rules that you want your employees to, your employees aren't going

to either. Make sure that they continue to do it. Talk about it often. You know, the more we talk about security and the more we talk about issues like this, the more people will feel comfortable coming to you and being able to start up new conversations: hey, I read something, what do you think about this? Hey, I saw this, what do you think about X, Y and Z, right? It normalizes conversation so that people will feel more comfortable, so that you don't end up like this guy on CNN talking to Christiane Amanpour. This went around the world, and what's over his shoulder? I mean, that's an individual who probably didn't talk

enough about security and best practices within his company, because that should never happen, right? From a technical level, you've got password rotation and complexity, we all patch our systems, we all use multifactor authentication, or we should be using multifactor authentication; if you have the option, please use it, it's huge. Email security, you've got the alphabet soup, a 24/7 SOC, all these things are good, all these things should be used and must be used. However, if we don't train our people, all that kind of goes out the window, because here's some scary facts that CISA put out last year: 70% of attached files and links were not blocked by network border protection, so

that's a lot getting through. 15% of malicious attachments or links not blocked by endpoint protections. And this is the worst one: 84% of employees who took the bait did so in 10 minutes or less. So you're up against the clock. So for all of us, when you're talking to friends and family, when you're talking to co-workers, being able to make sure that they know what they're looking for and they know what they need to see and look out for is going to be a huge, huge help, because 10 minutes may seem like a long time, but 10 minutes to stop a breach is not a lot of time. So awareness and training, what's

the one thing we constantly hear about people? People are... yeah, well, I'd like to push back on that. Yes, people are an attack vector that gets hit quite a lot, but thinking of them as a weak link as opposed to an asset within your company, another line of defense, that defense in depth, right? That shifts the blame away from people and puts it back on us as practitioners to be able to train you, because if I don't train you well, how am I supposed to be able to know that you're going to know what you need to do? So don't think of people as a weak link. Think of

people as an asset, something that you can use as another layer of defense. So if you train them right... that's the same thing as going to a firewall and saying, how dare you, firewall, when really, you know, the information that you gave the firewall, the ACLs that you put in the firewall, were crap to begin with. You can't blame the firewall; blame the information that they were given, right? So address that human component early and often. Everybody, when you get onboarded into a company, you've got 30 days or something like that to complete security training and a whole bunch of other things. That's great, but why wait 30 days? Do it early. The sooner you start

your people on security training and security awareness, the better prepared they're going to be to be able to stop these things, because for those 29 days that it takes for them to get onboarded and start working and doing their job, that's a potential threat right there, right? You want to get them involved in the way you do things, the security that you have, so that way they fall in line with the rest of the company. Otherwise it's just kind of a potential problem out there. This is another big one: don't vilify failure. Excuse me, don't vilify failure. And by that I mean, when you send out a simulation, someone clicks on it and then

maybe they click on another one as well, don't come down on them as though they are the problem with the culture in the company, because all that's going to do is it's going to make them hide future failures. You know, for those out there that have kids, the same sort of thing: if you come down on your kids really hard on something, and then they actually mess up, they're going to hide their mistakes from you, when really you want them to bring their mistakes to you so that you can help them fix it. Same thing here. If they can't hide a phishing simulation failure, they can try to hide an actual attack

failure, and those are the ones you don't want hidden from you. You want them to be able to say, oh my God, Aaron, I just clicked on something, I don't know what to do, please help me. You want them to be able to feel comfortable coming to you, instead of, oh no, I just clicked on something, well, I'm not telling Aaron about it because he's going to scream at me for the next 3, 4 days, I don't want that, so hopefully this wasn't a problem, I'm just going to let it slide. You don't want that to happen. So if you vilify failure, they're just going to hide the problems from you. And going

back to encouraging that dialogue: if they have a question, hey, I clicked on something, what may have happened? All right, let's talk about it. You have a question about something you heard in the news? Let's talk. Their behavior, and quite frankly our behavior, impacts everything. If they don't buy in, then you've got a serious problem on your hands. And reward success, going back to the idea of honey catches more flies than vinegar, right? One thing I do: once a month I go in and I am able to find all the people in our company that actually successfully report a phishing simulation or a phishing email in the wild, and I grab all those email

addresses and I send them this: congratulations, a Security Rockstar award. This is a certificate: you saw a big old phish and reported it to security, this is exactly what we want, congratulations. Go ahead, print it out, put it on your cubicle. I've even seen people add it to their email signatures as well. And it gives them the feeling of, hey, I did something right, I want to keep doing that. But at the same time, for the people that are putting it up, now someone else walks past your cubicle going, what's this? What's this Security Rockstar award? I've now basically brought you into the security team, because now you're going to tell somebody else, well, it's because I

clicked on a fishing uh email and I used that button and it was actually a thing oh well what's that what's that button now you've got more people security teams are small right the more people you can get on your team the better you're GNA you're going to be all right so Lessons Learned do it often the more often you talk about things and the more often you run training and simulations the more people start thinking about it the other thing I've noticed is after I run a simulation in the days and and weeks afterwards the amount of of reported emails spikes not just a little bit it spikes you get a lot more and that's not because you're getting

more uh malicious emails coming into your corporate inboxes no that's because your employees are starting to think about it and they're like ah I failed that simulation let's go ahead and let's click on let's try to make these things um let's send this in so make them realistic it makes it does no one any good to to throw out softball uh simulations it trains people to look for the same thing at the same time of the month at the same time of the week the same day of the week whatever it happens to be if you keep it repetitive or you keep it really easy it yes your click rate your your metric that you can bring to the the elt may

look amazing our click rate is at near 0o per. well it's because it's it's not actually realistic it doesn't help your company because when an actual attack comes everyone's going to fall for it because you haven't trained them right I always follow up with results and Lessons Learned so I'll send out a simulation and then at the end of the simulation send out another email here's what you found or here's what you received here are the Red Flags you should have seen we did great this time and or we didn't do so great this time here's what to look for As you move forward you know be open about it be honest be transparent that's what makes

people believe you and again top down compliance with training if you're my CEO and you click on an email I'm going to Hound you to finish your training just as much as I'm going to go after the intern that we have for that semester right everybody has to do it because again if the CEO isn't no one else is going to want to do it tail your trainings just do it not everybody needs the same kind of training you can go for high-risk groups or people that have a lot of access um there's different types of training as well games and puzzles people love the games um we've seen a lot of uh a lot of interaction with

those you can use stories stories very easy to remember videos broad subjects can use longer trainings specific subjects it's better to go smaller we live in a Tik Tock society as unfortunate as that is where our attention span if it goes longer than 30 seconds we start to kind of get distracted but by by other things because there's something else that's happening right so keep them short people will be able to take that information in better and touch on relevant news stories and make the training diverse as well because again for a company like I work at we have people all over the world which means that what makes sense to me and what's relevant to me is not

necessarily going to be relevant to somebody else so if you're setting up these trainings either make it so that it's relevant to everybody or make sure that you send relevant information to those specific people we work think differently have different points of view different languages experiences and cultural references it's we're never going to be perfect right we aren't but if we do these things and we try to train people as best we can we will be as strong of a company as we can be and that's why we have those those other technical controls because again going back to the idea of I don't have to be perfect I don't have to run faster than the Hungry Bear right I just have

to run faster than you you don't want to be the guy with the camera you want to be the guy with the sun shade booking it out of there so together we can prevent data breaches and I know we only have a couple seconds left so I'll make sure that we touch on these last points these are the things I want you to leave with today for tips for your your people your friends your families your co-workers know what's okay that way you can spot what's not okay be careful what you click on verify that information but always do it out of band slow down and ask questions and learn how to report everybody has a reporting feature and

learn how to contact your stock just in case something bad does go uh does happen you need to be able to get in touch with your security operations team from a training standpoint remember to educate people on new threats that are happening make them realistic do it often and normalize the conversation don't vilify the failure and reward your successes because last year8 trillion dollar was lost because of global cyber crime and this year it's they're thinking it'll be closer to 10 to 11 trillion dollars this isn't going anywhere we need to stay on top of this we need to train our people thank you very much [Applause] [Music]
