Advanced Phish Threat Simulator combats low security awareness among end-users

Sumit Bansal, director for ASEAN & Korea, Sophos

Phishing remains one of the most common attack vectors for hackers who exploit end-user behavior as the weakest link in a company’s cyber-defenses. Traditional online security training programs are blind to the current attack landscape and disconnected from the rest of IT security management, making it burdensome for IT managers to effectively integrate anti-phishing into routine risk assessments.

Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. It is a serious threat. The Comelec data breach before the May 2016 national elections exposed voters’ information to phishing and similar identity theft and scams. The Bangladesh $10 million heist may have succeeded because the country’s secure server was compromised through malicious spear-phishing emails.

“Globally, some recent attacks have targeted users such as the Gmail phishing campaign, which was so effective that it even fooled tech-savvy users,” said Sumit Bansal, director for ASEAN & Korea at Sophos, in an exclusive email exchange. “Snapchat also fell prey to spear-phishing, which tricked employees into divulging sensitive information based on an email that came from Snapchat’s CEO requesting data on current and past employees.”

“According to a 2016 FBI Business Email Compromise (BEC) report, phishing and its variants (spear-phishing, whaling, etc.) are part of a growing cybercrime industry, which has reached a staggering $2.5B worth of damages since January 2015,” he added.

To help organizations and staff understand phishing attacks, Sophos, a global network and endpoint security provider, recently launched Sophos Phish Threat Attack Simulator, which enables IT managers to create authentic phishing simulations and training sessions, and to initiate course corrections for their employees. End-users are better equipped to recognize what a phishing attack looks like and to learn from their mistakes should they get lured into taking the bait.

As attacks change with current events, changing seasons and attacker methodologies, Sophos Phish Threat constantly updates its testing framework to reflect real-world threats.

Sophos Phish Threat is fully integrated with the company’s cloud-based security management platform, Sophos Central. With centralized management and automated campaign analysis, Phish Threat dramatically reduces the time and resources required to effect real change in employee behavior when faced with sophisticated and rapidly evolving cybercrime techniques.

“We built Phish Threat to replicate the mindset of a real attacker, using the complicated methods and techniques in use today. This means assessments are modelled after potential attacks that organizations may face from real hackers. We also wanted to make it more transparent and easier for IT to collate and analyse results,” Bansal explained.

“All businesses are susceptible to phishing, but cybercriminals tend to focus their efforts on major brands and niche sites. E-commerce, banking and money transfer services are also key targets, followed by social networking sites and email providers.”

Sophos Phish Threat Attack Simulator is predicated upon testing the vulnerability of an end-user to a set of phishing attacks. It does this by launching a simulated attack for basic phishing, credential harvesting, or attachment-based emails. End-users who click on the simulated attack are immediately informed that in the event of a real attack, company resources might be compromised.

“Users can identify phishing emails by paying attention to whether a message contains bogus links or mismatched URLs or poor spelling and grammar, makes uncommon requests, or comes from a sender who is unknown and suspicious to you,” advised Mr. Bansal.

He suggested that a more effective strategy against phishing is to employ a layered approach. Repeated phishing attack simulation and testing should be conducted on end-users to help strengthen their security posture and to build a culture of security consciousness within the organization.

Effective email and web security protection provides “time-of-click” safeguards that block malicious email URLs, protecting against stealthy, delayed spear-phishing attacks. Lastly, organizations should employ a next-gen endpoint solution so that exploit- or ransomware-based attacks are stopped as a last line of defense.

Additional best practices recommended by Sophos’ Bansal to prevent phishing include:

Never respond to emails that request personal financial information. Reputable companies don’t ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don’t respond until you verify with the company by phone or by visiting their website. Always choose to type the website URL in yourself rather than clicking on a link in a suspicious email.

Keep a regular check on your accounts. Log on to your online banking accounts often to check your statements. If you see any suspicious transactions, report them to your bank or credit card provider.

Check that the website you are visiting is secure. Before submitting your bank details or other sensitive information, there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data. For example, check the web address in the address bar. If the website you are visiting is on a secure server, it should start with “https://” (“s” for security) rather than the usual “http://”. Note that “https://” only means the connection is encrypted; it does not by itself prove the site belongs to the company it claims to represent.

Keep your computer secure. Some phishing emails or other spam may contain software that records information on your internet activities (spyware) or opens a “backdoor” that allows hackers access to your computer (Trojans). Installing antivirus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you.