Page 124 - Cyber Defense eMagazine December 2022 Edition
Worldwide fraud gangs raking in millions
Spear phishing is one of the most dangerous and most common cyber-attack methods today. These
attacks are increasingly carried out by international fraud gangs and can cost companies a fortune.
The best-known examples include the German automotive supplier Leoni, which lost around 40 million
euros through CEO fraud in 2016, while the Austrian-Chinese aerospace supplier FACC lost 50 million
euros in this way.
Alarmed by recurrent stories of this sort in the media, many companies naturally want to make their
employees aware of the dangers posed by spear phishing. One common method they resort to is security
awareness training, which focuses on classroom training, e-learning and webinars. These provide
participants with theoretical knowledge of how spear phishing attacks work, how to recognize forged
mails and how to behave in the event of an attack. This is certainly important to know, but it is not enough
to effectively arm users against attackers’ psychological tricks.
Two highly different systems of thought
The reason for this lies in the two different human thought systems described by psychologist and
Nobel Prize winner Daniel Kahneman in his bestseller "Thinking, Fast and Slow". According to this,
system 1 - fast thinking - is guided by subjective feelings and empirical values and tends to make
impulsive decisions "based on gut instinct". System 2, on the other hand - slow thinking - takes objective
data into account and proceeds systematically, rationally and logically when making decisions.
By imparting objective knowledge about spear phishing methods, conventional security training targets
the second, slow thinking system. In doing so, it neglects the first thinking system, which is
responsible for spontaneous clicks on incoming emails. Therefore, training urgently needs to be
supplemented with learning content that promotes employees' fast thinking and intuitive decisions.
Simulated attacks strengthen awareness
This can be achieved with spear phishing simulations. These use real company and employee
information to stage fake attacks. Employees who are taken in by a fraudulent email are immediately
taken to an explanation page. There they are shown the features that would have enabled them to
recognize the mail as fake on closer inspection: from misspellings in the sender address to the
use of subdomains and suspicious-looking links.
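As an added example (not part of the article), a small Python triage routine that checks a message for the three red flags the explanation page describes: a misspelt sender domain, a legitimate name used as a subdomain of an unrelated domain, and a link whose visible text names a different host than its target. The trusted domain and the sample message are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the domains the (hypothetical) company sends from.
TRUSTED_DOMAINS = {"example-corp.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def registered_domain(host):
    # Last two labels of a host, e.g. 'mail.example.com' -> 'example.com'
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_flags(host, label):
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []  # genuinely ours, nothing to flag
    flags = []
    for trusted in TRUSTED_DOMAINS:
        # 1) domain that is close to, but not exactly, a real one (misspelling)
        if SequenceMatcher(None, reg, trusted).ratio() >= 0.8:
            flags.append(f"{label}: lookalike domain {reg!r} resembles {trusted!r}")
        # 2) the real name appears as a subdomain of an unrelated registered domain
        if ("." + trusted + ".") in ("." + host.lower()):
            flags.append(f"{label}: {trusted!r} used as a subdomain of {reg!r}")
    return flags

def analyze(raw_message):
    """Return the red flags a reader could have spotted in the message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    flags = host_flags(addr.rpartition("@")[2], "sender")
    for href, text in ANCHOR.findall(msg.get_payload()):
        target = urlparse(href).hostname or ""
        flags += host_flags(target, "link")
        # 3) suspicious link: visible text names one host, href leads to another
        shown = LOOKS_LIKE_URL.match(text.strip())
        if shown and shown.group(1).lower() != target:
            flags.append(f"link: text shows {shown.group(1)!r} but points to {target!r}")
    return flags

# Constructed sample message modelled on the red flags the article lists.
SAMPLE = """\
From: IT Support <helpdesk@examp1e-corp.com>
Content-Type: text/html

<p>Your password expires today. Renew it at <a href="https://example-corp.com.account-renewal.example/login">https://example-corp.com/login</a></p>
"""
```

Running `analyze(SAMPLE)` yields one flag per red flag; the same output is what an explanation page would show the employee after a simulated click.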
Phishing simulations are a proven method of sustainably increasing employees' security awareness. This
is because they take advantage of the "teachable moment", when a user is most receptive to new
lessons. Since employees are shown their error immediately, they will be more careful
with incoming emails in the future. To keep employees on guard, it is advisable to repeat spear phishing
simulations regularly and adapt them to the attackers' ever-changing methods. The goal here must not
be to monitor or trick employees - instead, the focus must be on training. For this to succeed, the use of
security awareness training must be communicated correctly.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.