KnowBe4’s Roger Grimes has been in the cybersecurity business for decades. His books, including A Data-Driven Computer Defense, are prized resources for security professionals around the world.
But no one—not even Grimes—is immune from phishing attacks.
“I got phished twice this year!” Grimes told Virtru’s editorial team, referencing KnowBe4’s internal phishing simulations. “I thought I was unphishable—and after the first one, I thought I was unphishable. The second one, I realized: I was phishable.”
Thankfully, internal simulations like these are a valuable learning opportunity, because social engineering attacks are evolving quickly, becoming so sophisticated and targeted that they can be extremely difficult to detect.
“There are a lot of ways you can be hacked,” Grimes said, “but social engineering and phishing is the number-one way, and has been for quite a while. It seems that it will be for the foreseeable future.” Unpatched software is the next-most-common way organizations are hacked, which we saw with the Microsoft Exchange Server vulnerability brought to light in early 2021.
Grimes is a firm believer that, in order to be resilient against cyber attacks, organizations need to foster a culture of security awareness and education, making it a core part of how they operate.
While security teams should ensure they have a comprehensive ecosystem of technology to safeguard enterprise data, it’s also vital for individual employees to understand the impact of their security behaviors, like approaching emails with caution and encrypting data shared in emails and via file-sharing platforms. In a conversation with Virtru’s editorial team, Grimes shared some valuable insights into the tactics that make social engineering so effective—and guidance for how to spot a phishing attack before it’s too late.
The prevailing advice for preventing phishing attacks used to be, “Don’t open an email from someone you don’t know.” But Grimes says that’s no longer enough.
“A lot of times, the emails are coming from people you’ve done business with for 10 years. So now the new training is: If it’s an unexpected email—even from somebody you do business with—and it’s asking you to do something they’ve never asked you to do before, and that thing they ask you to do could be potentially dangerous to you or your company, then you slow down.”
Slowing down is easier said than done, especially as people move quickly through their day, tapping on emails and links on their phones and tablets, perhaps while distractedly listening to a call and not devoting their full attention to the email in front of them.
But approaching emails with a healthy sense of skepticism and attention to detail is a powerful behavior change, and it can make the difference between a close call and a data breach.
“Years ago, when you got a phishing email, it would have all kinds of typos in it, and it would be from some weird-looking email address,” Grimes said. “You’re like, ‘There’s no way this is my boss,’ or, ‘There’s no way this is Microsoft.’ But, these days, they’re a lot more sophisticated. They’re more and more often actually targeting particular industries.” Phishing attacks are starting to use industry-specific terms, jargon, and client scenarios to foster a false sense of trust. As hacking groups learn more about the industries they target, they can make these emails look increasingly realistic.
These attacks are effective—and hackers can use a single successful incident as a jumping-off point to compromise the victim’s organization, contacts, colleagues, and partners.
“Now, we’re seeing these highly targeted things that are appearing to be from people’s bosses—and that boss is referring to a project the individual is on. So they’ll say, ‘Hey, you know that project you’re working on with Cindy in HR?’ I’ve had people email me asking, ‘How did they know the name of the person who approves checks? That person’s name is not known outside the company, it’s not on any public documents. How did they learn that Cindy is the one who approves wire transfers?’ And sometimes they find out, that person’s name was mentioned in a public document, or the hacker has compromised a partner that dealt with Cindy.”
“We wish for the older days when it was the misspelled typo emails.”
Playing on emotion is exceptionally common in social engineering attacks, because it clouds people’s judgment and gets them to act with a sense of urgency. An email from your boss, or your CEO, asking you to immediately complete a business-critical wire transfer may make you act urgently and without fully thinking the request through.
This is exactly what the hacker wants.
And with the onset of the coronavirus, health information (and misinformation) can cause people to click on a link out of frustration, concern, fear, or anger. In fact, this is what happened with Grimes’ first phishable moment this year.
“A trick that we saw as being highly successful is an email saying, ‘Come get your COVID shots now,’ and this was before the COVID shots were available. People were getting mad because they were being told to come get a vaccine that didn’t exist, or they’re being told, ‘You’re not going to be able to take the vaccine for six months,’ or ‘You’re not going to be allowed to come back into the office,’ or ‘You didn’t take the vaccine, so you can’t come back to the office.’ And the person is like, ‘What do you mean? I got my vaccine!’ And, boom, they’re clicking. So, making the person angry means they’re far more likely to not look at the email in totality, than if it’s just some gentle email.”
“Hackers are really becoming really great consumers of human psychology,” Grimes said. “They’re using it against us, and it works.”
Data breaches happen all the time, and often they leak user credentials, including passwords. This can be hugely damaging for people who reuse the same passwords across accounts. It’s absolutely worthwhile to use long, complex, and unique passwords for each of your accounts. Grimes recommends using a password manager to help generate and keep track of these passwords, so users don’t have to remember them. “No matter how you do it, you need to encourage people not to reuse the same password,” Grimes emphasized. “Because every second additional website you use it on is exponentially increasing your risk.”
However, a rule against password reuse can be difficult to enforce. “How does work know whether an employee is reusing a work password on their banking website, or Amazon, or Instagram? They don’t,” Grimes said. “So you have to make them care, change the culture, because sometimes that’s all you’ve got.”
Multifactor authentication and password managers can help mitigate some of these challenges. The complex, long, and unique passwords created by a password manager can help insert an additional step between the individual and the hacker, because people simply can’t remember dozens or hundreds of complex passwords and passphrases. “I know I’m not going to be phished out of a password because I do not know it,” Grimes said. “There’s some comfort in that.”
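The two habits described above, never reusing a password and letting a generator produce a long random one per account, are easy to show in code. The following Python script is an added example written for this article; it is not code from Grimes, KnowBe4, or Virtru, and the vault contents are constructed sample data. It compares passwords by hash so the reuse check never needs to handle plaintext beyond the vault itself, and it draws new passwords from the operating system's CSPRNG via the `secrets` module, which is what a real password manager does.

```python
import hashlib
import secrets
import string
from typing import Dict, List

# Constructed sample vault in the shape a password manager keeps: account name -> password.
# Two entries deliberately share a password so the reuse check has something to flag.
SAMPLE_VAULT: Dict[str, str] = {
    "work-sso": "Spring2021!",
    "bank": "Spring2021!",
    "shopping": "q8#Lm2vPz!7rWdK4",
}

# Character classes a generated password must draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def fingerprint(password: str) -> str:
    """Hash a password so reuse can be detected by comparing digests, not plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group account names by password fingerprint and return only the groups
    that contain more than one account, i.e. the passwords being reused."""
    groups: Dict[str, List[str]] = {}
    for account, password in vault.items():
        groups.setdefault(fingerprint(password), []).append(account)
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}


def generate_password(length: int = 24) -> str:
    """Generate a random password from the OS CSPRNG, retrying until it contains
    at least one lowercase letter, uppercase letter, digit and punctuation mark."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one char of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (
            any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in string.punctuation for c in candidate)
        ):
            return candidate


def rotate_reused(vault: Dict[str, str], length: int = 24) -> Dict[str, str]:
    """Return a copy of the vault in which every account that shared a password
    with another account has been given a fresh, unique generated password."""
    rotated = dict(vault)
    for accounts in find_reused_passwords(vault).values():
        for account in accounts:
            rotated[account] = generate_password(length)
    return rotated


if __name__ == "__main__":
    for fp, accounts in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {fp[:12]}... is shared by: {', '.join(accounts)}")
    fixed = rotate_reused(SAMPLE_VAULT)
    print("reuse remaining after rotation:", len(find_reused_passwords(fixed)))
```

Running the script reports that `work-sso` and `bank` share a password, then rotates both onto independent 24-character random values and confirms that no reuse remains. The same `find_reused_passwords` logic, applied to a manager's export, is the closest a user can get to answering the question Grimes raises about whether a work password is also in use on personal sites.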
It’s important for people to realize that ransomware doesn’t just affect an organization: It also affects employees and their livelihood.
“The average ransomware product is in a company for an average of 200 days before it goes off, and during that time it’s collecting all the passwords of all the employees,” Grimes said. “So, if you go to Amazon and order something, if you go into your bank account to check your 401(k), your healthcare accounts, they’re getting all those passwords.”
Breaches also have downstream impacts on employees. Security leaders can share examples of major incidents and emphasize that, because of the financial impacts (the average data breach costs $3.86 million), those employees probably aren’t getting bonuses anytime soon.
“It’s really tough to be perfect, right?” Grimes laughed. “To fight these guys, you have to be better—and what hackers like is inconsistency. But if you can build in a culture of consistently doing the same things over and over and over again, it makes it harder for the weaknesses to seep in.”
Strong security behaviors come down to continued communication, reinforcement, and a culture that makes security a core part of how teams operate and collaborate from day to day.
“If you can change the culture, you’re more likely to make people care about it and change their own habits for themselves—and for the safety of the company.”
Roger Grimes is the Data Driven Defense Evangelist for KnowBe4, a security awareness training company, and the author of several books, including A Data-Driven Computer Defense.