June 19, 2019

If you’ve ever undergone security awareness training, you’ll already be on the lookout for phishing scams.

Remembering to think twice before clicking email links or downloading attachments is hard enough. Now research from Kaspersky adds a new worry to the list: phishing in your calendar.

Along with phishing emails, texts, tweets, and pop-ups, cybercriminals have found a way to exploit calendar settings, placing ‘mal-events’ laced with phishing links in victims’ diaries.

Scammers sent a wave of calendar event invitations to users. In many cases they were able to trigger notifications automatically, making the infected events seem more legitimate. The calendar entries Kaspersky researchers observed came from trusted apps like Google Calendar, making the scam even more effective.

The goal of calendar attacks is to take advantage of the default setting that allows invites to be added automatically, along with a scheduled notification.

Cybercriminals preload the text of the event entry with a phishing link and a short subject line to entice targets to click.
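A defender-side illustration of the mechanism described above, added here and not taken from the article or from Kaspersky's research: a small Python triage that parses iCalendar (RFC 5545) invitations, joins folded continuation lines (which can split a link across lines), and flags any event whose organiser is outside the organisation and whose text carries a link or one of the lure phrases quoted in the article. The sample feed, the trusted-domain set and the lure list are constructed assumptions.

```python
import re
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:constructed-1
ORGANIZER:mailto:rewards@lure.example
SUMMARY:Get your cash reward
DESCRIPTION:Claim here: https://survey.lure.example/
 claim?id=123
END:VEVENT
BEGIN:VEVENT
ORGANIZER:mailto:alice@corp.example
SUMMARY:Quarterly planning
END:VEVENT
END:VCALENDAR"""  # constructed sample, not a real capture: one lure invite, one benign one

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the organisation's own sender domains
LURE_PHRASES = ("cash reward", "money transfer")  # lures quoted in the article
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)

def parse_events(ics: str) -> list[dict]:
    """Return one {PROPERTY: value} dict per VEVENT, joining RFC 5545 folded lines first."""
    unfolded: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and unfolded:  # continuation line: glue onto the previous one
            unfolded[-1] += raw[1:]
        elif raw:
            unfolded.append(raw)
    events, current = [], None
    for line in unfolded:
        name, _, value = line.partition(":")
        if line == "BEGIN:VEVENT":
            events.append(current := {})
        elif line == "END:VEVENT":
            current = None
        elif current is not None:
            current[name.split(";")[0].upper()] = value  # drop parameters such as ;CN=...
    return events

def triage(ics: str, trusted: set[str] = TRUSTED_DOMAINS) -> dict[str, list[str]]:
    """Map UID -> reasons for every invite that should be held for review rather than auto-added."""
    flagged: dict[str, list[str]] = {}
    for ev in parse_events(ics):
        domain = ev.get("ORGANIZER", "").lower().rpartition("@")[2]
        text = f"{ev.get('SUMMARY', '')} {ev.get('DESCRIPTION', '')}"
        urls = URL_RE.findall(text)
        reasons = [f"lure phrase {p!r}" for p in LURE_PHRASES if p in text.lower()]
        reasons += [f"external organizer {domain!r} sent link(s) {urls}"] if urls and domain not in trusted else []
        if reasons:
            flagged[ev.get("UID", "?")] = reasons
    return flagged
```

Running `triage(SAMPLE_ICS)` flags only the first event, with both the lure phrase and the reassembled external link as reasons; the internal planning invite passes untouched.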

Old tricks, new format

So far the scammers have been pushing links to fake surveys, adding short event descriptions like, “Get your cash reward,” or “There’s a money transfer in your name.”

The idea of course is to get victims to click and then enter personal, banking, or credit card information into a malicious form.

These are pretty recognisable as phishing/spam plotlines so the tactics may not be fully honed. But if criminals get better at making events and invitations look like they’ve come from work or family, the threat will become more serious.

Cyber rogues continue to innovate

Phishing attacks often try and fake the look and feel of trusted organisations, using branded display names, or look-alike domains to add credibility to their attempts.

Using calendar entries as a vector of attack – relying on their safety and blandness – is clever. It's designed not only to trick the unsuspecting, but also to get around security awareness training, which may not address calendar entries in phishing simulations.

If an infected calendar entry looked like it arrived from the office, you could easily imagine someone absent-mindedly clicking ‘accept’.

It just goes to show how exploitable the technologies we take for granted can be. Which is why organisations need to continually update staff security awareness programmes in order to keep up with the latest exploits, malware, and phishing techniques.

Regardless of the level of sophistication, phishing attacks are on the rise. The latest numbers show that 83 percent of cybersecurity teams had to defend against phishing attacks last year, up from 76 percent in 2017.

If employees can be trained to spot phishing attempts as they happen, and sustain their level of awareness, the risk of a security breach diminishes. The report noted that companies with a security awareness training programme — nearly 60 percent — saw an increase in detection when staff knew how to recognise potential attacks.

Simulated attacks can strengthen phishing defences

The pace of innovation in malware and phishing techniques is more evidence that training needs to be updated regularly.

And the manner of training is important. Forget about classrooms and textbooks. With detection resting on the ability to catch ever more nuanced techniques to build trust, simulations that put the end user directly in front of a new phishing attack are the best way to test their real-world reactions.

Phishing simulations are fake attacks designed to help employees understand the different forms phishing can take so they are more likely to avoid clicking malicious links or inadvertently leaking sensitive data.

Security teams create their own artificial phishing emails, texts, web pages (and now calendar invitations), then send them to employees. The objective is to observe people’s reactions and measure behaviours in real time.

Done right, simulations can quickly raise risk awareness and give security teams important baseline metrics – e.g. what percentage of the workforce caught the phishing attempt and what percentage didn’t – that they can work to improve on over time.

Employees get to experience a phishing attack in the wild, but without any of the risk. They’re also given a chance to improve their security behaviour in the context of their day-to-day duties.

How to do phishing simulations right

But the way simulations are executed can impact their effectiveness. Poor planning and uninformed assumptions can skew results or make it less likely that staff see the exercise as worthwhile. To get the most out of simulations, organisations should:

Cover all bases

As we’ve learned today, email isn’t the only mode of phishing attack. Simulations need to be run for all the relevant threat vectors: calendar invites, SMS, social media, and even voice – as some attempts at phishing and social engineering happen by phone.

Back up simulations with a broader programme of awareness training

Simulations will be more effective if executed as part of a larger programme designed to alter behaviour and empower teams to recognise threats independently.

Simulation design should also consider how employees address security and privacy issues at home, and emphasise the skills and know-how an end user might employ to protect their families or secure their own personal cyber space.

Don’t overdo it

Making employees phishing-aware shouldn’t happen at the expense of smooth and efficient operations. Present the threat in proportion to the risk, otherwise people may learn to fear their own inbox, or have IT checking every email from an unknown sender.

Phishers are clever, but so are we

Real-time phishing simulations have been shown to double employee retention rates compared with more traditional training tactics.

Empowering your employees won’t happen overnight however. Simulations need to be part of a broader programme of security awareness training where the focus is on showing instead of telling.

Done right, they can strengthen an organisation’s culture of security awareness by giving employees tangible, real-life scenarios that help them understand their own security instincts when a new phishing email lands in their inbox.

Want to learn more about making employees phish-proof? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.
