Phishing Drills Teach Employees to Dodge the Hook

A security consulting firm expects customers will hire them to conduct faux phishing drills.

A security consultancy in February will launch a portal to automate the infliction of faux spear-phishing attempts on one's own work force—an educational tactic that experts are increasingly pointing to as one effective method to stem the tide of information being unwittingly handed to thieves.

The site,, will be launched by Intrepidus Group, a consultancy with offices in New York and Chantilly, Va. It will feature templates for crafting customized faux phishing attacks and WYSIWYG workflow. In addition, the service will provide educational error message warnings to employees who attempt to enter sensitive information.

Intrepidus will provide statistics on how many employees open the faux phishing messages, how many of them open links directly from the phony phishing e-mail, how many copy and paste the URLs into their own browser windows (considered a safer method to check out an e-mailed link than clicking directly from the e-mail), how many employees ignore the messages altogether, and how many attempt to enter sensitive information. No sensitive information will be collected or allowed to be entered, according to Intrepidus Managing Partner Aaron Higbee.

Phishing scams proliferated in 2007, to put it mildly. During the first half of the year, Microsoft's Malicious Software Removal Tool detected 31.6 million phishing scams—an increase of more than 150 percent over the previous six months—according to the company's biyearly Security Intelligence Report, released in October.

In fact, the SANS Institute included spear-phishing as one of 19 top security issues on its SANS 2007 Internet Threats List. "This year for the first time we're reporting that one of the most critical risks is attacks against people, where attackers focus on executives," said Alan Paller, director of the SANS Institute, when the list came out in late November.


The spear-phishing of executives and rich people even rated a new term in 2007: It's called "whaling," drawing on the Las Vegas habit of referring to rich gamblers as "whales." Targets have increasingly included military and government agencies, such as the recent, successful targeting of national labs.

In early December Oak Ridge National Laboratory reported that it had been bombarded with a coordinated spear-phishing attackaimed at multiple national labs including Los Alamos.

Oak Ridge may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers, due to workers having fallen for e-mail crafted to look like industry conference brochures and other legitimate-looking communications. That attack has been linked to Chinese scammers.

SANS advises anti-phishing education and in its Top 20 list of threats for 2007 went so far as to recommend that organizations do exactly what PhishMe will soon offer: i.e., send out phony phishing scams targeting one's own workers.


Click here for a slide show on SANS' top Internet security risks of 2007.

It's not a new concept. In 2005, the state of New York sent e-mail messages that appeared to be official notices to 10,000 employees. The messages asked that employees click on links and type in passwords and other sensitive information.

Some 15 percent did so, typing in passwords and only stopping when a message informed them that they had fallen for a faux phishing attempt, according to a news accountin the Wall Street Journal.

The military in particular is taking the threat of spear phishing to heart: The Department of Defense in November 2006 mandated that all personnel undergo spear-phishing awareness training by January 2007.

In spite of the growing awareness of the need for spear-phishing training, administering a phony attack on one's own crew hasn't been particularly easy. As a New York official told the Wall Street Journal when the state conducted its ersatz phishing attack in 2005, the state hired an outside Web consultant to design the bogus e-mail lure, then it brought in the services of AT&T to route the e-mail so it came from outside the state's own network, as would a real phishing attack.

Thus the appeal of an automated service that can be set up to do it all automatically while collecting statistics on how well an organization's doing, Higbee told eWEEK.

Page 2: Phishing Drills Teach Employees to Dodge the Hook Intrepidus first started offering the service—in nonautomated form—to clients around 2004.

"We had been doing [penetration] testing for clients for a while. The way attackers were breaking in back then was port scanning, or finding vulnerabilities and exploiting them," Higbee said. "But things changed: People got their firewalls in line … and attackers starting changing tactics.

"They [searched for e-mail addresses] off of the Internet, then they tried to sneak attachments into organizations, trying to trick people into giving up passwords [and other sensitive information]. We started seeing [phishing attempts] on incident response reports. We said, 'We need to do these mock phishing tests in order to see where you really are as far as security goes.'"

There is only one word to describe clients' reactions after agreeing to try out the service and then seeing how their work forces fare: shocked.

The first guinea pig back in 2005 was a health care organization with 70,000 employees. Of that employee base, about half clicked on the link offered in the phishing come-on, which purported to be a check to see if a given employee was eligible for a free computer.


Of those 35,000 or so workers, 60 percent entered their user name and password when prompted to do so. The scenario lasted about a week, with employees who fell for the scam receiving a message saying they'd been phished by way of an authorized test.

The health care organization didn't stop there. One lesson Intrepidus had learned was that the phishing attack had been a little too authentic. The client requested a second test that introduced spelling and grammar mistakes that would make the phishing site look a bit more bogus.

On the second go-round, 25 percent of the employee base still fell for the scam. Better, but still: It only takes one employee to fall for a scam and hand over the keys to a network, Higbee pointed out. A third test for the same client went back to sporting an authentic look. In spite of its lack of spelling and grammar errors, only 4 percent of the health care organization's increasingly wary work force fell for the scam.


Click here to read about a employee who was duped into handing a customer list to a phisher.

New employees are particularly vulnerable to being phished. One of Intrepidus' clients, an insurance company, targeted only new hires in a bogus phishing campaign. Nearly 100 percent of the targeted employees fell for the scam. Not surprising, given that a new employee is used to receiving a barrage of e-mails telling him or her to go here or there to register for a 401(k) plan, for a health care plan, for intranet access, etc.

The results were so appalling that the insurance company decided to no longer send links via e-mail for human resources-related activities, Higbee said. Instead, when announcing a new plan, the company puts the details on the intranet but doesn't send out a link—instead, it only tells employees where to go on the intranet and what to click.

To address the ease in which new hires are duped, templates on the automated PhishMe portal will generate e-mail come-ons that say, for example, that an organization is about to change its 401(k) plan or that employees can review their pay stubs if they go to a phishing site and enter their information.

Intrepidus hasn't yet worked out pricing. Higbee said that this type of campaign generally takes about a week of consulting services to set up, send out an e-mail campaign and then to collect statistics. The automated portal approach will be less expensive than a week of consulting, he said.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.