Do not let the human factor turn your castle into a fortress of glass. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails discusses why no corporate information security program is complete without addressing the human factor in security. How do phishing scammers use human nature to their advantage, and why do people fall for it?
I was at Barnes & Noble looking for a book to read for an upcoming camping trip when I came across this book. I had actually gone to Barnes & Noble in a last-minute search to find a good book on programming that delved into theory rather than practical application and how-to (they didn’t have anything like that). I found Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails nestled in with a heap of books with titles like “Teach Yourself Java in 24 Hours.” The subject of the book caught my attention right away. I flipped through the book and hemmed and hawed about the price ($35.00, but you can probably get it cheaper on Amazon). I even took a couple more laps around the store, but kept coming back to this book. Eventually, I decided to buy it, and I am glad that I did.
Christopher Hadnagy and Michele Fincher show us how email phishing plays on human emotional responses to get people to divulge valuable and sensitive information that can cost money, compromise security, and cause embarrassment for everyone involved. Hadnagy and Fincher explain that phishers play on fear, greed, ignorance, gullibility, and respect for authority to convince people to take action that might not be in their best interests.
In this book, phishing attacks are categorized by their level of sophistication, from very low-level attacks like the Nigerian 419 scam all the way up to highly sophisticated attacks known as spear phishing, which target executives and other high-level individuals. Hadnagy and Fincher then discuss how each type of attack can be identified by looking for the themes common to it, and show how these different types of attacks have been employed successfully in real-world situations, such as the Target payment systems breach.
After a thorough introduction to the common types of phishing schemes, Hadnagy and Fincher dive into the psychological aspects of how and why phishing works, namely cognitive bias and a technique known as amygdala hijacking. The authors point out that we are pre-programmed by our environment to make certain types of decisions a certain way. This is a cognitive bias. It makes it easier for us to make decisions quickly. Imagine if we had to weigh all of the facts every time we made a decision. Trips to the grocery store would be agonizing. This bread has more fiber, but this other bread has fewer calories per slice. Which do we choose? Our cognitive bias tells us we have always eaten Wonder Bread, so we grab a loaf. We like the way the package looks. Problem solved, and the outcome is harmless.
But what about an email that comes from our bank? It has their logo. They have never lied to us. We follow the link and enter our credentials. Except this wasn’t a message from our bank, and the page where we entered our credentials was actually a fake designed to trick us into giving away our login credentials. Our cognitive bias blinded us to all of the warning signs because it was triggered by branding that we knew and trusted. In this scenario, the outcome is definitely harmful. Hadnagy and Fincher explain that phishing scammers employ cognitive bias to trick us into making decisions that have harmful outcomes.
Amygdala hijacking is the second major psychological factor in phishing that the authors discuss. By generating an emotional response, phishers are able to short-circuit our ability to think logically. For instance, imagine you get an email that says someone has run a background check on you. You haven’t done anything wrong, so you have no need to worry. But you cannot suppress your emotional response. Why is someone doing this? What are they hoping to find out? What if they know something that I don’t? All of these are completely irrational questions when you consider that no background check agency has a responsibility to notify you that a check was run in the first place. Hadnagy and Fincher share methods for overcoming a hijacked amygdala and for coaching others to employ these methods.
After discussing how and why phishing works, the authors discuss methods to protect against phishing, such as sandboxing emails, hovering over links to reveal their real URLs, and reading email headers. For experienced IT folks, these methods might seem like no-brainers, but keep in mind that this book aims to show you how to teach others as much as it aims to teach you. Admittedly, I found myself questioning what I really knew about emails and how they work as I read this book, and I came to the realization that, like many people, I take email for granted and put very little thought into it.
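Two of the manual habits listed above, hovering over a link to see where it really goes and reading the headers, can be turned into mechanical checks. The script below is an added example written for this review, not code from the book or its authors; the message it inspects is constructed, and the domains in it are placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the link text shows the bank's
# domain while the href points elsewhere, and Return-Path != From domain.
SAMPLE_EMAIL = """\
From: "Example Bank Alerts" <alerts@example-bank.com>
Return-Path: <bounce-1234@mail.relay-example.net>
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a sign-in from a new device.</p>
<a href="http://example-bank.com.verify-login.example/auth">https://www.example-bank.com/login</a>
<p><a href="https://www.example-bank.com/help">Help centre</a></p></body></html>
"""

def _domain(addr):
    # Lower-cased domain part of an RFC 5322 address, '' if absent.
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

class _LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_mismatches(html_body):
    # Links whose shown text is a URL on one host but whose real target is another.
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(text, urlparse(href).hostname) for text, href in parser.links
            if "://" in text and urlparse(text).hostname != urlparse(href).hostname]

def check_message(raw):
    # Returns (from_domain, return_path_domain, [(shown_text, real_host), ...]).
    msg = message_from_string(raw, policy=policy.default)
    return (_domain(msg["From"]), _domain(msg["Return-Path"]),
            link_mismatches(msg.get_content()))
```

A differing Return-Path is common for legitimate bulk mail, so treat it as a prompt to look closer rather than proof of phishing; a visible URL whose host differs from the href host is a much stronger signal.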
The real meat and potatoes of this book is the multi-chapter discussion of how to design and implement a penetration testing program that will help you evaluate the competency of the target group and train its members to become better at spotting phishing attacks. What I like most about this book is the emphasis on hands-on training techniques, running live phishing simulations rather than endlessly sending volumes of policies and hours of computer-based training to employees in the hope that they will absorb something from it. I have personally observed companies do little more than issue a new policy or a training after a phishing attack in the hope that the policy or training will get their message across and resolve the problem once and for all. The problem with this is that, unlike a policy about time and attendance, where it makes sense to put the burden of reviewing and understanding the policy on the employee, a phishing attack harms the entire company. It simply is not good enough to place the burden of understanding the issue on the employee. Companies need to do more to ensure that employees truly understand how to spot a phishing attack and what to do about it.
Hadnagy and Fincher review how to design a phishing campaign, how to gather baseline data, and how to track progress with meaningful statistics. I appreciate the authors’ emphasis on ensuring that the experience is positive for everyone involved, and that every effort should be made to avoid embarrassing someone or causing them psychological harm. Believe it or not, some people really do believe that embarrassment is an effective training tool, so this does not go without saying.
My only criticism of this book is the discussion of software choices for launching a phishing education campaign. This chapter will be outdated in no time and could have been left out altogether. If you come across this review a few years after this book has been released and are trying to decide whether you should pony up for the brand new second edition or a used copy of the first edition, keep in mind that the most significant update to this book will be the discussion of software. Hadnagy himself points out that many of the themes used by phishers have been around for hundreds of years. They aren’t going anywhere, and the discussion of those schemes will still be relevant for years to come.
Do I recommend this book? You bet I do, and I will be using the lessons that I have learned from this book to make myself, my family, and the organizations that I provide information security services to more secure against phishing attacks. If you are an IT professional, business owner, or manager, do yourself a favor and get a copy of this book. The day it will take you to read this book will change your perspective on how to protect yourself and your business from phishing attacks.