A fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program.
"We Phished Our Company"
The attendee was an IT admin. With the approval of management, IT created a phishing email and hosted its own bogus web site based on a real attack, then emailed every employee in the company. Employees who followed the link and completed the form received a subsequent email from IT advising them that they had fallen victim to a phishing attack and were now obligated to complete "remedial therapy", in the form of a mandatory 30 minute anti-phishing seminar after close of business.
Two weeks later, IT modified and re-attempted the phishing attack. The number of respondents was smaller. Again, employees who fell victim were required to attend the seminar.
IT now repeats the process routinely, and the number of phishing victims is now dramatically reduced.
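The mechanics behind the exercise above (a unique link per recipient, a bogus site that logs who clicked and who actually submitted the form, and a per-round comparison to see whether the numbers are falling) are easy to get wrong, so here is an added example of how the bookkeeping can be done. This is illustrative code written for this page, not the attendee's tool or anything from the original post. It assumes a Common Log Format access log from the hosted site, a landing page at `/login` that carries the recipient token in a `t=` query parameter, and a hypothetical `SAMPLE_TOKENS` map and constructed log lines standing in for a real campaign.

```python
"""Added example: tracking a self-phishing exercise from the bogus site's access log.

Hypothetical code, not the attendee's or the author's tool. Assumptions:
  - every recipient gets a unique token in the lure's link (issue_tokens),
  - the bogus site writes Common Log Format lines (constructed samples below),
  - GET /login?t=<token> means "clicked", POST /login?t=<token> means "submitted the form".
"""
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: fixed tokens so the log lines below are reproducible.
# In a real round use issue_tokens() so tokens are fresh and unguessable.
SAMPLE_TOKENS = {
    "k3x9Qa": "alice@example.com",
    "Pq7Lm2": "bob@example.com",
    "Zz1Rt8": "carol@example.com",
    "Hh4Vb6": "dave@example.com",
}

# Constructed access-log lines from the bogus site, first round.
ROUND1_LOG = """\
10.0.0.11 - - [11/Apr/2005:09:01:12 -0400] "GET /login?t=k3x9Qa HTTP/1.1" 200 1532
10.0.0.11 - - [11/Apr/2005:09:01:40 -0400] "POST /login?t=k3x9Qa HTTP/1.1" 302 0
10.0.0.12 - - [11/Apr/2005:09:03:05 -0400] "GET /login?t=Pq7Lm2 HTTP/1.1" 200 1532
10.0.0.13 - - [11/Apr/2005:09:05:22 -0400] "GET /login?t=Zz1Rt8 HTTP/1.1" 200 1532
10.0.0.13 - - [11/Apr/2005:09:05:51 -0400] "POST /login?t=Zz1Rt8 HTTP/1.1" 302 0
10.0.0.99 - - [11/Apr/2005:09:07:00 -0400] "GET /login?t=bogus HTTP/1.1" 200 1532
"""

# Constructed lines from the repeat round two weeks later (same tokens reused for brevity).
ROUND2_LOG = """\
10.0.0.13 - - [25/Apr/2005:10:12:01 -0400] "GET /login?t=Zz1Rt8 HTTP/1.1" 200 1532
10.0.0.13 - - [25/Apr/2005:10:12:30 -0400] "POST /login?t=Zz1Rt8 HTTP/1.1" 302 0
10.0.0.14 - - [25/Apr/2005:10:15:44 -0400] "GET /login?t=Hh4Vb6 HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def issue_tokens(employees):
    """Fresh, unguessable per-recipient tokens for a new round."""
    return {secrets.token_urlsafe(9): e for e in employees}


def analyze_round(log_text, tokens):
    """Return {employee: 'clicked' | 'submitted'} for everyone who responded to the lure.

    A GET of the landing page counts as a click; a POST of the form counts as a
    submission, which is the behaviour the seminar targets. Lines with unknown
    tokens (scanners, typos, curious outsiders) are ignored rather than counted.
    """
    outcome = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/login":
            continue
        token = parse_qs(url.query).get("t", [None])[0]
        employee = tokens.get(token)
        if employee is None:
            continue
        if m.group("method") == "POST":
            outcome[employee] = "submitted"
        else:
            outcome.setdefault(employee, "clicked")
    return outcome


def remediation_list(outcome):
    """Employees who completed the form and are therefore scheduled for the seminar."""
    return sorted(e for e, o in outcome.items() if o == "submitted")


def round_metrics(outcome, population):
    """Click and submission counts for one round, plus the submission rate."""
    clicked = sum(1 for o in outcome.values() if o in ("clicked", "submitted"))
    submitted = sum(1 for o in outcome.values() if o == "submitted")
    return {"population": population, "clicked": clicked,
            "submitted": submitted, "submit_rate": submitted / population}


def trend(rounds, population):
    """Per-round submission rates and the employees who fell for every round."""
    rates = [round_metrics(r, population)["submit_rate"] for r in rounds]
    seen = [set(remediation_list(r)) for r in rounds]
    repeats = set.intersection(*seen) if seen else set()
    return rates, sorted(repeats)


if __name__ == "__main__":
    r1 = analyze_round(ROUND1_LOG, SAMPLE_TOKENS)
    r2 = analyze_round(ROUND2_LOG, SAMPLE_TOKENS)
    print("round 1:", round_metrics(r1, len(SAMPLE_TOKENS)), remediation_list(r1))
    print("round 2:", round_metrics(r2, len(SAMPLE_TOKENS)), remediation_list(r2))
    print("trend:", trend([r1, r2], len(SAMPLE_TOKENS)))
```

Two details matter in practice. The token is what makes the count honest: without a per-recipient identifier you cannot tell a forwarded link or a security scanner from an employee, and the example drops unknown tokens for exactly that reason. And "clicked" and "submitted" are kept apart because only the second one demonstrates the behaviour the seminar is meant to change; reporting both lets IT see whether people are still opening the lure even as fewer of them fill in the form.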
I wish I could acknowledge the attendee since this is a simple but creative phishing countermeasure, and someone deserves kudos for dreaming it up. I'm just paying it forward...
Originally posted 11 April 2005 as http://www.securityskeptic.com/arc20050401.htm#BlogID383