March 28, 2013, 1:36 PM
Could you say no to these adorable kittens? Apparently, you’re not alone. Nearly half of all people who receive an email containing an image of a cute cat will automatically open it, according to security training firm PhishMe. But behind those fallacious felines lies danger – or at least, the potential for it.
The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today about how companies are using faux phishing attacks – including links to bogus cat videos – to teach employees how to handle real ones. Per Fowler:
Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.
Interestingly, last week I interviewed the CEO of a company that does just that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly small and medium-sized businesses to detect cyber attacks before they do any damage. Sjouwerman knows whereof he speaks: he is the founder of security software firm Sunbelt Software (now called ThreatTrack Security).
For months, Sjouwerman worked with famed hacker-turned-journalist Kevin Mitnick to devise phishing tricks that would fool all but the savviest users. He then sends these bogus emails to employees using a fake return address, and notes which ones take the bait.
Sjouwerman’s tests are tough. They’ll sometimes look like they came from the company’s HR department and contain information about employee benefits. But when employees click the link inside the message, they'll see something that looks like this:
Typically 20 to 30 percent of users automatically click on links and attachments in his test emails, says Sjouwerman. Those “phish-prone” users are the ones companies need to focus on training. KnowBe4 charges $15 to $20 per user annually to teach them how not to become victims. He says that after a few weeks of training the rate of people who reflexively click on potential phishing links drops by 70 to 80 percent.
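As an added illustration of the mechanics Sjouwerman describes (a unique bait link per employee, a note of who clicks, and a before-and-after comparison of the click rate), here is a small Python script. It is not KnowBe4's or PhishMe's code: the landing URL, the per-campaign HMAC key, the web-server log format and the ten recipients are all assumed or constructed for the example. The one design point worth taking from it is that the per-recipient token in the link is an HMAC rather than a counter or a bare hash of the address, so a curious employee cannot derive a colleague's link or forge a click on their behalf, and a stale token from an earlier campaign is not counted against the current one.

```python
"""Toy phishing-simulation tracker (added example, not a vendor's code).

Assumptions: a landing page at LANDING_URL records every hit as a
common-log-format line, and each campaign has its own secret key.
"""
import hashlib
import hmac
import re

# Hypothetical landing page that every bait link points at.
LANDING_URL = "https://training.example.com/landing"

# Hypothetical per-campaign secret; generate a real one with secrets.token_bytes(32).
CAMPAIGN_KEY = b"replace-me-with-a-random-per-campaign-key"


def tracking_token(campaign_id: str, email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC-SHA256 over campaign and recipient, truncated to 20 hex characters."""
    msg = f"{campaign_id}|{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def build_campaign(campaign_id: str, emails: list[str]) -> dict[str, str]:
    """Map each recipient's unique token back to the recipient address."""
    return {tracking_token(campaign_id, e): e for e in emails}


def bait_link(token: str) -> str:
    """The URL placed in the bogus 'HR benefits' email for one recipient."""
    return f"{LANDING_URL}?t={token}"


# Request path of a landing-page hit in a common-log-format line.
_CLICK_RE = re.compile(r'"GET /landing\?t=([0-9a-f]{20}) HTTP/1\.[01]"')


def clicked_recipients(log_lines: list[str], campaign: dict[str, str]) -> set[str]:
    """Recipients who followed their own bait link.

    Tokens not issued for this campaign (forged, or left over from an
    earlier campaign) are ignored, and repeat clicks by one person count once.
    """
    hit = set()
    for line in log_lines:
        m = _CLICK_RE.search(line)
        if m and m.group(1) in campaign:
            hit.add(campaign[m.group(1)])
    return hit


def phish_prone_rate(campaign: dict[str, str], log_lines: list[str]) -> float:
    """Fraction of recipients who took the bait (0.3 == 30 percent)."""
    return len(clicked_recipients(log_lines, campaign)) / len(campaign)


def reduction(before: float, after: float) -> float:
    """Fractional drop in click rate between two campaigns (0.75 == 75 percent)."""
    return 1.0 - after / before


def simulated_log(campaign_id: str, clickers: list[str], extra_lines=()) -> list[str]:
    """Constructed access-log lines for the users in `clickers` (test data, not real traffic)."""
    lines = [
        f'10.0.0.{i} - - [28/Mar/2013:13:36:00 +0000] '
        f'"GET /landing?t={tracking_token(campaign_id, e)} HTTP/1.1" 200 512'
        for i, e in enumerate(clickers, 1)
    ]
    return lines + list(extra_lines)


def demo() -> tuple[float, float, float]:
    """Two campaigns against the same constructed staff list, before and after training."""
    staff = [f"user{i}@corp.example" for i in range(1, 11)]  # constructed, 10 recipients
    before = build_campaign("2013-03-hr-benefits", staff)
    after = build_campaign("2013-04-hr-benefits", staff)

    # First run: four of ten click, one of them twice, plus one forged token that is rejected.
    forged = '10.0.0.99 - - [28/Mar/2013:13:40:00 +0000] "GET /landing?t=0000000000000000dead HTTP/1.1" 404 0'
    log1 = simulated_log("2013-03-hr-benefits", staff[:4] + [staff[0]], [forged])

    # After training: one of ten clicks; a stale March link clicked in April is not counted.
    stale = ('10.0.0.50 - - [30/Apr/2013:09:00:00 +0000] '
             f'"GET /landing?t={tracking_token("2013-03-hr-benefits", staff[1])} HTTP/1.1" 200 512')
    log2 = simulated_log("2013-04-hr-benefits", staff[:1], [stale])

    r1 = phish_prone_rate(before, log1)
    r2 = phish_prone_rate(after, log2)
    return r1, r2, reduction(r1, r2)


if __name__ == "__main__":
    r1, r2, drop = demo()
    print(f"before training: {r1:.0%} phish-prone, after: {r2:.0%}, drop: {drop:.0%}")
```

The constructed numbers are chosen to land inside the ranges quoted above (a 40 percent click rate falling to 10 percent, a 75 percent drop); the only real work is the token scheme and the log filter.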