As the manager of a security awareness team, whose primary goal is to educate users on how to spot phishing attacks, I often get asked, "Can you make the phishing simulations look like real-world phish?"
This is when I show people what real-world phishing attacks look like.
Because our SOC analyzes millions of phishing emails each year, we have a great data set to choose from. Beyond the phishing threats that we find on our own - whether phishing sites or phishing emails - the problem is that most of the real-world malicious phishing emails that get reported aren't very compelling or well done, which is why they got reported in the first place.
When I show our clients screenshots of real-world phishing attacks, they roll their eyes at how bad the majority of them are. Because of this, I recommend educating their employees with simulations that mirror real-world tactics, techniques, and procedures (TTPs) in some areas and improve on them in others.
Hacker's Tactics, Techniques, and Procedures: Mirror Some, Improve Others
If you have ever been to the gym, you have seen people who know less than you and are using equipment wrong, doing a lift dangerously due to lack of knowledge, or doing some crazy movement that just makes you nervous. I am sure I was that guy when I first started (and maybe occasionally still am as I try to expand my workout routines). One of the best ways to not be that person is to get a trainer, or, if you are cheap like me you can just watch people who are in great shape and do what they do…just not right behind them, right after them, or even the same day (that could get creepy).
Likewise, when it comes to the TTPs of cybercriminals, there are some aspects of their tactics worth mirroring and some that need to be improved upon to create beneficial phishing simulations. One tactic is topic selection, as cybercriminals' phishing attacks cover a wide gamut - from electronic voicemails, to tracking numbers, to docuphish, and more - all of which make great topics for phishing simulations because that is what our clients are going to see.
Keep in mind that not all phishing attacks are work-related, so we don't limit ourselves to work topics. I am a firm believer that the best way to prepare users for real-world phishing attacks is to replicate real-world scenarios by mirroring the topics in cybercriminals' phish.
However, many real-world phishing attacks fall short in the tactics of grammar, aesthetics, formatting, etc. Mirroring this weakness in my simulations would be doing our clients a disservice: there are organizations that offer to design better phishing attacks for cybercriminals, so our clients will eventually face sophisticated and polished phishing attacks. Therefore, I believe that if we test users with simulations that have better aesthetics, formatting, and grammar, they will be better prepared to spot both the easy and the professional phishing attacks.
Finally, one of the most effective tactics used by the best real-world phishing attacks, and one worth mirroring in our phishing simulations, is creating emotional engagement that elicits an emotional response instead of a rational one. Outside of obfuscation techniques, emotion plays the biggest role in the difficulty of a phish (real or simulated).
When I create phishing simulations, I use the level of emotional engagement, whether positive or negative (I refer to it as carrot or stick), as a determining factor in the difficulty rating of the simulation. I believe employees are better trained when phishing simulations cause an emotional response, replicating real-world scenarios and allowing practice under fire, so that when a real, emotionally charged phishing email comes in, they have learned to PAUSE and analyze the email before engaging with it.