{"id":16263,"date":"2019-09-09T08:10:05","date_gmt":"2019-09-09T16:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/09\/09\/news-10005\/"},"modified":"2019-09-09T08:10:05","modified_gmt":"2019-09-09T16:10:05","slug":"news-10005","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/09\/09\/news-10005\/","title":{"rendered":"When corporate communications look like a phish"},"content":{"rendered":"<p><strong>Credit to Author: William Tsing| Date: Mon, 09 Sep 2019 15:36:11 +0000<\/strong><\/p>\n<p>Many organizations will spend significant sums of money on <a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/02\/business-anti-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"phishing training (opens in a new tab)\">phishing training<\/a> for employees. Taking the form of regular awareness training, or even simulated phishes to test employee awareness, this is a common practice at larger companies.  <\/p>\n<p>However, even after training, a consistent baseline of employees will still click a malicious link from an unknown sender. 
Today, we&#8217;ll look at a potential reason why that might be: corporate communications often look like <a rel=\"noreferrer noopener\" aria-label=\"phishes (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\">phishes<\/a> themselves, causing confusion between legitimate and illegitimate senders.<\/p>\n<h3>Corporate communications templates<\/h3>\n<p>Below is an email template found on a <a rel=\"noreferrer noopener\" aria-label=\"Microsoft technet blog (opens in a new tab)\" href=\"https:\/\/blogs.technet.microsoft.com\/smeems\/2017\/12\/13\/protecting-email-ios-android\/\" target=\"_blank\">Microsoft technet blog<\/a>, used as an example of how a sysadmin can communicate with users.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"40319\" data-permalink=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/attachment\/notificationemail\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail.png\" data-orig-size=\"762,1024\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"notificationemail\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail-223x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail-446x600.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail-446x600.png\" alt=\"\" class=\"wp-image-40319\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail-446x600.png 446w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail-223x300.png 223w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/notificationemail.png 762w\" sizes=\"(max-width: 446px) 100vw, 446px\" \/><figcaption>https:\/\/blogs.technet.microsoft.com\/smeems\/2017\/12\/13\/protecting-email-ios-android\/<\/figcaption><\/figure>\n<p>While well-meaning and providing users with pretty good instructions, this template resembles phishing design in a few ways.<\/p>\n<ul>\n<li>The large &#8220;Action Required&#8221; in red with an exclamation point creates a false sense of urgency disproportionate to the information presented.<\/li>\n<li>There is no way provided to authenticate the message as legitimate corporate communications.<\/li>\n<li>The email presents all information at once on the same page, irrespective of relevance to an individual user.<\/li>\n<li>The link for assistance is at the bottom and suggests a generic mailbox rather than referencing a person to contact.<\/li>\n<\/ul>\n<p>So what&#8217;s the harm here? Surely a user can ignore some over-the-top design and take the intended message? One problem is that per <a rel=\"noreferrer noopener\" aria-label=\"Harvard Business Review (opens in a new tab)\" href=\"https:\/\/hbr.org\/2019\/01\/how-to-spend-way-less-time-on-email-every-day\" target=\"_blank\">Harvard Business Review<\/a>, the average office worker receives 120 emails per day.  When operating under consistent information overload, that worker is going to be taking cognitive shortcuts to reduce interactions with messages not relevant to them.  
<\/p>\n<p>So training the employee to respond reflexively to &#8220;Action Required&#8221; can cue them to do the same with <a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/06\/five-easy-ways-to-recognize-and-dispose-of-malicious-emails\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"malicious emails (opens in a new tab)\">malicious emails<\/a>. Including walls of text in the body of the email reinforces scanning for a call to action (especially links to click), and a lack of message authentication or human assistance ensures that if there&#8217;s any confusion about safety, the employee will err on the side of not asking for help.  <\/p>\n<p>Essentially, well-meaning communications with these design flaws train an overloaded employee to exhibit bad behaviors\u2014despite anti-phishing training\u2014and discourage seeking help. It&#8217;s no wonder that, <a rel=\"noreferrer noopener\" aria-label=\"according to the FBI (opens in a new tab)\" href=\"https:\/\/www.fbi.gov\/news\/stories\/business-e-mail-compromise-on-the-rise\" target=\"_blank\">according to the FBI<\/a>, losses from <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/11\/business-email-compromise-scam-costs-pathe-21-5-million\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"business email compromise (BEC) (opens in a new tab)\">business email compromise (BEC)<\/a> have increased by 1,300 percent since January 2015, and now total over $3 billion worldwide. 
<\/p>\n<p>With this background in mind, what happens when the employee gets a message like this?<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"40351\" data-permalink=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/attachment\/email_redacted\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted.png\" data-orig-size=\"986,736\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"email_redacted\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted-300x224.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted-600x448.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted-600x448.png\" alt=\"\" class=\"wp-image-40351\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted-600x448.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted-300x224.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/email_redacted.png 986w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"40322\" data-permalink=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/attachment\/screen-shot-2019-09-03-at-3-12-25-pm\/\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM.png\" data-orig-size=\"1282,946\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screen Shot 2019-09-03 at 3.12.25 PM\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM-300x221.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM-600x443.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM-600x443.png\" alt=\"paypal login notification\" class=\"wp-image-40322\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM-600x443.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM-300x221.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Screen-Shot-2019-09-03-at-3.12.25-PM.png 1282w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p>Of note is that both phishes are more accessible to a skimming reader than the Microsoft corporate notification, and the calls to action are less dramatic. The PayPal phish in particular has a passable logo and mimics the language of an actual account alert reasonably well.  <\/p>\n<p>A closer reader would spot incongruities right away: The first phish would be caught instantly. For the second, the sender domain does not belong to PayPal. 
If you copy the link and paste into a text editor, the link goes to an infected WordPress site rather than PayPal, and the boxed numbers with instructions look weird. But an employee receiving 120 emails a day is not a close reader. The phishes are &#8220;good enough.&#8221;  <\/p>\n<h3>A safer alternative<\/h3>\n<p>So how do we do better?  Let&#8217;s look at a notification email from AirBnB.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"40350\" data-permalink=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/attachment\/airbnb-new-payment-method-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1.png\" data-orig-size=\"1014,1206\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Airbnb-new-payment-method (1)\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1-252x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1-504x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1-504x600.png\" alt=\"\" class=\"wp-image-40350\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1-504x600.png 504w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1-252x300.png 252w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/09\/Airbnb-new-payment-method-1.png 1014w\" sizes=\"(max-width: 504px) 100vw, 504px\" \/><\/figure>\n<p>First and foremost, the notification is brief.  The entire content of relevance to the user is communicated in a single sentence, made large and bold for readability upfront. What follows are details for the end user to authenticate the transaction, listed in probable descending order of interest to the user.  <\/p>\n<p>Next is a clear path to obtain assistance, voiced in language suggestive of a person at the other end. Last is a brief explanation of why the user should consider the communication legitimate, with multiple use cases provided to set expectations.<\/p>\n<h3>The myth of the stupid user<\/h3>\n<p>Industry discussion of phishing and click-through rates centers largely around how awful and ignorant users are. Solutions proffered generally concern themselves with restricting email functionality, &#8220;effective&#8221; shame-and-blame punishments for clicking the malicious link, and repetitive phish training that neither aligns to how users engage with email, nor provides appropriate tools for responding to ambiguous emails, like the notification template above.  <\/p>\n<p>All of this is a waste of time and budget.<\/p>\n<p>If an organization has a &#8220;stupid user&#8221; problem, a more effective start to address it would be looking at design cues in that user&#8217;s environment. How many emails are they getting a day, and of those, how many look functionally identical? How many aren&#8217;t really relevant or useful to their job?  <\/p>\n<p>When network defenders send out communications to the company, do they look or feel like phishes? If the user gets a sketchy email, who&#8217;s available to help them? Do they know who that person is, if anyone?  Structuring employees&#8217; email loads along the lines below will both &#8220;smarten up&#8221; an employee quickly and cost nothing. Employees should:<\/p>\n<ul>\n<li>Have a light enough burden to engage critically with messages<\/li>\n<li>Get corporate comms tailored to their job requirements<\/li>\n<li>Have an easy way to authenticate that trusted senders are who they say they are<\/li>\n<li>Be able to get help with zero friction<\/li>\n<\/ul>\n<p>So before organizations engage in more wailing and gnashing of teeth over the &#8220;stupid user&#8221; and the cost of training and prevention, think for a long while on how communication happens in your company, where the pain points are, and how you can optimize that workflow.  <\/p>\n<p>After all, wouldn&#8217;t you like to get less email, too?<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/\">When corporate communications look like a phish<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Before organizations engage in gnashing of teeth over the &#8220;ignorant user&#8221; and the cost of training, think about how much email users encounter and whether corporate communications look like phishes themselves.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/09\/when-corporate-communications-look-like-a-phish\/\">When corporate communications look like a phish<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[18778,14347,1001,11140,22866,22867,13582,3924,22868,20086],"class_list":["post-16263","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-anti-phishing","tag-bec","tag-business","tag-business-email-compromise","tag-corporate-communications","tag-email-communications","tag-emails","tag-phishing","tag-phishing-training","tag-training-and-awareness-program"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16263"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16263\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}