Phishing 2.0: How to Stop Cyberattacks Even Pros Can’t Catch
The information gap is broadening. According to Ivanti’s 2023 Press Reset cybersecurity report, over 50% of surveyed security professionals said their organizations hadn’t experienced a phishing incident in the last 24 months – despite virtually every organization getting phished in 2022!
In this webinar, Ivanti’s Chris Goettl sat down with Josh Hohbein, Information Security Lead at CentrexIT, and AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, to discuss ways to take your anti-phishing program to the next level.
They went over:
- Generative AI’s impact on phishing – and how your training must evolve with new tactics.
- Why your organization’s security culture drives your anti-phishing program success.
- Simple ways to make your training more engaging and fun!
Additional webinar resources:
- Full Phishing 2.0 recording [YouTube]
- Press Reset: A 2023 Cybersecurity Status Report [Research]
- 9 Types of Phishing and Ransomware Attacks – And How to Identify Them [Blog]
- Patch Tuesday [Webinars]
Combat AI-based attacks with better training and technology
Cybercriminals are constantly evolving their strategies. Josh from CentrexIT said ChatGPT has become a go-to tool for producing realistic phishing emails.
“The biggest thing is generative AI is able to generate phishing emails that don't have the typos, misspellings or grammar errors that we're used to seeing,” Josh said.
When cybercriminals evolve, so should your training
Not only are phishing emails becoming more intricate, but the attempts are getting more creative and varied, increasing the need for continuous and comprehensive training.
“I think [user training] has to be a daily thing,” AJ from ZeroFox stated. “This has to be internalized. People have to internalize the threat, not be panicked and paranoid and afraid. But, you have to understand that threats exist all the time, that you are the target – people are the target.”
The panelists agreed that combining improved training with technologies such as mobile threat defense (MTD) and endpoint detection and response (EDR) solutions, which can filter and limit the number of phishing emails that reach employees, creates the most effective platform-based defense against even these new forms of phishing attacks.
Ultimately, AJ emphasized, “Security is a mindset; it's a culture. It just needs to be who you are.”
New phishing tactics should trigger a new organizational security culture
Great cybersecurity practices need to be a part of your organization’s culture, regardless of department or position.
This security-first culture means challenging leadership is accepted – and that no one is above mandatory security training or repercussions, including for anti-phishing programs.
“I think you need to do something where [the training] actually changes the culture. It’s not just a box you get to check off every year,” AJ added.
How to make anti-phish training an enjoyable, interactive experience – not punitive!
Even if you have mandatory annual training, it means nothing if your end users are flying through it just to check a box.
Josh suggested gamifying your phishing training to make it more interactive and keep employees engaged:
“You need to gamify [your security training], rather than making it a punishment, because security isn't punishment. The end goal is, you're trying to make your organization's maturity level better.
“For example, one thing that I've rolled out multiple times is a phishing game. We ask our users, ‘If you get a ridiculous phishing attempt or some obvious scam, don't click on anything but take a screenshot and then submit it.’
“We then show these real phishing emails to everyone in regular meetings. It makes a fun way for users to just get used to seeing the emails, their format and approaches, so they can spot them outside of training.”
Generative AI and advanced LLMs have changed the game for phishing. But more emphasis on training, tools like MTD, passwordless solutions and multifactor authentication, and finally getting users at all levels of your organization to care about cybersecurity best practices can help protect your organization – no matter what threat actors send your way.