Security Awareness

SMS Phishing Scam Results in Zendesk Data Breach

An SMS phishing attack on Zendesk employees allowed attackers to gain access to sensitive customer data. The data breach highlights the importance of implementing a defense-in-depth approach to security that includes multiple layers of protection against all forms of phishing.

Phishing is most commonly conducted via email; however, improvements in email security solutions have made it harder for malicious actors to get their emails delivered to inboxes. Advanced email security solutions such as SpamTitan incorporate many layers of protection, including machine-learning algorithms to predict novel phishing attacks. Advanced malware protection prevents the delivery of malicious files, combining signature-based antivirus engines with behavioral detection through sandboxing, and the solution also scans emails for malicious links and blocks those messages.

Over the past couple of years, there has been an increase in other forms of phishing that take advantage of the paucity of protection against malicious messages sent via the SMS network and instant messaging platforms and the lack of protection against voice phishing. Businesses typically lack technical defenses against these forms of phishing, which allows employees to be reached more easily.

SMS phishing – or smishing as it is commonly known – involves malicious SMS messages, typically including a link to a malicious website where credentials are harvested. This type of phishing is employed by many different threat actors, including a threat group known as 0ktapus. In 2022, the group conducted a campaign targeting more than 130 companies, including Twilio and Cloudflare. An analysis of the campaign revealed the group had successfully compromised at least 9,930 accounts at more than 130 organizations. That campaign saw credentials stolen as well as multi-factor authentication codes.

While it is currently unclear which threat actor was behind the attack on the customer service software provider Zendesk, the phishing attack was conducted via SMS messages. Zendesk has yet to make an official announcement, but the cryptocurrency trading firm Coinigy said it has been notified by Zendesk about the data breach and said it was informed that several Zendesk employee accounts were compromised, in what Coinigy said was “a sophisticated SMS phishing campaign”. Those accounts contained unstructured data from a logging platform from September to October 2022. Other cryptocurrency platforms appear to have also been affected.

SMS phishing takes advantage of a common hole in businesses’ security defenses that is difficult to address with technical solutions. The best defense against these attacks is security awareness training for employees. This is an area where TitanHQ can help. TitanHQ offers businesses a comprehensive security awareness training platform called SafeTitan, which provides training on all aspects of cybersecurity and phishing, including email phishing, SMS phishing, and voice phishing. The platform provides training in short modules of no more than 10 minutes, with the training content gamified to improve knowledge retention and make it enjoyable. Training courses can easily be developed and automated to provide constant training to employees, teaching them the signs of phishing and other malicious attacks and training them on how to respond when threats are encountered.

With phishing attacks becoming more sophisticated and taking many forms, it has never been more important for businesses to ensure that they have appropriate defenses in place, which should include spam filtering, web filtering, and security awareness training, all of which are provided by TitanHQ.

7 Benefits of Online Security Awareness Training

In recent years there has been a shift from classroom-based to online security awareness training. Although some of the shift is attributable to the social distancing requirements of the COVID-19 pandemic, it is noticeable that many organizations have not returned to classroom environments to deliver security awareness training having witnessed the benefits of providing training online.

This article discusses seven benefits of online security awareness training. Not all will apply to every organization, while other organizations may find more than seven benefits. If you would like to find out more about how online security awareness training could benefit your organization, do not hesitate to get in touch to request a free demo of SafeTitan´s security awareness training platform.

1. Online Training is Easier to Organize

Organizing large groups of employees to be in a classroom at the same time can be an administrative nightmare. Who is late? Who is absent? Who needs to leave early to attend a meeting? Who needs more training than time is available to provide? With online training, system administrators can remotely send training modules to each employee for them to complete in their own time.

2. The Completion of Training is Quantifiable

The completion of each module is recorded via a simple acknowledgement or the modules can have a quiz attached to them for employees to answer. This enables system administrators to see not only who has completed each training module, but also how much of the information has been absorbed in order to assess whether more training is required and on what subject(s).

3. Online Security Awareness Training Can be More Specialized

While it is not impossible to provide specialized security awareness training in a classroom environment, online security awareness training can be delivered by group or department according to their roles and any unique threats they may encounter. This may be particularly relevant for employees working in finance or with escalated administrator privileges.

4. Online Training Can Reach Remote Workforces

With classroom training, workforces in satellite offices or in the field may have to take considerably more time away from producing for the organization to attend training. Alternatively, organizations may have to send trainers and training materials out to remote workforces. Online security awareness training overcomes these issues by standardizing training across the whole workforce.

5. Micro-Training has Higher Retention Rates

It is difficult to find unbiased sources that prove online training has higher retention rates than classroom training; however, there is evidence to suggest that micro-training – which is only realistically providable via online training – is more effective for information retention due to the average adult having a maximum attention span of around twenty minutes.

6. Online Training Supports Greater Interaction

Interaction with the content of any security awareness training can help trainees better understand the content of the training, put it into context, and apply it in their daily roles. Due to the nature of online security awareness training, there are more opportunities for interactive training via (for example) videos, quizzes, and simulated phishing tests.

7. The Success of Online Training is Measurable

Online training platforms such as SafeTitan include enterprise-level reporting that demonstrates behavioral change and how this has improved organizational security. From these metrics, it is possible to calculate a monetary return on the investment in online security awareness training and facilitate informed decisions about security moving forward.

As mentioned previously, if you would like to know more about SafeTitan online security awareness training, do not hesitate to get in touch.

The Importance of Customizable Phishing Awareness Solutions

There is little doubt that the volume of phishing attacks is increasing and that phishing attacks are becoming more sophisticated. To counter the threat from phishing, many organizations are implementing phishing awareness solutions. However, some phishing awareness solutions fail to reduce the susceptibility of users in real-life scenarios.

The reason some phishing awareness solutions fail to reduce the susceptibility of users in real-life scenarios is that the solutions are provided with a library of phishing scenarios that does not reflect the organization´s operations, or whose scenarios are easy to spot as phishing simulations because they are delivered to an email address the apparent sender of the email would not be aware of.

For example, if an organization does not use Microsoft365, a simulated phishing email alerting a user that their Microsoft365 password is about to expire is going to easily be identified by the user as a test. Similarly, a simulated phishing email advising a user of unusual activity on their personal social media account is not going to be treated as genuine if sent to a corporate email address.

Limited Templates Can Result in a False Sense of Security

The other issue with phishing awareness solutions with fixed libraries of phishing scenarios is that, if an organization only uses the phishing templates appropriate for the organization´s operations, the organization has fewer scenarios to choose from, and the likelihood increases that users will recognize simulated phishing emails as a test because they have seen the simulations before.

When simulated phishing emails are easy to spot or the same tests are used repeatedly, employees score highly in phishing susceptibility tests – giving organizations a false sense of security that their “last line of defense” is stronger than it actually is. Consequently, phishing awareness solutions with fixed libraries could actually exacerbate the threat of phishing rather than help prevent it.

Many Solutions Also Overlook the Threat from Inside

An often overlooked threat from phishing exists when an external bad actor takes remote control of an employee´s corporate email account. Once in the control of an external bad actor, the corporate email account can be used to conduct spear phishing or business email compromise attacks on selected members of the workforce or to phish the entire workforce into revealing credentials.

However, despite the potential seriousness of the threat from inside, many phishing awareness solutions do not account for this possibility in phishing simulations. Therefore, any phishing awareness solution deployed by an organization not only has to be customizable to reflect the organization´s operations, but also to account for the possible threat from inside.

Customizable Phishing Awareness Solutions from SafeTitan

SafeTitan is an enterprise-scale security awareness training and phishing simulation platform within the TitanHQ portfolio of cybersecurity solutions. The phishing simulator includes more than 1,800 customizable templates for conducting real-life phishing tests on employees, with automatically generated training content delivered immediately if a user falls for a simulated phish.

With regard to the “threat from inside”, SafeTitan enables organizations to change the sender email address to a corporate email account with a simple modification to the organization´s SPF record, and every user interaction is recorded so that system administrators can identify repeat offenders, specific weaknesses, and high-risk departments to direct training where it is needed.

To find out more about SafeTitan´s customizable phishing awareness solutions, do not hesitate to get in touch to discuss your requirements with one of our security experts. Alternatively, you are invited to book a demo of SafeTitan in action to see how SafeTitan security awareness training can help protect your users and your organization from email-borne threats.

Which Laws Mandate Cybersecurity Awareness Training?

There are many states in which cybersecurity awareness training is mandated for state employees when they first start working for the state or when they reach a certain paygrade. In these states, training is usually developed and provided by the state´s Chief Technical Officer or a team working on the CTO´s behalf.

For private organizations, cybersecurity awareness training is usually optional unless the organization operates in a regulated industry which mandates cybersecurity awareness training or is a contractor to a federal agency – in which case the organization may be required to comply with various training requirements depending on the federal agency.

This article looks at some of the laws that mandate cybersecurity awareness training in regulated industries, some of the Rules that affect contractors to federal agencies, and the EU´s General Data Protection Regulation, which potentially mandates cybersecurity awareness training for every large organization that collects, maintains, or processes personal data relating to EU subjects.

The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires all financial institutions under the jurisdiction of the Federal Trade Commission to implement safeguards to protect consumer information. One of the required safeguards is an information security program (16 CFR §314.4), and one of the standards relating to the information security program requires organizations to:

“Implement policies and procedures to ensure that personnel are able to enact your information security program by:

(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by a risk assessment;

(2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;

(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and

(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.”

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act applies to most health plans, health care clearinghouses, healthcare providers, and organizations that provide a service for “Covered Entities” that involves the creation, receipt, storage, or transmission of “Protected Health Information” (individually identifiable health information and any identifiers maintained in the same record set).

Without exception, all Covered Entities and their “Business Associates” are required by 45 CFR §164.308 to “implement a security awareness and training program for all members of the workforce (including management)”. Although not specifying the frequency of training, the inclusion of the word “program” implies the cybersecurity awareness training should be ongoing.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard applies to all organizations that accept credit card payments. Throughout the Standard there are multiple references to data security that organizations need to take into account; however, in the context of mandated cybersecurity awareness training, §12.6 is the most relevant inasmuch as it states:

“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.”

Again, the inclusion of “program” implies that, rather than being a one-off event, cybersecurity awareness training should be ongoing. It should also be repeated whenever there is a change to policies and procedures or when a risk assessment identifies a need for refresher training. As with GLBA training and HIPAA training, it is also a requirement that PCI DSS training is documented.

FISMA, FedRAMP, DFARS, and CMMC

Every organization that supplies goods or services to a federal agency is required to implement a cybersecurity awareness training program. However, the content of the training can depend on what agency goods or services are being supplied to. For example, the requirements for providing services to the Department of Defense are more stringent than those of the Small Business Administration.

It is also the case that the training requirements are frequently changing to respond to evolving threats and advances in cybersecurity defenses. Therefore, organizations required to comply with mandated cybersecurity awareness training in order to supply federal agencies should review the pages relevant to the services and agencies they are supplying:

The General Data Protection Regulation (GDPR)

Although a European regulation, GDPR applies to most large organizations anywhere in the world that collect, maintain, and/or process personal information relating to EU citizens. Importantly, the EU citizen does not have to be in the EU at the time data is collected, maintained, and/or processed for the personal data to be covered by the regulation.

There are many training requirements within the Regulation, but their applicability can vary depending on the nature of an organization´s operations and can be limited to only personnel with access to personal data rather than the entire workforce. However, organizations transferring data between the US and EU may also need to comply with the Privacy Shield requirements.

How to Comply with Mandated Cybersecurity Awareness Training

Although different laws and regulations, many mandated training requirements share similar components. For example, organizations subject to any of the above will need to train workforces on password security, email security, and mobile device security. However, while many off-the-shelf training programs include these components as standard, it is important to implement a program that is relevant to your organization´s operations or that can be customized to be relevant to your organization´s workforce.

This is why organizations should evaluate the SafeTitan security awareness training and phishing simulation platform. SafeTitan gives organizations the opportunity to tailor a comprehensive library of training material to their unique requirements, conduct awareness tests and quizzes, and assess the impact of cybersecurity awareness training via an intuitive dashboard with a full reporting suite. To find out more, contact SafeTitan to request a demo of the platform in action.

5 Reasons Why Phishing Simulations Don´t Always Reflect Real Life

If your organization has tried to improve your workforce´s security awareness by using phishing simulation software but has found it ineffective in reducing susceptibility to phishing, there are several reasons why phishing simulations don´t always reflect real life.

Phishing simulation software is a great tool for improving a workforce´s security awareness, but it is not always as effective in real life as some vendors claim it to be. There are several reasons for this depending on the type of software deployed and the software´s capabilities.

Unrealistic Phishing Scenarios

Most phishing simulation software is provided with a library of phishing templates which are supposed to reflect real-life situations. Too often this isn´t the case. Many include topics users will likely ignore (e.g., HR policy updates) or “put aside to read later” but never get around to.

For this reason, simulated phishing emails don´t always get opened; or, if they do, the attachments or phishing links in the email are rarely interacted with (because users don´t care what the new dress code is). Consequently, the “pass rate” for phishing simulation tests is misleadingly high.

Repetitive Phishing Simulations

Another reason why pass rates can be misleadingly high is because the same phishing tests are used time and time again. This may be because the organization is limited in the number of templates it has to use or because they have no way of recording which tests have been used before.

The date on which phishing tests are sent can also be a giveaway that – for example – an email requesting a password reset is a phishing simulation. Consequently, an employee receiving a password reset request on the 2nd of each month knows not to interact with it.

Every Phish Gets Sent at the Same Time

A big issue with many phishing simulation solutions is that phishing tests are sent at the same time. As soon as one person realizes the phishing email they have just interacted with is a test, word spreads through the organization so everyone knows not to interact with the test email.

Because of the communication between employees and departments, the phishing simulation test returns a high pass rate. However, in real life, cybercriminals do not send warnings that everyone will receive a phishing email, so simultaneous phishing testing is fairly meaningless.

Emotional Triggers Are Not Sufficiently Granular

Most phishing awareness training revolves around the five emotional triggers of greed, loss, curiosity, helpfulness, and fear of missing out, yet many phishing templates lack the granularity to tempt recipients into interacting with them because they lack the right type of trigger.

For example, one employee may be more curious about playing in a department softball game than attending a department dinner (even though both would be categorized as social events), while another might be more inclined to an animal charity than a disaster relief charity.

Simulations are Too Often One-Step Events

Whereas the preceding four reasons why phishing simulations don´t always reflect real life are likely to skew phishing tests to show more positive results, the fact that they are too often one-step events can have the opposite effect and record an employee as susceptible when they are not.

An example of a one-step event is when an employee is sent a simulated phishing email with a link to click on. As soon as they click on the link, they are informed the email is a phishing test which they have failed. However, some phishing simulation solutions take the employee to a landing page where they are asked to complete login credentials.

The second step of asking for login credentials can often prompt the employee to consider whether or not this is a good idea. If they choose not to enter their credentials and report the email as a phish, the employee should be considered to have passed the phishing test – or at least passed with concerns about clicking on links in unsolicited emails.
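The three design points above (do not reuse a template on the same recipient, do not send every phish at the same moment, and do not treat a click alone as a fail) can be expressed as a small scheduler. The following Python is an added illustration written for this article, not SafeTitan´s or TitanHQ´s code; the employee names, template IDs, emotional-trigger labels, and outcome labels are constructed assumptions.

```python
"""Phishing-simulation scheduler: staggered sends, no repeated template per
recipient, and two-step scoring.  Added illustration, not vendor code."""
import random
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names and template IDs).
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin"]
TEMPLATES = {
    "T01": "curiosity",    # department social event
    "T02": "fear",         # password expiry notice
    "T03": "helpfulness",  # colleague asks for a favour
    "T04": "greed",        # bonus announcement
}
# Templates each recipient has already received in earlier rounds.
HISTORY = {"alice": {"T02"}, "bob": {"T02", "T03"}}
START = datetime(2023, 1, 2, 9, 0)   # constructed campaign window start
WINDOW_HOURS = 8                     # sends are spread across this window


@dataclass
class Send:
    recipient: str
    template: str
    trigger: str
    send_at: datetime


def schedule_burst(employees, templates, history, start, window_hours, rng):
    """Give each employee a template they have not seen and a random send
    time inside the window, so nobody gets the same phish at the same time."""
    plan = []
    for who in employees:
        seen = history.get(who, set())
        unused = sorted(t for t in templates if t not in seen)
        if not unused:
            continue  # library exhausted for this person: skip rather than repeat
        tmpl = rng.choice(unused)
        offset = timedelta(seconds=rng.uniform(0, window_hours * 3600))
        plan.append(Send(who, tmpl, templates[tmpl], start + offset))
    return sorted(plan, key=lambda s: s.send_at)


def no_repeats(plan, history):
    """True when no scheduled send reuses a template the recipient has seen."""
    return all(s.template not in history.get(s.recipient, set()) for s in plan)


def within_window(plan, start, window_hours):
    """True when every send falls inside [start, start + window]."""
    end = start + timedelta(hours=window_hours)
    return all(start <= s.send_at <= end for s in plan)


def spread_seconds(plan):
    """Seconds between the earliest and latest send; 0 means a simultaneous blast."""
    if len(plan) < 2:
        return 0.0
    return (plan[-1].send_at - plan[0].send_at).total_seconds()


def score(clicked, submitted_credentials, reported):
    """Two-step outcome.  Only handing over credentials is an outright fail;
    clicking, then declining the login page and reporting it, is a pass with
    a note to discuss link-clicking.  Labels are constructed assumptions."""
    if submitted_credentials:
        return "fail"
    if clicked and reported:
        return "pass_with_concern"
    if clicked:
        return "click_no_report"
    if reported:
        return "pass"
    return "no_interaction"


def demo_plan():
    """Deterministic plan for the constructed data (fixed seed)."""
    return schedule_burst(EMPLOYEES, TEMPLATES, HISTORY, START, WINDOW_HOURS,
                          random.Random(7))


if __name__ == "__main__":
    for s in demo_plan():
        print(f"{s.send_at:%H:%M:%S}  {s.recipient:<6} {s.template} ({s.trigger})")
```

Recording each `Send` (recipient, template, time) into the history after the round is what keeps the next round from repeating a template; the `score` function is where a platform decides that a reported click is not the same as surrendered credentials.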

If These Reasons Seem Familiar To You …

If these reasons why your existing phishing simulation software has not been effective in reducing employee susceptibility seem familiar to you, you might wish to consider SafeTitan – an enterprise-scale security awareness training and phishing simulation platform from TitanHQ. SafeTitan has the capabilities required to simulate real-life situations, and includes:

  • Customizable phishing templates, including the option to send phishing tests from internal sources.
  • An intuitive administration dashboard that shows which phishing tests have been sent to who and when.
  • A “burst” capability that sends a mixed selection of simulations to a mixed selection of the workforce at mixed intervals.
  • Granular reporting to identify which type of emotional trigger prompts interactions from each employee.
  • The option to add a second step to each simulation, plus a one-click plug-in to simplify the reporting of suspicious emails.

To find out more about SafeTitan or to organize a free demo of our phishing simulator in action, do not hesitate to get in touch. Our team of cybersecurity experts will be happy to answer any questions you have about reducing the susceptibility of your workforce to phishing emails and discuss any issues you have experienced in the past with phishing simulation software.

Why Your Cybersecurity Training Needs to be Flexible

Off-the-shelf cybersecurity training courses often claim to do a, b, and c, because they have done so in the past. These claims should come with the caveat that past performance is no guarantee of future results because it is very unlikely the exact same off-the-shelf cybersecurity training course will achieve the exact same results with a different audience.

Furthermore, in a different audience, there may be a different range of knowledge and susceptibilities – from employees who will click on any link in a Facebook post that arouses their curiosity to seasoned cyber-veterans who have experienced the consequences of a cyberattack and are always on alert for the next one.

Educating people about cybersecurity who are at different ends of the awareness spectrum is difficult when you attempt to use a “one-size-fits-all” training course. Social media devotees tend to think cybersecurity is the IT department´s problem, while seasoned veterans may not give training their full attention when they feel it is light and flimsy.

Consequently, cybersecurity training needs to be flexible so it can be tailored to appeal to everyone in the organization. But how do you convince a social media devotee to take responsibility for cybersecurity, or a seasoned veteran that the training is credible? The answer is a customizable security awareness platform with gamification capabilities.

Introducing SafeTitan

SafeTitan is a fully customizable security awareness training and phishing simulation platform that includes more than 1,800 phishing templates and more than 80 animated videos. Each phishing template can have training material automatically sent to employees if they fail to spot a phish, while each video can be followed by an editable quiz with varying difficulty levels.

If you have employees at either end of the awareness spectrum, you can tailor the platform´s capabilities to encourage them to engage with your cybersecurity training. For example:

  • Share a phishing link purporting to come from Facebook with social media devotees so they reveal their account login. Then take control of the account as any cybercriminal would (this is not illegal provided an employer does not use any information on the Facebook page to discriminate against an employee).
  • Change the SPF record in the platform so it appears an email to seasoned cyber-veterans requesting the donation of a (low value) Google Play gift card comes from a trusted work colleague. It is a good idea to let the “trusted colleague” know you are doing this and be ready to refund the cost of the gift cards.
  • For practically everybody else, send a phishing invitation to an after work free bar for employees who respond to the phishing email with their email username and password. You might still have to provide the free bar, but this will give you an opportunity to discuss why your employees fell for the phish – as well as reminding them to change their passwords in the morning.

It is surprising what you can do – and what you can achieve – with flexible cybersecurity training; and, if you would like to know more about the SafeTitan platform, do not hesitate to get in touch and request a free demo of SafeTitan in action.