We all know that an ongoing challenge is to get all employees to ‘stop and think’ before following a link in an email or social media post, or indeed to pause before proceeding to download documents contained within an unexpected email. In our threat seascape, these are the equivalent of common carp, but new breeds of phish are constantly emerging in our seas.
Researchers have found one that is targeting hundreds of organisations. There are no requests to click on links or download documents here. Rather, the attack tricks people into granting permissions to an ‘upgrade’ app. The malicious app then goes to work reading and writing emails and changing inbox settings. This is known as a consent phishing attack.
Consent phishing uses open authorisation (OAuth) permission requests to trick people into granting access, which then allows an attacker to retrieve information from connected applications. While OAuth does not request passwords, it does grant permissions to information.
This then opens a broader debate about Bring Your Own Device (BYOD) policies and downloading and use of unauthorised applications, which we will explore in a different article.
The IT Security team’s world is dominated by controls, measures and monitoring protocols, which are essential in the prevention and/or detection of newly evolved attacks. It will be common practice to configure consent settings to only allow user consent for apps from verified publishers. No doubt apps are audited, ensuring they are only accessing data that is needed for the function of the app, and there is bound to be monitoring of third-party app behaviour.
Each of these measures will strengthen your organisational defences.
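One way to run the app audit described above, as an added example that is not from the original article: a Python check over an app-grant inventory that flags unverified publishers, mail-related permissions and names that imitate a sanctioned app. The scope names (modelled on Microsoft Graph), the allowlist and the sample inventory are assumptions constructed for illustration.

```python
"""Audit OAuth app grants for consent-phishing indicators (added example)."""
from difflib import SequenceMatcher

# Assumed scope names, modelled on Microsoft Graph delegated permissions.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
# Hypothetical allowlist: sanctioned app name -> publisher domain.
SANCTIONED = {"Contoso Calendar Sync": "contoso.example"}

# Constructed sample inventory; a real one would be exported from the identity provider.
GRANTS = [
    {"app": "Contoso Calendar Sync", "publisher": "contoso.example",
     "verified": True, "scopes": ["Calendars.Read"]},
    {"app": "Upgrade", "publisher": "upgrade-app.example", "verified": False,
     "scopes": ["Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"]},
    {"app": "Contoso Calender Sync", "publisher": "c0ntoso.example",
     "verified": False, "scopes": ["Mail.Read"]},
]

def lookalike_of(name, publisher):
    """Return the sanctioned app a grant imitates, or None."""
    for good_name, good_pub in SANCTIONED.items():
        ratio = SequenceMatcher(None, name.lower(), good_name.lower()).ratio()
        # A near-identical name from a different publisher is a spoofing signal.
        if ratio >= 0.85 and publisher != good_pub:
            return good_name
    return None

def audit(grants):
    """Return (app, reasons) for every grant that needs review, worst first."""
    findings = []
    for g in grants:
        reasons = []
        if not g["verified"]:
            reasons.append("unverified publisher")
        risky = sorted(HIGH_RISK_SCOPES & set(g["scopes"]))
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        imitated = lookalike_of(g["app"], g["publisher"])
        if imitated:
            reasons.append("name resembles sanctioned app '%s'" % imitated)
        if reasons:
            findings.append((g["app"], reasons))
    return sorted(findings, key=lambda f: len(f[1]), reverse=True)

if __name__ == "__main__":
    for app, reasons in audit(GRANTS):
        print(app, "->", "; ".join(reasons))
```

The same three checks map onto what an employee should look for on a consent screen: who published the app, what it is asking to access, and whether its name is quite what it claims to be.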
But what about your employees – do they think the threat is only present in those links to fake sites and documents containing malware? Has your training evolved along with the new threat seascape?
Are you confident that your employees know about consent phishing? Do they know what should be included on a consent screen? Do they know how to spot a fake domain name and spoofed app names?
Knowledge of these things may need to be improved across your organisation, but you can have confidence that you can build on your employees’ current cyber security skillset.
The greatest challenge remains in changing people’s behaviour – for example, getting people to ‘stop and think’ or to ‘pause before they proceed’ with any action.
After decades of successful phishing attacks, we are often still asked why people click on links and download documents. After all, employees know the risks and what they should do about them, and they have the skills to do it.
The reason we still face these challenges is that positive secure habits have not formed. Indeed, the ‘I accept’ cookie culture has worked against any IT Security team’s drive for secure habits. Research undertaken by PwC for the Department for Culture, Media and Sport shows that 25% of all people decide instantly on whether to accept a cookie notice. The drive for immediacy and fast-paced engagement with software and information is working in direct opposition to the messages of ‘think before…’ and ‘pause before…’.
In changing existing habits or embedding any new ones, people need to be surrounded with positive messages about why the change should happen. We need to hear about other people who have successfully changed their habits, and the change needs to be supported in the working environment, including through policies and procedures.
Human nature is fundamentally driven by competition and the need to succeed, so even small successes need to be acknowledged. So, one small tip that might result in a change is to regularly (i.e. monthly) tell people how many phishing attempts were stopped by your defences and how many suspicious emails were reported. You could even create an inter-team challenge to see which team can spot the newest phish in your seascape.
© The Security Company (International) Limited 2023