Getting to know the new lure sophistication classifications, and how they can help your next campaign.
In 2017, Symantec reported that phishing rates had increased across most industries and organisation sizes. News sites consistently report on the biggest and scariest malware attacks and data breaches, and then ultimately attribute the increased susceptibility to one of many new phishing trends. But what in fact constitutes a highly sophisticated phishing message? And how can this knowledge help you strategically plan and execute your next test campaigns?
Phishing is a no-holds-barred threat, and responsible companies take this risk seriously and prepare accordingly. As a CRA customer, you understand that the more that your end users are aware of the risk and are trained to identify the signs of a scam, the better they are able to mitigate the threat.
Of course, the cyber threat landscape is ever evolving, and our understanding must grow with it. It is never enough to conceptualise a criminal hacker without understanding the dimensions of his motivations and objectives.
In view of our dedication to continuous improvement, CRA has released new emails and new email classification levels, incorporating the latest research and learnings from current phishing trends.
This new content includes a focus on trending subject areas, like social media or file-sharing sites, as well as a focus on new techniques, like internal drive hyperlinks, and a greater variety of email attachments.
Strategy on: High, Medium, Low
In addition to the added email template content, CRA has enhanced its phishing platform to include email template classifications. All lures will now be classified as either low, medium, or high sophistication.
For training purposes, companies can begin their baseline testing with the lowest sophistication lures. From there, it is often most strategically efficient to slowly climb the steps of sophistication once your results prove that the testing group is prepared to advance to the next level.
What constitutes a higher sophistication message can range from increased design on a lure, to industry-honed messaging, to known attack vulnerabilities.
You will be able to see each lure's sophistication category in the email template list, or use the drop-down to sort by phishing type and then sophistication category to see what is available. We welcome you to review and explore these new messages. More will continue to be published on an ongoing basis, in each level of sophistication.
One more piece in the CRA toolkit
Lure sophistication is only one piece of the puzzle. Individual susceptibility can be linked to internal messaging, threats or rewards, even directives from authorities.
According to an UltraScan AGI 2013 report, in that year alone, the Prince of Nigeria scam netted $12.7 billion.
Rather than be incredulous as to the financial success of such a simple scam, it is important to understand the human complexity of factors behind social engineering. CRA developments in new lures, greater messaging choices, options for reporting, and new testing techniques will usher in greater opportunities to train and prepare your staff. We look forward to discussing these in the coming quarters.