What is Phishme?
Phishme is the “good guy’s” answer to increasingly simple ways to throw malicious-link-infested email at our employees. An online service requiring no local infrastructure other than an Internet connection, Phishme mirrors the steps a cybercriminal might take to set up a phishing scam against your company. But there is one very important difference. Setting up and running a Phishme mailing actually reduces future risk of your users falling for fake bank, retailer, or company email requests to “click here.”
Using Phishme’s wizard-like approach, anyone can set up a phishing training mailing in minutes. Following the mailing, built-in reports provide statistics showing how many employees clicked on the provided link and, if this was one in a series of tests, trends showing whether the users are starting to think before they click.
Ease of Use (5 out of 5)
As an IT professional, I’m always ready to face the challenge of learning and configuring a new solution. However, there was little challenge in setting up Phishme. It is so simple, anyone can run tests, even with no technical skills. As long as you use the sample phishing pages and graphics, there is nothing to program, no HTML to write.
Figure 1 shows the Phishme scenarios page. This is the initial window, which appears immediately after login. A scenario is a test configured with a specific purpose, a list of employee email addresses, and one or more training pages. In this example, a couple of test scenarios my team had been experimenting with are listed. Let’s step through creating a new scenario.
Once you invoke the creation process, the first step is selecting the kind of test to run. Four predefined scenarios are included along with a user definition template, as depicted in Figure 2. I selected Password Survey, entered a title and description, and clicked Continue.
My next stop was the setup window. The header is shown in Figure 3. This is where I entered the email message subject and from address. I also selected one of my predefined recipient groups. Recipient groups contain lists of email addresses to which you send the training email. These addresses can be loaded from email server export files, so you don’t have to enter them manually.
The lower section of the setup window displays the format of the email message. The default message body for this scenario is shown in Figure 4. I added the company name, Erudio Security LLC, to make it look like this came from my security training company. The PasswordCheck link leads to a Phishme predefined page that asks for the user’s password. Click Here allows you to define your own training page to deliver your company’s message, including Phishme-supplied cartoon graphics, about why clicking on the link was a bad idea.
When I finished with the message body, I quickly stepped through the rest of the setup, including modifying the default password collection page (Figure 5) and deciding whether to include the special touch of adding one of the “bait” icons shown in Figure 6. I could have also used any Web page on the Internet by using Phishme to retrieve the desired page format from the target site. This enables me to use the actual Web page of any bank, financial institution, retailer, or other online enterprise to simulate phishing.
Finally, I was asked to schedule the test. I selected to run the test immediately, and clicked Save/Done. Within a few minutes, I received a confirmation message that the test was launched. I also received the test email, since I was in the Recipient Group. To make sure the user experience was what I expected, I opened the email, and clicked on the PasswordCheck link. The password collection Web page appeared, and I entered my user ID and password as shown in Figure 7.
If this had been a real phishing attack, clicking on Log In would likely have sent my user ID and password to the phisher’s server. However, something different happens in Phishme, as shown in Figure 8. This message can be modified.
The fact that the link was clicked was recorded for later reporting, but who clicked was not saved. Also, neither the account ID nor the password was recorded.
Price vs. Value (5 out of 5)
Cost is per email address tested, and was lower than I expected. For the ability to run as many tests as needed for 12,000 users during a 12 month period, the cost per tested email address was less than $5. When you consider the phishing-related risk involved when untrained users receive countless emails every year, a large percentage of which are spam, this is a very reasonable price.
User Acceptance/Privacy (5 out of 5)
Solutions like this can cause a plethora of problems stemming from the user belief that you are collecting data related to their behavior, data that could somehow be detrimental to their futures. Phishme provides the ability to collect click statistics without storing any personal user data. Personal user data is simply not collected.
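As an added example, not Phishme’s own code (the page does not describe how the Intrepidus Group implemented it), here is a small Python sketch of the reporting model the review describes: per-scenario click counts and click-rate trends across a series of tests, with the click itself recorded but neither the recipient’s identity nor any submitted credentials stored. The class and function names, the recipient addresses and the base URL are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ClickEvent:
    """What survives a click: the scenario, when, and whether a form was submitted.
    Deliberately no token, no address, no form contents (assumed design)."""
    scenario_id: str
    clicked_at: datetime
    submitted_form: bool


@dataclass
class Scenario:
    scenario_id: str
    title: str
    recipients: int = 0
    # Tokens alone, never paired with an address, so a click can be
    # recognised as genuine and de-duplicated without identifying the user.
    issued_tokens: set = field(default_factory=set)
    clicked_tokens: set = field(default_factory=set)
    clicks: list = field(default_factory=list)


class PhishingDrillTracker:
    """Hypothetical tracker: counts clicks per scenario without personal data."""

    def __init__(self):
        self.scenarios = {}

    def create_mailing(self, scenario_id, title, recipients, base_url):
        """Issue one unique link per recipient and return the (address, url)
        pairs for the mailer. The pairing is handed over and not retained."""
        scenario = Scenario(scenario_id, title, recipients=len(recipients))
        self.scenarios[scenario_id] = scenario
        merge = []
        for address in recipients:
            token = secrets.token_urlsafe(16)  # url-safe, no '/' characters
            scenario.issued_tokens.add(token)
            merge.append((address, f"{base_url}/{scenario_id}/{token}"))
        return merge

    def record_landing(self, scenario_id, token, form_fields=None, now=None):
        """Called when the training page is hit. Records the fact of the click;
        form_fields (user ID, password) are inspected only for presence."""
        scenario = self.scenarios[scenario_id]
        if token not in scenario.issued_tokens:
            return False  # not a link we sent; ignore
        scenario.clicked_tokens.add(token)
        scenario.clicks.append(
            ClickEvent(scenario_id, now or datetime.now(timezone.utc),
                       submitted_form=bool(form_fields))
        )
        return True

    def report(self, scenario_id):
        """The per-scenario statistics the review mentions."""
        s = self.scenarios[scenario_id]
        unique = len(s.clicked_tokens)
        return {
            "recipients": s.recipients,
            "unique_clicks": unique,
            "total_clicks": len(s.clicks),
            "click_rate": unique / s.recipients if s.recipients else 0.0,
            "form_submissions": sum(1 for c in s.clicks if c.submitted_form),
        }

    def trend(self, scenario_ids):
        """Click rate per round, for a series of tests run over time."""
        return [self.report(sid)["click_rate"] for sid in scenario_ids]


if __name__ == "__main__":
    tracker = PhishingDrillTracker()
    # Constructed recipient list and base URL for the demonstration.
    merge = tracker.create_mailing("round-1", "Password Survey",
                                   ["a@example.com", "b@example.com"],
                                   "https://training.example")
    first_token = merge[0][1].rsplit("/", 1)[1]
    tracker.record_landing("round-1", first_token,
                           {"userid": "a", "password": "hunter2"})
    print(tracker.report("round-1"))
```

The only object that links an address to a token is the merge list returned to the mailer; the tracker keeps a bare set of tokens, which is enough to reject stray hits and count unique clickers but not to say who they were, and the submitted password never reaches any stored record.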
The training messages can be tailored to your organization’s culture and HR requirements. If the message is conveyed in a spirit of fun instead of proverbial doom-and-gloom, this can be a positive addition to your security awareness efforts.
Innovation (5 out of 5)
I wish other security vendors were as pragmatic as the Intrepidus Group. To come up with Phishme, they looked at the tools available to the bad guys and tailored their functionality for use against them. Instead of a solution with the look and feel of just another security application, this delivers a simple way to deliver exactly what the phishers do. There is no difference. And the IT team doesn’t have to even be involved. This is a service that the HR staff, for example, could implement on their own as part of the company’s compliance training.
This is an outstanding product. It isn’t often that my entire security team agrees on the value of a control, but this is one of those times. Phishme is easy to use, well thought out, and a great way to use surprise, and maybe a little fun, to train users to be careful of what they click in email or IM messages.
This post is part of the series: Information Security Awareness