Phishing Training Without Recurring Fees

I’m sure you know that phishing is a leading method online criminals use to exploit people. In fact, it’s the way $47 million was stolen from Ubiquiti Networks in 2015 and $54 million was stolen from Austria’s FACC (a parts supplier to companies such as Boeing and Airbus) in 2016.

Chances are, either you or your organization has suffered a phishing attack. The question is, what should you do to keep from becoming a victim?

More than anything else, you need to train all your people, including (particularly?) the CEO and their direct reports. And the best way I know to do that is to actually send them test phishing attacks. There are commercial services you can subscribe to, like PhishMe or KnowBe4. Obviously, these services cost real, green dollars. And you need to test people in a way that will encourage them to trust management. (I guarantee that surprise testing followed by public shaming will destroy trust.)

But now there’s another way that I just discovered: gophish, an open source phishing test framework that was launched in early January 2016. gophish appears to be especially good for organizations that have a “do it yourself” culture and an intense desire to avoid spending money without a “no-brainer” business case.

By the way, in case you need help to make your business case, here are some current phishing stats I found over at the PCI Security Standards Council blog:

  • 13% of the annual cybercrime cost globally for companies is due to phishing and social engineering.
  • Phishing costs the average U.S. organization more than $3.7 million annually.
  • Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally ‒ 16 million of which circumvent spam filters ‒ resulting in 8 million scam emails being opened.

Any­one out there want to take gophish out for a spin? Let me know what hap­pens…
