I’m sure you know that phishing is a leading method of exploiting people by online criminals. In fact, it’s the way $47 million was stolen from Ubiquiti Networks in 2015 and $54 million was stolen from Austria’s FACC (a parts supplier to companies such as Boeing and Airbus) in 2016.
Chances are, either you or your organization has suffered a phishing attack. The question is, what should you do to keep from becoming a victim?
More than anything else, you need to train all your people, including (particularly?) the CEO and their direct reports. And the best way I know to do that is to actually send them test phishing attacks. There are commercial services you can subscribe to like Phishme or KnowBe4. Obviously, these service cost real, green dollars. And, you need to test people in a way that will encourage them to trust management. (I guarantee that surprise testing followed by public shaming will destroy trust.)
But now there’s another way that I just discovered: gophish an open source phishing test framework that was launched in early January 2016. gophish appears to be especially good for organizations that have a “do it yourself” culture and an intense desire to avoid spending money without a “no-brainer” business case.
By the way, in case you need help to make your business case, here are some current phishing stats I found over at the PCI Security Standards Council blog:
- 13% of the annual cybercrime cost globally for companies is due to phishing and social engineering.
- Phishing costs the average U.S. organization more than $3.7 million annually.
- Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally ‒ 16 million of which circumvent spam filters ‒ resulting in 8 million scam emails being opened.
Anyone out there want to take gophish out for a spin? Let me know what happens…