Phear the Phish: How to Get Your Clients to Take Phishing Attacks Seriously
The goal of this article is simple: we want to help your MSP convey the seriousness of phishing attacks to end clients, so they take a more proactive and vigilant stance. As an MSP owner, you know all too well just how big of a problem phishing is for the business world, and how good threat actors have gotten at digital deception. So we’re not going to waste any breath convincing you.
Instead, we want to share some resources that we think will help you light a fire under your clients’ proverbial derrieres. Here’s how to get your clients to… PHEAR THE PHISH!
Stats Are OK, But Not the Best
Stats can be a good way to draw attention to the problem of phishing. They’re objective (well, depending on their source), serious-sounding, and they showcase your expertise and involvement in industry matters. Here are some good ones pertaining to phishing (gathered from here). These might give your clients pause:
84% of organizations fell for a phishing scam in 2022.
Employees at small businesses are 350% more likely to be targeted by phishing than those at enterprise-level companies.
A CEO, on average, is targeted by a phishing attack 57x/year.
But these statistics, by themselves, aren’t likely to create any radical shifts in your clients’ behaviors. It’s not your clients’ fault; it’s just how the human brain works. Study after study has shown that we remember information presented in a story much better than information presented in a purely factual manner.
Jennifer Aaker, a behavioral scientist at the Stanford Graduate School of Business, sheds light on this phenomenon:
“When most people advocate for an idea we think of a compelling argument, a fact or a figure. But research shows that our brains are not hard-wired to understand logic or retain facts for very long. Our brains are wired to understand and retain stories.” (source)
So true. Stories make an emotional impact, and that’s precisely the sort of impact you need to make if you want your clients to actually start behaving in a new way – in a more skeptical, alert, and vigilant way, to be specific.
To help you convey the serious threat that phishing attacks pose to your clients’ livelihoods, here are some resources that we’re confident will elicit a visceral response.
The Friendliest Hacker in the World
If you want your clients to wake up and smell the phish, there may be no better video on the internet to show them than this one (we recommend watching the whole video, but the link takes you to the craziest part).
It features Jessica Clark, an ‘ethical hacker.’ She meets with Kevin Roose, a journalist, at DEFCON, the world’s largest hacking convention held annually in Las Vegas. Roose gives her permission to demonstrate the power of social engineering. Her challenge: try to obtain Roose’s email from his phone provider.
What ensues is truly impressive, as well as downright terrifying. You can see the shift in Roose’s demeanor as Clark effortlessly persuades the customer service rep to divulge the journalist’s sensitive personal information. When Clark finishes, smiling and triumphant, Kevin says, “Holy sh–!”
We think your clients might have a similar reaction.
Tell Them About Roger Grimes
Like Jessica Clark, Roger Grimes is an ace hacker. And like Clark, Grimes uses his skills to help rather than hurt people. In his 30+ year career in cybersecurity, Grimes has encountered a lot of folks who are confident they can’t be phished. He then tells them to give him two weeks to see whether he can phish them. Want to know Grimes’ success rate?
100%.
That’s his own claim, at least: over multiple decades, Grimes has never failed to phish someone who challenged him to try. Not once.
This is scary. When a determined hacker decides to phish you, there’s a good – no, a great – chance they will succeed. As Grimes puts it, “Anyone can be tricked into clicking a link. We are just human.”
Even Grimes himself isn’t immune to phishing. So, in the spirit of using stories to motivate your clients to get proactive about cybersecurity, tell them this one:
Grimes got hired by KnowBe4, an IT security company, shortly after publishing Data-Driven Computer Security Defense. Grimes calls the book his “magnum opus.” Needless to say, he’s proud of it, and stands behind the claims made in that book, such as this one:
Social engineering is the leading root cause of malicious breaches, involved in 70-90% – and second place isn’t even close.
Anyway, Grimes received an email that appeared to come from his CEO. To give some context, Grimes knew his CEO had read his book and had hired him largely because of how much it had impressed him.
And yet, the email, which was sent out to the entire company, said that a new survey showed “unpatched software” to be the primary root cause of malicious breaches. It also provided a link to the survey details.
What?! Unpatched software! No way! That’s only a root cause in 20-40% of breaches!
Grimes was, as he himself admits, “incensed.” So he hurriedly clicked the link to see what preposterous study was peddling such a lie.
If he’d taken his time and hovered over the link, he would’ve seen that the URL was: “ThisisafakeURLtotestyou.”
This is a great story – read the extended version in Grimes’ own words here – because it illustrates the fact that anyone – even the savviest security professional – can be phished. It also shows the role that emotion plays; Grimes clicked the link because he was angry.
But if you tell your clients that anyone can be phished, might they not throw their hands in the air and say, “Well I guess I’m screwed then. What’s the point of trying?”
This is a legitimate concern, so it’s crucial to emphasize that cybersecurity isn’t about ‘all or nothing’; it’s about probability. It’s about mitigating and minimizing risk. So tell your clients this:
“No matter what you do, you can be phished – you’re only human, after all. But if you do nothing – or way less than is recommended by security experts – you WILL be phished.”
Emotion Leads to Motion
Emotion is at the heart of why phishing is so powerful. Like any type of social engineering, phishing preys upon our psychological tendencies – on our very humanness.
However, emotion is also at the heart of defending against phishing attacks. It’s not enough to get your clients to appreciate the dangers of phishing on an intellectual level. You have to get them to feel it. And you do that by sharing stories, not just stats.
Emotion leads to motion. The question is what type of motion. Emotions can lead your clients to click unsafe links. But if you do a good job of conveying the dangers of phishing, their emotions can also lead them to do the opposite: to be hyper-vigilant and ultra-skeptical of any message they receive with links, attachments, or requests for sensitive information.
And remember, the stronger your relationship with a client, the more readily they will consult your MSP before taking any questionable actions online. So build those relationships!
And get them emotionally involved in their own digital safety, because that’s the only way to empower them to make the right choices.
Thanks for reading and stay tuned for another cybersecurity-themed blog next week, as we wrap up #CybersecurityAwarenessMonth.
Stay safe out there, y’all!