
This is a repeat of a broadcast from last October, still relevant, especially in the light of so many current breaches which have begun not with technical weaknesses but with phishing and social engineering. In this deeper dive episode of...
A
The following is a repeat broadcast of Cybersecurity Today. Welcome to Cybersecurity Today, our Research Deeper Dive edition. We're trying to do one of these shows per month to take the time to do a deeper dive into a particular topic or an area of research essential to those who work in cybersecurity. Last month we covered some very interesting new research on phishing training and education. This research was sponsored by Beauceron Security. David Shipley, the head of Beauceron and a frequent co-host on our show, helped us cover that data. So we might have left it at that. We'd done the phishing thing. But right in the middle of cybersecurity month, stories have started to emerge about new, complex and frankly very successful phishing attacks. These new efforts combine AI, very complex setups, unique ways to build authenticity and flawless execution. One IT researcher confessed that he was almost fooled by a recent phishing attempt. And this guy's a pretty sophisticated and knowledgeable person. Whether an educated employee would be able to detect the new levels of phishing is an open question. Certainly these would blow by the average worker. But even without that new sophistication, phishing has been and continues to be a mainstay of cybersecurity attacks. It started clumsily and it's evolved. Attackers, even those with relatively unsophisticated attacks technically, are leveraging human psychology very effectively. And as I noted, it's become more sophisticated and more dangerous. So today David Shipley and I are going to take a deeper dive into phishing. Take a look at some of the research, let's understand it: what it really is, why it works and how it's evolved, and hopefully we give you some ideas about how we can combat it. Now, this is not a one-way exercise and, you know, after the show you can send me comments and ideas of your own, and hopefully we'll publish those if we can get some time on it.
If we do future shows, we'll get some input from you as well. That's my intro. Welcome David.
B
Thanks for having me.
A
Great. I've asked you to co-host this program not solely because you are one of the top 50 cybersecurity experts on LinkedIn. Congratulations, by the way.
B
Thank you so much. And it's an honor to be in the top 50 in Canada. I continue to work really hard to get into the top 50 globally, but there's some rigorous competition.
A
Absolutely. Hey, good for you though. The first time we hit the top 10 cybersecurity shows in North America and the UK, it was like, wow, you're the one out there listening. We're going to put that acumen to the test in this show. I didn't invite you because you got into the top 50 on LinkedIn. I asked you because you are, like me, a research and news junkie. This is also an area where you have a lot of hands-on experience. Beauceron's big gig in cybersecurity is phishing and things like that. So we're in the right spot.
B
Absolutely. I never imagined that in my career, from soldier to newspaper reporter to marketer, that I would become a fisher of men. But not in the religious term.
A
Yeah. Okay, we'll go back to cybersecurity, where we're probably on better ground. Let's talk about the history of this. You've done a little bit of work to describe the phishing history. Why don't you run us through some of that?
B
Yeah. Well, welcome back to Hacker History Story Time with David. But the very first phishing, the very first origin of phishing and the term, goes back to those noble, '70s, long-haired hippie hackers known as the phreaks. And so these are hackers who used to be incredibly good at getting telecommunication systems to do cool things like long distance calling. Hey kids, back in the day you used to have to pay an obnoxious amount to use the phone to call anybody anywhere distant. And people didn't want to do that because it made no sense.
A
And these phreaks you're talking about were Steve Jobs.
B
Absolutely. So Steve Jobs, Wozniak, the crew, anybody who was anybody back in the day, to get started, this is how you did your thing. Now when the Internet was first becoming popular, these phreaks actually looked at how could we get AOL logins. Now, for those not familiar, AOL was America Online. It was a dial-up Internet service that was not cheap. And again, these people didn't want to pay for long distance. They definitely didn't want to pay for Internet. And so they would figure out how to send emails to AOL subscribers: "We need to verify your username and password." And people had no idea and they gave it up. So this whole origin of phishing goes back to the way, way back time, the ancient time known as 1995. And so phishing is a portmanteau of phreaking and fishing, because they lured their victims in. And what's important to know is that phishing is at its core a form of social engineering, i.e. the expert use of emotional manipulation to get someone to do something that is in your interest and not theirs.
A
Okay. I have to say that when I look back on ancient history lessons and we're back in 1995, I feel old. That's all I'll say. You know, "Daddy, what did you do in the war?" "I hijacked people's phones and saved money on long distance." The romance is just gone. But anyway, back to phishing here. Let's talk about some examples of phishing. You've talked about its origins, and I went, close. Clever, actually. Thank you for the research on that. It started as a technical trick. It started to extend itself into areas where you were using emotional manipulation. And then we got email. Why don't we start there?
B
Yeah. So let's start with phishing in the form of email. So general phishing, it's like a large ship with a broad net trawling the ocean. They're looking to cast it as wide as possible and get what they can haul up relatively cheaply. It's not specifically targeted to you, including specific elements about you, your role, your Internet habits, et cetera. It's just tossing a grenade out there to see what floats up in the pond. And the next kind of phish is a spear phish. Now this is highly targeted to you. It uses things like your first name or your full name. It potentially comes from an address or a service provider or something you would know about, with topics that are highly relevant to you. And what people often make the mistake about is thinking that spear phishing implies a one-to-one attacker-to-victim relationship. Like it's craft phishing: we make each phish with love and care for each victim. It doesn't. You can mass spear phish. And thanks to AI, which we'll get into, and so many data breaches being out there, it's faster and easier to do this kind of spear phishing, but.
A
More sophisticated at times. Right. Your first level is the famed Nigerian prince. I send an email out to thousands of people. It may be stupid. Some people used to say that the reason why they put spelling mistakes in, so that only the people who are stupid enough to fall for it would go forward, was a filter. I don't know if that's true. But then you're saying we move on to spear phishing, which is where we start to get this targeting based on psychology, based on a real approach that's going to win people, or at least fool them, by appealing to their emotions, their psychological responses. Is that fair?
B
That is absolutely fair. And so I think we'll talk more about our hypothesis about why people click later, but spear phishing becomes dramatically more effective. Now, the next area of phishing is whaling, and this is also known as business email compromise. And yes, I acknowledge right now the inevitable comment that's about to come: whales are not fish. It's called whaling because you go after the big targets or the big paydays, with CEO impersonation or other key executives, CFOs, others, looking to do fraudulent wire transfers or payments. Now, a Ukrainian hacker once nicked over a hundred million dollars from Google and Apple using this technique with fake invoices. Eventually got caught because, by the way, kids, when you hit a hundred million, that's real money and the cops will hit them for you. A university almost lost $10 million to this kind of attack, where attackers created a fraudulent website for a construction company with a one-letter difference. They built up slow relationships with the accounts payable folks. Started with ten thousand, a hundred thousand, then got their ten million in. And by the grace of God and prompt police action and the university moving quickly, they were lucky. They got 10 million of the 11 million back. But it cost them a lot. Now, after whaling, which, by the way, some people do not consider business email compromise phishing. And I deeply disagree with the subcategorization. Phishing, at the end of the day, is about deception and lies that cause harm. So yes, they didn't get account credentials, they didn't install malware on an endpoint, but by God, did they hurt that business. Right? So BEC counts when we talk about.
A
Phishing. And I cannot agree with you more. The minute we start to tighten up our definition and get really tenacious about our definitions, we miss the fact that people are going to be incredibly creative and they're not going to follow the formula that we put out in a podcast.
B
Absolutely. And when you look at the damage, the FBI estimates it's almost $3 billion. That's three times the global ransomware take. This is an incredibly successful form of phishing. It's why I get so angry about some security tools talking about how they're phishing resistant. You're phishing resistant to one small portion of phishing. Not that you've solved phishing for everything. Now next we have a term that we've coined, sharking, and we are making a particular distinction about it. This is when criminals are using tragedies like war, natural disasters, or highly sensitive breaches like the recent Muah.AI AI-powered girlfriend chatbot, which, if you're not familiar, is an absolute smoking radioactive disaster. And it's called sharking because there's blood in the water and heightened emotions are at play. And sharking can be done generically or as a kind of really super awful spear phish.
A
You're not going to drop "AI-powered girlfriend chatbot" on us and not explain that somewhere through this, are you?
B
Oh, okay. So very briefly, there has been an extremely consequential data breach of this service. Troy Hunt's done an excellent job in his blog covering it. He has the data breach set. There are a lot of email addresses with workplaces, government, universities, tied to identities, tied to sexual preferences. You could imagine that this is 2024's answer to Ashley Madison. But worse, because some of the proclivities that people are describing in here could be best categorized as child sex abuse material. There is already criminal monetization of this, and you can bet there's a whole new category of insider threat created inside organizations because of this. And so if you're not tracking that one, I call it radioactive for a reason.
A
This is where you get to the wider definition of phishing and what its impact can be, which I would never dispute, because we always talk about how you phish to get credentials. I think phishing to get what the Russians would call a useful idiot, or a compromised individual, someone who is being blackmailed, someone on the inside of an organization who's being blackmailed, could be your biggest danger. And these sexual things or whatever are one of the ways to blackmail people. It's just one.
B
It's high-speed digital kompromat, where you've got the Russian word for compromising material. We have a new category, and this is something we're vaguely calling trolling attacks. And these are phishing campaigns purposely disguised as email spam. And they're designed to see what gets delivered inside an organization. It's almost like a bit of a sonar ping. What got in, who reported it? What address did we send to that then prompted a scan back on us, so we can eliminate them from the data set? Where did they click on an email? We saw one that was designed to attack a government institution. Looked like a Japanese knife set, had a typo, an extra U in the name. It was registered to a dot-homes domain. So it wasn't even for the knives, registered by Russians. Hi, we see you. And they were testing three different links in there to see which ones people would click on, the image, the text, and they went to different areas to track that. And it was incredibly clever. And so when we tell people to report something that seems weird or odd, don't worry whether they're reporting spam or phish, just have them report, have them say why they think they're reporting it so you have some context. But just forward everything.
A
And I don't want to drive us off track, but I'm getting a lot of texts from you Russians out there. So are these other ways of testing us?
B
They are. We'll get to that in a second, because phishing is no longer just about emails. One of the last.
A
Sorry to drag you off track, but.
B
Yeah, yeah, no worries. One of the last ones. And I'm now out of tired ocean references. We have an odd duck, see, I'm not done with the animal kingdom, called QR phishing or quishing, which I really hate. And we saw an explosion of these in the last few months of 2023 as attackers leveraged email templates that were often identical to the ones that were used to help people set up security tools like MFA on their phones. Criminals are clever, man. They use what people are familiar with; that helps them be successful. And the irony is not lost on anyone that they used what we were trying to teach people against them. Now, according to Microsoft's brand new, hot off the presses Digital Defense Report that dropped this week, QR code phishing skyrocketed up the charts. I feel like a radio announcer now. Number two with a bullet, to sit just underneath link-based phishing, which was 56%, at 25% of phishes in 2024. That's amazing. And it speaks to the rise in popularity of QR codes as a result of the pandemic and other things. So QR code phishing, it's here with a vengeance. Now that's a lot. And as you mentioned, phishing happens outside of emails. And here's where my eyes may begin to roll like a 14-year-old teenager's, because again we've gone crazy with more portmanteaus: vishing, which stands for voice phishing, which is ironic because phreaking was about telephones in the beginning part. But anyway, this is the end of the history lesson. This is best done still live, person to person. This is what caused havoc in the MGM breach. And now we're seeing more artificial intelligence cases involving voice cloning, particularly the so-called grandparent scams that use loved ones' voices and calls about desperate situations involving kidnapping, law enforcement, travel accidents and more. And vishing is sometimes combined with phishing. These are phishing emails with no links, attachments or reply purpose. Instead you're going to get a 1-800, 1-833, 1-888, pick-your-poison type number.
And usually a lure about your credit card being charged. Symantec, McAfee, Norton, Geek Squad, for several hundred dollars. Enough to piss you off. And once they get you on the phone they do things like remote access attacks, sending you a link in an email to get you to install malware or a remote access tool like TeamViewer or whatever, so they can really dig in, or they'll just steal your credit card information. But bad news bears with these telephone attack destinations, and again, not hacking the system, going after the person.
A
And also the killer thing on these is that they're exploiting a new behavior, which is that nobody answers their phone anymore. You wait till you get something and you click through and you return calls. And that's how I got caught on one of these. That number looks familiar, and I actually got somebody, and it was obvious from the first two minutes I didn't know this person. And they started to give me their story and I got out of there. But I can see on a busy day, or for somebody just not aware of this, how easily that sort of thing would work.
B
Absolutely. And remember, a lot of people at home have subscriptions to McAfee, to Norton, to LifeLock. They've used Geek Squad to set this up, and then they get this bill they're not expecting. It's not kiddersops. We're in a cost of living crisis. Everyone's budgets are pinched, credit cards are maxed out. Make no mistake, these are targeted for a reason. They're designed, and they've picked that number, with the same kind of thought and care that marketers use to try and sell us stuff. But in this case they're not trying to make us happy, they are trying to piss us off. When we get pissed off, our rational brain becomes impaired and our emotional responses take over. That's the name of the game. Now next we're going to get to what you were just referring to, which is text message based shenanigans known as smishing.
A
Yeah, this is even bending me to a point of going, how many names can we have for this stuff?
B
Absolutely. So text message phishing. Now this isn't a James Bond Soviet spy program. Seriously kids, if you're interested, look up SMERSH. It stands for SMS phishing. And what's fun is, I will note now that SMS is on the sunset, because this was the old-school way of sending multimedia messages, and we now have RCS coming our way. Does that mean the security awareness industry is going to have rickshaw RCS? God help me. But that's the state of the ways. And by the way, pick your poison: WhatsApp, Facebook Messenger, other ways, if it's an electronic form that I can communicate with you. LinkedIn. North Korea did a great job with LinkedIn and social engineering.
A
And it serves the initial point. And I'm glad we went through all of that, because it goes to the idea that I think we're putting together that it's not one particular tactic. They'll change their tactic and sometimes they'll go back to the old tactics, you know, so these attackers, whoever they are, are going to try lots of different things. This will not be the end of this invention. I just propose that no matter what we've said today, no matter how, and I think you really put a great list together, there's going to be one more and one more.
B
Right. Because, as we're going to get into with how it works, in this case the methodology is more important than the delivery mechanism, and the fact that it's deeply tied to how we're wired as human beings.
A
Okay, so let's talk about that. This phishing is really based on social engineering. Is that a fair piece, that I would say the core of all of this is that it manipulates us? You've talked about being pissed off. I'm going to do some anger work with you. That's not the only emotion. You've been in cybersecurity too long; you think that anger is the only emotion. There's also fear, there's shame, there's all kinds. But I think these people are experts at working on our emotions, right?
B
Absolutely. And what I will say, unfortunately for Star Wars fans, is that the dark side, the dark emotions, fear, disgust, anxiety, these are the quick and easy ways to power. And damn if they're not orders of magnitude more effective than dangling something positive, which is really interesting. So social engineering is at the core of things, but we're working on a new hypothesis. See, we're still in the research episode. So research starts with a hypothesis. And we're building a new research capacity to test this hypothesis around three primary reasons why people click. So we're actually building a phish failure survey into our platform. Actually, developers are coding right now, building new models to do this on a sample size for all our different organizations. And we'll be publishing this research in '25. So here's our hypothesis: that there are three buckets that we want to look at. The first is accidental. So this is where people see something come in the inbox, they meant to hover over it and then they clicked. Or they're super busy, they're distracted, there's too much going on in that inbox. They did not have intent. It was the nature and circumstances that were really leading to that. The second is what we're calling serendipity. And these are phishes that occur when people are actively expecting something similar. So you ordered something from Amazon Prime and then all of a sudden you get a phish that's related to Amazon Prime. And how does that influence your propensity to click on that, by how effective it is at mimicking what you were already primed to expect? And so that's just really interesting to see. It's also why we really encourage organizations to have policies that say keep your personal life in your Gmail, your Hotmail, your personal accounts; don't do your shopping at work.
A
And then I'm going to go over this, because we got one of these yesterday. I still haven't figured it out. I won't detract from that. We'll talk about tearing these apart later. But it just blew me away. Linda ordered something from the US, she was expecting it, and we got two customs-type emails for her to go back and apply and do some stuff. I have no idea whether they're true or not, but I just said we're not responding to that. And whatever it was arrived anyway. So we didn't do any great deep dives into that. But we got that delivery with no customs intervention at all. And yet we got letters from American customs and from Canadian customs, purportedly. I'm going to go back and look at the emails when I get some time. But this is clever. They know what you're ordering. They've figured this out, or they're getting it by chance, I don't know. But they're very good.
B
And this is where we're going to get into the dangers of big AI data sets and how smart they're getting. So we saw this spike of Amazon Prime impersonation domains and, in fairness to folks listening to this research episode, we don't know if those were created for security awareness platforms like Beauceron and others or by criminals, because just a bunch of them appeared, because we're all thinking the same thing. Everyone's gathering by the watering hole that is Prime Days. Now's the time to start picking off the antelopes. And so they time these things really well. They know that we're expecting these things. If they know from previous breaches that you are an Amazon shopper, you can be damn right. That's why data breaches that leak important context about your commercial relationships set people up for phishing, and this stuff gets fed into an ever more efficient criminal machine. Now, the third reason is the compelling emotional reason. And this is where social engineering really ramps up. And we can use a framework like Robert Cialdini's six Principles of Influence to understand how these are working. And by the way, these six principles of influence are well understood by criminals. They are researched, cited, and thought of on that side of things. And they are taught to defenders. We can talk a little bit about Cialdini's framework if you'd like.
A
These are things that are taught and they can do incredible things. The heart of magic is understanding how we do this. These things are much more powerful than you think. I think it'd be worthwhile just taking a walk through them, if you don't mind.
B
Absolutely. And one of the things I will say to this, for those who are technically oriented listening to this: what I'm describing to you with psychologies and techniques is to humans what understanding memory buffer overflows does for malware. If you understand the principles of the system that you're operating within and then can leverage those known vulnerabilities, that's the exact same play. It's just that we're talking about the hardware in the human skull. So let's start off with reciprocity. Reciprocity is innately tied to our instincts, and it varies from human to human, particularly around fairness. So we often feel obligated, when someone gives us something, to give back to them. And there's a famous study in the 1970s where a researcher sent Christmas cards, unsolicited Christmas cards, to a whole bunch of people. And 20% of people, with no idea who this person was, took the time to send them a Christmas card back. This is, again, research.
A
And if you want to see the power of this, simply stick your hand out to somebody and watch. They'll go to shake it. And if they don't, you'll be highly offended. That's simple behavior.
B
Absolutely. And so here's the phishing examples. Phishing emails might offer something seemingly valuable, free software, discounts, rewards, in exchange for some small, simple action like providing personal information or clicking on a link. And you might be thinking, right at this particular moment, "But David, don't marketers use this too?" Abso-freaking-lutely. It's the same principle. What's different here is intent and harm. A criminal is using the exact same tried and true marketing techniques, but they're going to cause you harm. Now you might see phishes that come to claim your free gift card worth $50: just fill out this survey to receive it. The survey takes you to a website, and maybe that's got malware or other things. So here the attacker provides a reward and is then enticing you to provide information. For example, they might ask you questions in a survey like what street did you grow up on, and what was the name of your first pet, which often people use either when creating their passwords or in their Facebook contest names. Scarcity is the next one. This is all about FOMO. We are literally wired as human beings to value something that is more scarce. If we think it's plentiful, we really don't care about it. And that's why you will hear again in marketing and advertising, "limited time offer, while supplies last." That is exactly the same approach here. And so, phishing example, they'll use urgency and scarcity to make you make fast decisions. For example, "your account is about to be suspended." Oh God, I'm going to miss out. This is terrible. I'm scared. Or it's something really enticing: "This Amazon gift card is going to expire tomorrow." So that's another example.
A
When the dock workers' strike was announced, what went out? Shelves disappeared. Toilet paper. Why? Toilet paper's made in Canada and the U.S.; it's not coming off the docks. But this whole idea of scarcity, gotta have it. And you can wipe out an entire supply chain with something that simple.
B
Absolutely. And by the way, this is where disinformation and market manipulation are all potentially part of this world now that we live in, in terms of causing buyer panics and market moving. In the '80s, it was all about boiler rooms trying to get people into penny stocks and other types of scams. That's The Wolf of Wall Street kind of shenanigans. This just happens by email now.
A
And this is also fear of loss, right? This is also driven by fear of loss, the thing that makes us do really stupid things. We'll hold on to stocks longer than we should, because we will do all kinds of things that are incredible behaviors. I once used a relatively minor example of this. I sold a $20 bill for $100 just by playing on the scarcity piece. People will buy amazing things if they think that they're limited in supply.
B
You've got to give it: this is capitalism taking advantage of human biases writ large. And criminals do the exact same thing. So next, this one's really powerful: authority. So people are much more likely to follow instructions from authoritative figures or institutions. We tend to trust individuals in positions of power. There may also be elements of, if I don't obey this person, survival instincts are going to kick in about your long-term prospects in your job, et cetera. Phishing example: it often is the BEC emails I mentioned before, impersonating executives, government officials, even IT personnel, to get people to comply. A common one: "This is the IT department. You must update your password to avoid account suspension. Click here to update." Bam. By the way, a much more interesting criminal innovation that seems to work really well is telling people "Click here to keep your password." The next is consistency. And consistency is all about how people tend to stick to their commitments and act in ways that are consistent with their past behavior. Once someone agrees to do something small, they're more likely to agree to larger requests. Remember that university attack I mentioned earlier? They started small: ten thousand, then it became a hundred thousand, then they went for the big payday. So attackers may often start with something small, seemingly harmless. For example, "Hey, it's your boss. Can you please send me your cell phone number?" And so you've now started to establish, you've given them something, they reply back, now you're going to get hit with the "Hey, thanks so much. Here's a text message to follow up. I really need you to buy me these gift cards. I'm currently in a meeting, you cannot possibly call me. Don't bother me again, I'm super busy. But just go buy me the cards, rub off the back of them and send me the codes." Because that's totally what I would do as a CEO.
A
When you bully people into obeying authority unquestioningly, we get what we deserve.
B
And we're going to talk about that in terms of the defenses, because some of these things will require more than a technology control. So, liking: people are more likely to be influenced by people they like or have something in common with. And so social engineers will often use flattery or shared interests to create that sense of rapport. I once watched an expert social engineer at a conference do this in real time. And he was listening to somebody. They were having a chat on the stage. And the ways that he was affirming what they had to say, he was slowly building up rapport. He was absolutely brilliant. And by the way, you might be thinking, "David, this is what con men have been doing since time immemorial." Absolutely. It's the exact same thing. And so this is where pig butchering scams and other things are foundationally linked into this. And that's how they build people up, all about that liking. Last but not least is social proof. And this one is the, if you're a parent, "if everybody was jumping off a bridge, would you join them too?" You've probably said that. Actually, your kid is literally hardwired.
A
Is the answer. That's why I rode my bike down that hill.
B
So if others are doing something, we think this must be the right choice, or we don't want to lose status among that group, which can actually be physically painful for us. So in phishing, for example, attackers may use testimonials or references. You see this all the time in crypto scams, right? "And look, all these people are doing this and making money." And by the way, Cialdini's techniques aren't like, I have to send one. Social proof, this is like a build your own adventure. I'm going to use a little bit of liking, a little bit of social proof. I'm going to use some FOMO and I'm gonna tune this sucker to be as effective as possible, and it works.
A
Really well, and you don't even have to double dog dare them. So that's a pretty good picture. And I think the point here is that, as you said, con men have been doing this from the beginning of time. These are foundational principles that people have talked about. Even if we think of ourselves as technical, it behooves us to actually start to think about these principles, because, as you pointed out, the technical part of phishing, I think personally, is a minor part. The psychological part, what you can get people to do, is the powerful part.
B
Absolutely. And let's go back. We started with simply emailing the person saying give me your username and password. So we've come a long way since 1995. We've had a proliferation of hacking tools that make it so fast and easy. Like the latest version of Evilginx now has got live MFA capture. There were service agencies, criminal as a service, operating a whole agency called OTP Agency to do this, outsource this work and get credentials and get access and then commit the crimes on top of it. So this isn't going away. And what we're seeing from the reporting that you've been covering is better and better phishes. Gone are the days of the Nigerian prince as the dominant form of phishing in the so called Nigerian scam, Nigerian lottery scams.
A
Yeah. And this is where we got to this topic this week. Was I. There was a couple. We covered them on the podcast and I've written some articles on them. These are incredibly sophisticated attacks. I'll phone you supposedly from Google and leave a message if you're not there. I'll send you a note saying that this is going to happen a week later. I'll call you and ask questions in a form that actually banks will legitimately ask you the questions. Have you been traveling? Because we've seen this or the other one that. But we've just received a death certificate and someone's trying to recapture your account. And there should be a special place in hell for people who manipulate the death of people. We've had two deaths in the family in the past two weeks. So phish me now if you want. I wish you to burn in hell. But I clicked on something I would not have normally clicked on. Thank God my endpoint security caught it as I was clicking on it because it was just. And it was sad news about your friend X. And these things are well constructed. They use. And I've talked a little bit about this. They're using Google Forms. So the return address of this form looks okay. That Google, let's Google something. And they. Okay. And these are really well done. As I pointed out, the one story we did think. I think I give the person credit to say I'm a tech researcher and I would have fallen for this. He just picked out one thing, as I did, and went that's wrong.
B
And I think you're onto something really important. As we move into what we can do about this. The first step here is to understand that falling victim to phishing has nothing to do with your intelligence. It has nothing to do with how smart you are. You could be unlucky. You could be human. But it is not about how smart you are.
A
Yeah. And it's not with not everything that you know. They're manipulating you at levels that. And our training has to reflect that. Let's talk about fighting back. And there are some things that I think people can do. I'm going to start with the technical because I think there are some elements that I can't see why we're not quicker to adopt those. One of them you'll talk about, I think for sure. MFA.
B
Yeah. So MFA absolutely raises the bar on phishing. And it has been an amazing addition to the tools that we have. It is, in an auto safety analogy, the equivalent of the introduction of airbags. In terms of the life saving nature and an improvement, this is a massive step forward. But the kind of MFA matters, right? In one way of fact, when we rushed MFA out in the first iterations and we optimized for convenience and we did text message MFA to phone numbers, we put a giant bullseye on phone providers, who now had the phone becoming the digital equivalent of the safety deposit box, and criminals knew it. And so we got into things like SIM swaps and other things targeting the infrastructure to attack the MFA. Now I'm not a purist, any form of MFA is better than no MFA. But the best kinds of MFA now are evolving to be app based MFA. And in particular when we first moved to app based MFA, a lot of organizations again maximized for convenience because this did introduce a lot of friction and a lot of complaining inside businesses and individual accounts. In fact, banks in Canada only in the last few years adopted it because they were stuck in this Canadian standoff trying to figure out if we make it more inconvenient at Big Bank A, they're all going to go to Big Bank B, so we couldn't possibly do this. And then eventually someone blinked and thank God where we're at. But initially it was all about push notifications. And then we had breaches like what happened to Okta where someone got MFA bombed. There were so many different push notifications. Eventually someone clicked to make the stop and the criminals got in. Number matching, which Microsoft has done, now requires a little bit more effort and is much more resilient. Great. But the last thing about MFA is now, like I mentioned with Evilginx, there is the opportunity to capture the digital keys that are often used to build and establish and automate trust associated with MFA logins, and so called session cookies.
And now how often we force people to MFA, how long we let those MFA tokens live, that's a new level. MFA was amazing. It was a sandbag against an incredible flood of social engineering. But the waters are now rising again with AI and other automation tools. So we need to think about new ways of doing this as well.
A
And I think these are stopgaps. Inevitably these make the person who's using them's life more difficult. They don't just make the attacker's life more difficult, which accounts for resistance. And I'm not opposed to them at all. Matter of fact, I would say in the current iteration of what we have for technology, if you're not willing to curse at some security method, if you're not angered at least once a day, you don't have appropriate security and that may be just something we have to suck it up, Buttercup. But there are better ways to do this. Passkeys. FIDO has come up with a new standard to make using passkeys more transferable, to be able to make them used between vendors, used between devices so that you can get that passkey. And if I've got it right a passkey is really the completion public key and a private key. It's probably the best way you're going to do it. Ties with biometrics so that you have no password to give away and you have an authentication which, I mean, I gotta have your phone in my hand, right?
B
Yeah. So couple of thoughts on passkeys. I think there's absolutely a use case in very specific scenarios where passkeys are absolutely what you should have. And then there's that usability challenge. Let's just step back and explain it. And by the way, one thing I don't like about the FIDO alliance is that they often say it's password less and I like to refer people back to it's usually less passwords because there still is some root central password somewhere that you still have access to as a human. And that's why I'm glad they've moved on from saying it was phishing proof to phishing resistance because they've been schooled a few times on that. Great. Let's talk about this. The public key infrastructure exchange is creating a machine password. That's what it is. It's a password you're not allowed to know. The machine technologist solution, human problem. Cut them out of the loop. Okay.
A
Forget what you don't know.
B
Can't give away to phishers which you never had in the first place. So that makes sense on a certain foundational level. But what are the trade offs? Because there's always trade offs. There's a reason passwords have been around for 60 years. They are a balance of convenience for the user and appropriate ask security. The time over evolution. What do I mean by that? For a lot of people, everyday folks, their threat model with respect to account security may now be more balanced towards Billy ran over his phone and his entire digital life is now gone. This goes back to the problem of transferability of those passwords. Right when the Silicon Valley what I like to call the silicon bias crowd computers better than humans. I'm not on that team. I'm just going to lay that line right here. They were like put it on the device. Can't trust the human. Put it on the device. The devices are fallible too, right? Imagine if all of your passwords were on your Windows PC that had CrowdStrike installed earlier this summer. Not a fun time for you.
A
Or if you're a LastPass user and they get compromised and they send you a note six months later saying, oh, by the way, we're encrypting all your passwords now you are whacking. I think we can sum this up. Don't fall in love with technology. It'll only break your heart. If that's your only barrier, then you have a bigger problem. And I think we would both agree on that.
B
Absolutely. And it presumes that someone somewhere is not going to think the next generation of malware to attack this problem. Yes, they will. Just like MFA was a sandbag wall built up against the flood. The cost will increase, which is good for all of us in terms of the cost of crime. But the root cause of cybercrime is not going away. We have an international system set up that is encouraging this crime. So we are taking Tylenol for a we. We live in the jungle, is my analogy. We live in a jungle full of dengue fever and other things. And we are taking Tylenol to manage our symptoms. We are not changing the environment. We are not doing structurally to become safer.
A
But likewise, this is not to diss any technological piece you can put in because the. It's like water flows downhill. Hackers go to the place where it's easiest. So anything you could do to inconvenience them. Unfortunately, we often inconvenience ourselves doing that. But anything you do is going to make you at least a little more safe. But. But reality is, some of the things we've talked about, the psychological impacts, the training, those things, and you've talked about culture, those types of things are the things we really also have to put in place.
B
Absolutely. So I look at my account security the same way I look at my RRSP. I have a diversified portfolio. Do I use a YubiKey for some things? Damn. Do I use my password manager for a lot of other stuff? Absolutely. And do I keep certain things in Mark one human brain only there. And with a lot of MFA. Abso freaking lutely. And that was what worked for me. So we've talked about technology controls, training, and I will specifically call out a wonderful research paper done in 2017 called Phishing Attacks using Mindfulness Techniques. And so this is Jensen et al, and it talks about the power of using emotional intelligence training. And they saw significant reductions in repeat susceptibility to phishing by teaching people to listen to their gut, to use emotional intelligence as a heuristic as you're evaluating emails. We have replicated that research. Over 8,000 population out of our hundreds of thousands of users. We looked at this group that took this training, their click rate before, their click rate after, and it reduced their further susceptibility by 50%. I have, I stand by that. Emotional intelligence, there's some great work coming out of Toronto Metropolitan University in 2021 that talks about some of these things and the limitations thereof. But emotional intelligence, listening to your gut, that is where we have to go. It can't just be about thinking about technical controls. Those are all important. This is the next layer. And then finally the workplace culture side.
A
And just call back to was the essence of this show that I'm trying to put together with you, which is if it's good, it's replicable and if it's not replicable, you need to understand why not for anybody who comes back to you and says this is that psychological, blah, blah, blah, whatever they say, no, this is something that gets results, it's proven in common practice. We've given you some examples and you've been able to replicate these effects.
B
Absolutely. I think they've done a wonderful job. I think there's so much more we have to learn. And that's the other part about science. Science isn't religion. It's not. All of a sudden we have found the answer. Amen. And we're there. It's dirty, it's mistaken written, it's iterative, it's complicated. But when it starts heading in a direction, you can orient towards that and see benefit from it. And then I want to move over lastly to workplace culture because so many people will say we're just going to put security tool a passkeys mfa and we've got our security awareness training provider and we've beaten people with modules. So we're done. No, listen very carefully about what I'm about to say next. Humans are human and you have to be humane to them. That means recognizing we are biological, making sure people are taking breaks, getting off of emails like the that it's okay to disconnect is not only now increasingly in Canada, important to comply with laws like what's in Ontario, but really smart from a security standpoint. I can tell you when people are tired, their clicks go up. When they're hangry, like I get hangry. Maybe I do Jim, have some angry issues I gotta work with. I'm a Maritimer. We got a lot of access to.
A
Grind, but it's good for you.
B
So spending time with people and actually having a snack program in your business might be the actual smartest thing you can do for cybersecurity this year and encourage assertiveness and questioning of authority. There's some phenomenal research in a different domain called the Dirty Dozen, which looked at the most common aircraft maintenance mistakes in aviation safety. And among the things they discovered in that groundbreaking research, which was created by a Canadian in Transport Canada, was that assertiveness and making sure that people felt like they could say, this isn't right. I can question this. That's really important. And it's why some cultures around the world are really getting hammered by social engineering based on things like saving face or losing face and perceptions of status and perceptions of authority. Social engineering has a cultural context to it as well. You can build this in your business. It's okay. And in fact, going back to the MGM breach, what's really important is your help. Desk staff needs to know it's okay to tell the CEO, I'm going to need more information before I unlock your account. And not only should the CEO be thanking them for it, they should actually be positively rewarded in their performance review for doing it, because they're doing what's going to make you more resilient to social engineering. So here, end of the sermon, as it were, on technology training and workplace culture.
A
You built culture with positive reinforcement. I'm not saying you don't have rules, you don't have. They don't have consequences. I'm not there. But also, here's the truth. Nobody reads your policies. And you can feel bad about that and you can say, didn't you read that? But you will get nowhere. My wife always says to me, when you're digging a hole, the thing to do is stop. And she's right. And when you find something that doesn't work, don't keep doing it harder. And I think, David, we'll leave it there with this idea of culture, but I think this is another place. And we'll leave this to the listeners. If you want to hear more about this, I think we should dig up some research on culture building and go over that for a future show.
B
Absolutely. And there is some phenomenal research. One of the most interesting pieces of research that was done in the last few years was on a survey instrument called the Human Aspects of Information Security, the HAIS-Q. And I studied this quite a bit over the last few years, trying to understand where things are at. It's inspired some of the work we do. Talks a little bit about elements that can be measured for culture. And we're actually working on a brand new security culture score and measurement and dashboard that'll take data that we have in our system and be much more transparent. There's a lot of vendor noise about security culture right now and it's really hard to replicate. So we have work to do worth.
A
Doing, worth doing a show on. So there you go. That's our show on this. I think it's an important topic. Hopefully we gave you something. If you talk to David Shipley for an hour, you don't get smarter. Shame on you. Thank you, David. It's been great doing the show with you.
B
Thanks, Jim, for the opportunity and happy end of Security Awareness Month to those.
A
Who celebrate and thank you to our listeners. You could be spending your weekend doing something else and you chose to, if you got this far, you chose to do that with us. We're pleased that you, if you liked it, but if there were things we could do and improve or suggestions that you got, we're all ears. So you can reach me at editorial@technewsday.ca. That's editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Podcast Information:
In this month's Cybersecurity Today episode, host Jim Love delves deep into the evolving landscape of phishing attacks, exploring their historical roots, psychological underpinnings, and the sophisticated techniques attackers employ today. Joined by David Shipley, head of Beauceron Security and a top-ranked cybersecurity expert on LinkedIn, the discussion aims to provide listeners with comprehensive insights and actionable defenses against advanced phishing threats.
David Shipley begins by tracing the origins of phishing back to the 1970s, highlighting its evolution from technical tricks to advanced social engineering tactics.
Origins in the 1970s:
First Recorded Use of "Phishing":
Jim and David categorize phishing techniques into various forms, each becoming increasingly sophisticated over time.
General Phishing:
Spear Phishing:
Targeting Executives:
Notable Incidents:
Exploiting Tragedies:
Example: AI-Powered Girlfriend Chatbot Breach:
Voice Phishing (Vishing):
SMS Phishing (Smishing):
A significant portion of the discussion focuses on the psychological tactics employed by phishers to manipulate human emotions and behaviors.
Core Emotions Targeted:
Robert Cialdini's Six Principles of Influence:
Phish Failure Survey:
Emotional Intelligence Training:
Jim and David discuss the latest advancements in phishing techniques, highlighting how AI and automation have elevated the threat level.
Advanced Email Templates:
Voice Cloning:
Combination of Techniques:
QR Code and RCS Phishing:
The conversation shifts to strategies and technologies that can help defend against the ever-evolving phishing landscape.
Importance of MFA:
Advanced MFA Techniques:
Public Key Infrastructure:
Usability Challenges:
Encouraging Assertiveness:
Diversified Security Measures:
A pivotal discussion revolves around the importance of fostering a resilient workplace culture to combat phishing.
Human-Centric Approaches:
Research on Security Culture:
Practical Measures:
Jim Love and David Shipley culminate the episode by emphasizing the multifaceted nature of phishing attacks and the necessity for a holistic defense strategy. Combining advanced technological measures with robust training programs and a supportive workplace culture forms the cornerstone of effective cybersecurity defenses.
Listeners are encouraged to integrate both technical and human-centric approaches to build a resilient defense against the increasingly sophisticated phishing threats.
Notable Quotes:
This comprehensive exploration into phishing attacks not only underscores their evolving complexity but also provides actionable insights for businesses and individuals to enhance their cybersecurity posture in an ever-riskier digital landscape.