
Psychology of the Phish

BSides Berlin · 2021 · 46:34 · 121 views · Published 2021-09

About this talk
Phishing remains the dominant attack vector despite sophisticated technical defenses. This talk examines phishing through a psychological lens, showing how attackers exploit Robert Cialdini's Seven Principles of Influence (reciprocity, scarcity, authority, consistency, consensus, liking and unity) to manipulate human behavior. Each principle is illustrated with an everyday example and a matching phishing lure. By understanding the behavioral foundations of successful phishing campaigns, security practitioners can design more effective awareness programs and administrative controls to complement technical ones such as spam filtering, SPF, DKIM and DMARC.
Original YouTube description

About the talk: According to the X-Force Threat Intelligence Index 2020, produced by IBM X-Force Incident Response and Intelligence Services, phishing is still the number one attack vector in use today. Security professionals often overlook the "social" aspect of "social engineering", focusing on tool deployment instead. The success of phishing is predicated on exploiting normal human behavior for nefarious purposes. This session looks at phishing through this psychological lens, specifically on how the Seven Principles of Influence as expounded by Robert Cialdini are leveraged by attackers.

About the speaker: Sourya is a Principal Security Consultant in the Risk Management & Governance (RM&G) practice at NCC Group, a security consulting firm headquartered and listed in the UK with a major and growing US subsidiary. He has 16+ years of experience in Information Risk and Security, and holds an undergrad degree in Information Technology from IIIT Calcutta and an MBA from the University of Notre Dame. He has several articles on cloud computing available online and served as technical editor for an authoritative textbook on the subject. He is a certified CISSP, CCSP, CISA, CISM, CRISC, CGEIT, PMP and also has several ITIL Intermediate certifications. He has spoken at BSidesSF, BSidesCT, BSidesOK, ISACA Conference, Secure360 and InfoSec World among others. His first job is being a father to two adorable and naughty munchkins, 4 and 3 years old.

Transcript [en]

yeah thank you everyone um thanks for the introduction one small change since i submitted this proposal and uh when it was accepted so uh i'm no longer a principal consultant i was actually promoted to director so that's that's a small change but again yeah it's as i'm happy to be here it's a pretty early where i'm uh right now i'm in chicago so it's uh 6 10 a.m in the morning uh on on on a saturday but i'm still happy to be here so uh without further ado i'll proceed with my presentation so uh the bunch of letters that you can see under my name there uh that shows i'm good at multiple choice exams

hopefully that translates me to being a better cyber city consultant because that's what i am as was mentioned in the introduction i have 16 plus years of experience in this domain and i worked both as a consultant as well as an operator in industry as in like a so being part of secret teams at different organizations so as an operator working uh working in industry working in security teams i worked at a top three us bank i worked at a very large uh e-commerce startup and as an advisor uh so i was i mean other than ncc group i had also worked with one of the big four forms and in in in that capacity i have been

fortunate enough to advise top 10 wall street banks as well as some very well known names in silicon valley now uh the the picture that you see on the left uh that is uh actually uh 11 years old i think so that's one example where uh i'm okay with using deprecated information which typically obviously we don't like in security right i mean if something is that old but uh now that you see see me on screen you can obviously see there is a lot of difference uh between how i look now and how i looked a decade earlier one thing you will obviously realize is that i'm not a psychologist right even though the topic

the title of the presentation says psychology of the fish and the reason i'm going to talk about this topic is one because it is interesting and something that i find personal personally interesting as well so it combines uh elements from my experiences as a consultant as well as a student during my mba days when i was when i was first introduced to these principles of influence during a class on leadership and organizational behavior so this presentation kind of combines lessons learned from both these experiences so before i uh move into the psychological elements of fishing right uh and how they're exploited by the cyber criminals i just want to take like a few mo a few minutes to discuss why is

fishing popular so i first want to kind of start over this quote by kevin mitnick obviously if you're in the security world you know who kevin mitnick is right so uh he said uh most of the computer compromises that we hear about use a technical spear phishing it's extremely difficult to defend against and the reason is that even with the most advanced of tools and technologies there's still the human element right which uh falls prey to fishing because if you think about it fishing uh being a part of social engineering uh its success is predicated on exploiting normal human behavior right so it's uh and i know you can't really change that a lot you can a bit by training an

awareness but not a lot and this is kind of the core message of this presentation so phishing by the numbers i mean if you have an email and obviously you too right who doesn't you must have received emails like this right where like uh dancers in distress or deposed princes they offer to kind of share a lot of wealth with you as long as you pay like a few thousand dollars in processing or euros or dollars or euros in processing fees now now an email like this is very easy to kind of detect that it is a phishing email right i mean the language is bad right the english grammar etc there are some obvious red flags

but you may have also received phishing emails which look like these on the right and these are much more sophisticated right i mean they're using the right logo they're using the right language and also run things through spell check so that uh the spelling errors are not there so you can you can see like uh phishing emails kind of span the maturity right of uh of the maturity spectrum right so so i mean it's not that they are always as immature as like princess offering you like millions but they can be much more subtle and much more nuanced and obviously much more effective so in terms of numbers and i even go back a few years you can see like 2017

76 percent of organizations were targeted by phishing emails personally i think that that number may be even higher today in 2017 around 1.4 million new phishing sites were created each month i have also linked the sources and i believe the presentations the recordings will be shared so you can always uh find them google them up so in 2018 phishing accounted for 32 percent of data breaches and 78 of cyber espionage and then the last data point that i have here unlike the previous ones the last one is sourced from law enforcement right so one well the source of information for the first three bullet points are industry reports and this one is by the u.s federal

bureau of investigation and they mentioned that in 2019 business email compromise which is a subset a kind of phishing attack cost more than 1.7 billion dollars in losses and this number i'm sure has gone up since then now the economics of email fraud that we obviously know that fishing is successful phishing is popular in the sense that there's a lot of it happening but why does it work why why is it popular well if you think about it the popularity of fishing is driven not only by its success but its success relative to its cost right so if you think of like being if you think of a legitimate business right you invest money you invest time you

invest effort and you get returns right so as long as these returns are more than what you put in that means the business is successful now i mean obviously uh phishing is not a legitimate business but sophisticated the cyber criminals operate it like a business in other words the time and effort that is put in and the results that are obtained the results are significantly more and that's why it it continues that's why the the business of phishing continues and here are some numbers so uh there was an actual experiment conducted uh and this was around 13 years back 2008. so researchers for university of california berkeley and university of california san diego they infiltrated

the storm botnet the botnet as you know is basically a a network of zombie computers right i mean they have taken over that i guess i've taken over control of the computers to run like mass campaigns like denial of service or even like fishing fishing campaigns and they uh the researchers took over they infiltrate the storm botnet and they used it to run fake spam campaigns i mean fake spam this is pretty much like same as fishing here spam may i mean when you see a spamming you think like it is kind of uh irritating but not harmful but here we are talking about a harmful use case so then they send 350 million emails

over 26 days and made these like 28 sales of around 100 each now if you think about it 350 million emails but only 28 seals right so that seems to be a very poor return of return on investment however think about it so even with that 0.001 percent response rate it was still yielding around 100 dollars a day which is obviously not much but the researchers used only one point five percent of the botnet so not the entire thing so if they had used 100 that hundred dollars per day would have actually resulted in seven thousand dollars per day which is obviously a pretty good uh amount of money and especially considering that the effort is not much right there is so

much automation and obviously now it has increased so due to like this mass emailing tools obviously i mean you can use them for legitimate purposes and mailing lists some of which are again legitimate i mean i mean when we when we sign up for things we often agree as for the terms of service that our email addresses can be shared and they are kind of bought and sold so that that's a legit uh example however in certain cases a lot of the information is also sold on the dark way which is illegitimate right but using those emailing tools right using those software as and those mailing lists that information about all of us it's quite inexpensive to carry out a

phishing campaign and you can see that the returns on investment can be very very high and that's why fishing is still there and continues to grow now for the core part of this presentation the seven principles of influence and how they are leveraged by cyber criminals so again i like to start off with a quote and this is uh a quote by john hancock i should have mentioned uh it's the u.s declaration of independence uh he was one of the one of the kind of founding fathers of the united states of america signed the declaration of independence and he once uh said the greatest ability in business is to get along with others and to influence their actions

so as i said a cyber criminals did treat phishing as a business right and that's why it is very important for them to to be able to influence people especially uh for for a business which involves influencing people to click on those fishing links so this work this this presentation is inspired by this person uh professor robert saldini so he he is kind of considered the guru of influence marketing and you can see uh from from the text on the screen that he has uh published a lot of bestsellers like best-selling books in this in this area and also advised very well loans like like google microsoft coca-cola etc so obviously you can see that unlike me

he is definitely a psychologist and this presentation leans heavily on his work so the principles of influence so dr saldini wrote a book where he talked about these uh principles of influence initially he he included six principles and he later on added a seventh principle i'll go through all of these and the way i'm going to do this is i'm going to talk about the principle right then i'm going to talk about how it is used in like um like in in in the world outside of fishing and then i'm going to talk about how this principle is leveraged in fishing itself so the first principle of reciprocity so this is very simple to understand right

it's like you give something and you expect something back right so if you do a favor you expect it to be reciprocated if someone else does you a favor that person also expects that you will do something good for them so there are some uh some very interesting uh uh nuances here right so if you want to um if you want to get something right to get a favor from somebody it's always good to kind of act first right so basically do that personal favor first and do it again and again so that you kind of create a bank of favors so that when you ask that person for something there's a less chance that that that

person is going to say no also another another interesting uh example uh is that let's say that you want to get something or get get a favor from something if you ask for a larger favor initially right and that person says no the possibility that if you ask for a smaller favor the possibility of that person saying yes is very high just because they refuse that larger favor they are more uh open to actually uh saying yes to this to the request for a smaller favor so some examples here uh dr salini the professor that i mentioned earlier he sent christmas cards to strangers right absolute strangers he doesn't know he didn't know them at all

and many of them sent him sent cards back so this is interesting right just because they received christmas cards they sent they sent them back right they send like they send the original sender they send that person cards as well so this is the principle of reciprocity in action also another example is that when people were asked to volunteer right and they were asked to volunteer let's say like a few hours every week over a year so so not a lot of people said yes right because it's a long term commitment however if they were asked for a few hours only for that week just because they refused the first request they were more amenable to

saying yes to the second request so an example in phishing an email promises to give you access to valuable information if an attachment is downloaded or a link is clicked right so something like click here to access your new salary right obviously we want to know our new salary and it says that if i click this link then i'll get access to the information so in other words i am doing something in the expectation of getting something right so this is this principle of reciprocity in action within fishing moving on to the next principle scarcity again you know there's something that we know uh know by intuition right i mean if people want what is difficult to get right i

mean something which is exclusive which has limited availability that is automatically perceived as being very valuable right and another uh like an interesting nuance to this is the fear of losing out is more than the joy of winning right so i mean obviously both are strong strong emotions i mean you feel happy at getting something the the disappointment that you get on losing out on something is actually more than that happiness which is very very interesting example in real life so television commercial ad advertised a product saying that okay over 500 sold right so that means obviously this is in demand however it it was more successful when it tricked the messaging and saying that only 25

left to sell in other words it is not only in high demand but there's this fear of losing out right so uh like people who are watching this commercial they don't want to lose out right as i said the fear of losing out the disappointment is more than the joy of winning and that's why they're more likely to call up the number and order this product now an example in phishing email stresses that an access is available only for certain action is taken so that means that you already have something but if you don't do something you will lose access to that right so as i said the fear of losing out right so this example install this microsoft

outlook patch to continue having access to your email in other words if you don't do it the the email is saying that you will lose access to your inbox obviously a phishing email and something that is very very successful because it uh leverages this principle of influence by the way i hope you uh the audience here likes those cat memes i have one for each of those seven principles principle three authority so people defer to authority right i mean even if it is whether it is actual or just like somebody's acting people want to want to follow leaders right uh and and we have seen this a lot right i mean unfortunately in wars right where

soldiers commit crimes right which they normally wouldn't do just because their leadership tells them to right i mean most perhaps the most most impactful example is the holocaust right where a lot of german soldiers committed crimes right just because of their leadership the the nazi military leadership asked them to and these people are the soldiers were obviously normal people good people in a lot of in a lot of instances but they just went along and did those bad stuff just because they were ordered to do so now uh there was an experiment conducted in 1961 much after the much of the second world war which basically validated this so uh this professor uh milgram he conducted an experiment where where

he had two sets of volunteers right one set was designated as prisoners and one as the the jail wardens right basically guarding those prisoners so what professor milgram showed is that if those if those volunteers were acting as the as the jailers if they were asked to behave cruelly to the prisoners right just because it came from someone in authority these people right not perfectly normal people who would normally be kind and everything they would they would actually do those stuff right they would actually behave cruelly to the volunteers who were acting as the prisoners they would behave badly with them they would torture them and everything just because they were asked to do so by someone in

authority now an example in phishing and this is that business email compromise that i mentioned excuse me email from the ceo not exactly from the ceo but somebody who is impersonating the ceo instructs accounts payable to make an unusual payment right so pay hundred and five thousand dollars or euros to buy wire transfer to this new vendor now just because that email seems to be coming from the ceo obviously an authority figure very high in the org structure there is a very high likelihood that someone in the accounts department is just going to act on that without really confirming whether this this email is legitimate again this is something which uh as i mentioned the the us federal bureau of

investigation recognizes as a very very uh potent and harmful uh kind of attack and uh and the losses are in the billions moving on to the next principle consistency so this is all about exploiting our normal behavior in terms of like the habits that we form right everyone is a creature of habit so i mean if if if you make a request which is consistent with how that person behaves normally right it is more likely that that person will say yes and an example uh uh and the example that i'll mention here so as i mentioned i live in chicago and there is a very exclusive restaurant called charlie charters so it was it was facing an

issue with no shows right so people would call up to reserve tables right but then their plans would change and they were just not sure obviously this is bad for the restaurant because if a table is is reserved it cannot be reserved by someone else right and obviously even if even if a customer walks in without a reservation they cannot be seated at that table because that table has already been reserved so what this restaurant did was when they would receive these telephone calls for for the reservations they would end the conversation by saying that okay if your plans change can you please call us to let us know to cancel the reservation so this is normally implied right i mean

uh that if plans change a customer should call but as you saw as as i mentioned this was not happening and that's why the restaurant was facing losses so they made this implied promise as some as something explicit right they said that can you please call see and when on and obviously the customer would say yes just the fact that the customer said yes right made them more likely to actually call up the restaurant the reason is that normal people right unlike politicians right if they make a promise they like to keep it so the fact that they said yes that yes i'll call if my plans change that made it a promise and people as i

said are more likely uh to kind of follow up if they make a promise that is normal behavior that is that is a habit and that's why this restaurant the this problem of no shows after reservations this problem reduced substantially now how this is used in phishing email from a familiar brand ask for confidential information right so something like uranus and package is on the way please click here to confirm your shipping address now pretty much all of us order stuff from amazon right so this is i mean this has become a habit so if we receive an email which shows that it is from amazon or looks like it we are less likely to really dig deep

and see that okay is this a legitimate email it's just that we expect emails from amazon to arrive right saying that okay your order is on the way and stuff like that and we are more likely to click on that phishing link i mean this this happens even if we have not actually ordered something on amazon we still receive an email which says that your order is on the way a lot of people will actually click that link just because it is by force of habit again this is a a psychological thing that is exploited by the cyber criminals principle five consensus this all about the power of the crowd right so people tend to follow the crowd if a lot of

people are doing something then well it must be good let's i should also do that so this is seen at like uh during riots right like mobs and everything as well as like people at a rock concert right so everybody is like moving like this or putting up their phone uh moving it around or moving around like the lighted screen so people people go along with the crowd so an example in marketing so tv commercial ended with the call to action that okay you've seen the product now if you want to order operators are standing by please call this number however their rival they were more successful by saying that if operators are busy please call again

in other words they're implying that a lot of people are buying our stuff right and that's why the phone lines are busy so that means the crowd is with us so you should also follow along an example in phishing an email says that how many of the recipients colleagues have already done something right so if you receive uh an email that okay 544 of your of 800 employees in your organizations have already updated their operating system click this link to download so the recipient feels that okay so many of my colleagues are doing this so this must be a legitimate thing so i should click as well right so uh i i love this meme especially which says i'll tell you

when to patch right meow so right now right meow again with the cat memes and again this is a tactic that is very very successful excuse me let me get a small drink of water

all right the the sixth principle of liking by the way this picture is from a very famous and popular american comedy series called friends and the reason i have it because this principle aligns very well with friendship so people make requests to people they like or those who like them right and because they feel that the chances of getting a positive response are higher right so i mean this is again this is like something that we know from common sense right so people like you right uh they will say yes to the request similarly if you want to be liked you are more likely to say yes to the requester so an example uh i mean here the example is

just the fact of life right i mean if you ask your spouse or partner for a favor and and typically you would ask them for a bigger favor than you would ask a colleague right of course that that depends that that may change based on how your relationship is with your spouse and how your relationship is with your colleague but in general you do can uh kind of ask bigger favors from your spouse so an example in phishing an email from hr i mean obviously not not actually from hr but which looks like it came from hr it asks a new employee for confidential information now this new employee is obviously eager to be liked right he or she wants to uh kind

of create a positive impact right from the beginning they want to be light right they want to be they want to be successful in their new workplace so if they receive an email asking for information they're more likely to say yes or respond or respond quickly so something like we don't have your ssn in our records can you please reply so uh cyber criminals actually exploit this right very much so they actually go dumpster diving right looking like discarded printouts to understand who the new employees are so that these new employees can specifically be targeted by emails like this which exploit this particular principle of influence called liking again something that is uh very very

successful now moving on to the last principle number seven called unity so this was not on the original list it was it was added later by uh dr saldini so this is all about how people identify with being part of different groups right so the idea is that more we identify ourselves with others the more we are influenced by them and politicians are really really good at exploiting this principle right so politicians always want to show that they are they are they are they're just like the people that they're asking votes from right so they always say that okay i'm just like you right and that's why recently uh uh you may have noticed that politicians are

very okay with opening up about their faults right so like if they have if they have taken drugs in college right or if they have like cheated they are open about it because it it it shows that they are just human right there that they have faults like a human so again this is this is how politicians basically leverage this principle of influence uh now another example that i would like to mention here so the same dr saldini right who who formulated these principles he once asked his students parents to complete a questionnaire but the the response rate was very low only around 20 then he offered one extra point right which if you think about it

one point on a single test right on a single on a single paper in one semester it's not really that important i mean if you think about like the four years of a typical college that i mean at least in the us right then one paper in one semester in across four years is inconsequential to the overall grade point overall grade or whatever the rating the student will get but just because uh he made that request and saying that he will do something uh positive for the students and obviously the students and parents are part of the same family the response rate jumped to 97 percent the reason is right because the parents they identify as being part of the same

family unit as their children obviously and that's why they want to do something good for them it's all about being part of the same group so in phishing it may be like an email from someone with a shared interest so an email says okay hello as a fellow cat lover can you please sign this petition obviously the fishers would do their research right they may actually go on social media to see that okay you're a cat lover or a dog lover right based on pictures on facebook so and then they can send very targeted phishing emails like this which basically says that okay you and me are very similar right and that's why why don't you do this for me so it's all

about as i mentioned being part of that group so these are uh the seven principles how they are used in in in life outside of fishing and then how they used in fishing as well now i want to take a few minutes to kind of discuss how you can protect yourself against fishing so first i would like to talk about the castle approach it is also called like the layered security or defense in depth but the idea is that um it's basically multiple layers of controls right to protect against attackers so what you see on screen uh that's like the the attackers from the medieval age and a castle which has those different controls such as um limited entry points

outer wall inner wall mouth guards checking identity etc so uh in other words this is like defense in depth with multiple layers so a similar approach is used today obviously uh the attacker has changed as has that treasure that is being safeguarded so earlier it may have been it may have been gold the castle itself now it is data right i mean important data and uh the attacker is obviously a hacker and similarly we have these different layers of controls they can be kind of segregated into administrative physical and technical controls right and here the csos the chief information security officers are the lords of the castle the castle being the enterprise the reason i mention this is because i

I want to address this question of protection against phishing through this lens of administrative, physical and technical controls. Well, physical controls: there aren't any, because unless you actually physically grab the person and prevent that person from clicking on the link, physical security controls don't really apply here. So I'm going to talk mainly about technical and administrative controls.

With technical controls there are many, and I'll quickly go through them; I'm not going to read the entire content, you can always look back at it later in the recording. You have different controls like spam filtering, which will flag certain keywords or blacklisted URLs. It can also do a checksum comparison to determine if that email is part of a mass email campaign, which is obviously a red flag that makes it a little risky. There's also IP blacklisting, which can block emails from specific IPs or IP ranges, such as North Korea. Under normal circumstances you won't be receiving any emails from North Korea; if you are, there is a very high likelihood it is a phishing email. Then you have a web proxy, which doesn't block the email itself but blocks access to the phishing sites, and it also executes any executable content like JavaScript and Flash in a sandbox environment, so it is not executed in that end user's browser and on that endpoint, that laptop. It just keeps it safer. So these are all different mechanisms to prevent or protect against phishing.

There are a few more. Sender Policy Framework, or SPF: this is authentication to detect if the sending address has been forged. DKIM, DomainKeys Identified Mail: this is also email authentication, and it goes beyond SPF; basically it checks whether that email is digitally signed and then verifies that digital signature. And then DMARC, Domain-based Message Authentication, Reporting and Conformance, which kind of combines SPF and DKIM, and again, based on the authentication, the administrator can actually specify what action needs to be taken: whether it can be delivered, whether it will be quarantined, or whether it will be blocked straight away.

The reason I mention all these tools is because in my experience as a consultant, a lot of organizations are actually pretty good at enabling these different tools. However, people still get phished; you hear about that all the time. Why does that happen? That happens because, as Bruce Schneier once said (and he is a pretty well known name in the security world, cryptography etc.), amateurs hack systems, professionals hack people.
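An added example, not from the talk, of how the SPF, DKIM and DMARC results described above turn into the delivery decision the administrator configures. It is a small Python script that reads a constructed Authentication-Results header and applies a constructed DMARC record with relaxed alignment; the organisational-domain check is simplified to the last two labels of the domain, which is an assumption (real implementations consult the public suffix list).

```python
"""DMARC-style disposition from SPF/DKIM results.

Added example, not from the talk. The Authentication-Results header,
the DMARC record and both messages are constructed samples; the
organisational-domain check is simplified to the last two labels.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record, as the owner of example.com would publish it
# in DNS at _dmarc.example.com.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"

# Constructed spoof: SPF and DKIM both "pass", but for the sender's own
# infrastructure (bulkmailer.test), not for the example.com shown in From:.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@bulkmailer.test;
 dkim=pass header.d=bulkmailer.test
From: "CEO" <ceo@example.com>
Subject: Urgent wire transfer

Please process the attached payment today.
"""

# Constructed legitimate message: DKIM signed by a subdomain of example.com,
# which relaxed alignment (adkim=r) accepts even though SPF failed.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=ceo@example.com;
 dkim=pass header.d=mail.example.com
From: "CEO" <ceo@example.com>
Subject: Board agenda

Agenda attached.
"""


def parse_dmarc_record(record):
    """Turn 'k=v; k=v' into a dict of DMARC tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplification (assumption): organisational domain = last two labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' strict (exact), 'r' relaxed (org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull SPF and DKIM results and their domains from Authentication-Results."""
    flat = " ".join(header.split())  # unfold the header
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^;\s]+)", flat)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^;\s]+)", flat)
    spf_res = (spf.group(1), spf.group(2).split("@")[-1]) if spf else None
    dkim_res = (dkim.group(1), dkim.group(2)) if dkim else None
    return spf_res, dkim_res


def dmarc_disposition(raw_message, dmarc_record):
    """Return 'deliver', 'quarantine' or 'reject' for the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    spf, dkim = parse_auth_results(msg.get("Authentication-Results", ""))
    tags = parse_dmarc_record(dmarc_record)
    # DMARC passes when at least one authenticated identifier aligns with From:
    spf_pass = bool(spf and spf[0] == "pass"
                    and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_pass = bool(dkim and dkim[0] == "pass"
                     and aligned(dkim[1], from_domain, tags.get("adkim", "r")))
    if spf_pass or dkim_pass:
        return "deliver"
    # Otherwise the policy the domain owner published decides.
    policy = tags.get("p", "none")
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    print(dmarc_disposition(SPOOFED_MESSAGE, DMARC_RECORD))  # quarantine
    print(dmarc_disposition(LEGIT_MESSAGE, DMARC_RECORD))    # deliver
```

The spoofed message is the case the speaker's "professionals hack people" point rests on: every technical check individually says "pass", and it is only the alignment with the visible From: domain, plus the published policy, that stops it reaching the accounts team.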

If you look at this cartoon, even with all the technology we still have human error, and as I said, phishing, as part of social engineering, exploits normal human behavior. That's why even with all these tools and technical controls people will still get phished. So how to stop that, or how to at least reduce that? That is where administrative controls come into play. Now, administrative controls are all about having the right rules, and also awareness and training.

A lot of you may be aware of this quote that I've mentioned at the top: I hear, I know; I see, I remember; I do, I understand. Now, nothing creates understanding of phishing like actually falling victim to a phishing attack; basically you learn from that experience. Obviously that's not an ideal situation, so the next best way to learn about phishing is to be subjected to phishing simulations. This is where the security person in the organization will send out mock phishing emails and see whether people actually click. If they do, then they provide additional training: okay, this is the reason you shouldn't have clicked, and this is the reason why you should have realized that this is a phishing email, or even suspected it to be a phishing email.

So my recommendation is that when these phishing simulations are being conducted, they should be irregularly conducted. You can't be consistent, sending out a mock phishing email on the last Friday of every month; then the employees will obviously realize, they will come to expect that this is going to happen, and they will easily detect that it is a mock phishing email. So these phishing simulations should be conducted irregularly, and they should leverage one or more of the principles of influence that I just went through, those seven principles, and anybody who clicks should be required to take additional training.

Some of the common indicators of phishing: if a sans-serif font is being used,

something like Arial, then the uppercase I (as in India) looks exactly like the lowercase l. In other words, if that email says "google" in Arial font, it may actually be saying g-o-o-g-I-e and not g-o-o-g-l-e. So again, these are some flags that organizations can train their employees to catch. Also, sometimes Unicode characters can resemble ASCII characters, so what you think is the letter a in the English alphabet may be something completely else. Nowadays browsers actually take care of a lot of these discrepancies, but in order to have that advantage the organization should mandate that employees always use the latest versions of the browsers. In general it is always good to distrust and verify, and the basic rule of thumb is: if it is too good to be true, it probably is.

Moving on to the last section of the presentation, anecdotes and lessons learned. Here I want to quote this rapper, who is very well known in the US. He once said, "I was never really good at anything except for the ability to learn." I think that really applies here. Personally, I want to mention some of the mistakes that I have seen and also made myself. So, this particular attack chain at a particular client of mine:
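An added example (not the speaker's) for the lookalike indicators mentioned a moment ago: uppercase I read as lowercase l in a sans-serif font, and Unicode characters that resemble ASCII ones. It is a Python check that a mail gateway or awareness tool could run over a sender domain. The watchlist of protected domains and the test domains are constructed, and the confusable map covers only a handful of characters as an illustration.

```python
"""Flag sender domains that render like a protected domain.

Added example, not from the talk. The watchlist and the sample domains are
constructed; the confusable map is deliberately small.
"""
import unicodedata

# Constructed watchlist of domains the organisation wants to protect.
PROTECTED_DOMAINS = {"google.com", "example.com", "paypal.com"}

# Characters that look alike in sans-serif fonts (I/l/1/|, O/0) plus a few
# Cyrillic letters drawn like Latin ones. Each maps to one canonical form.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
})


def script_of(char):
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    try:
        return unicodedata.name(char).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(domain):
    """Canonical form in which visually similar characters collapse together.

    Uppercase I is folded to l on purpose: on screen, in Arial, they are the same.
    """
    return domain.strip().rstrip(".").translate(CONFUSABLES).lower()


def lookalike_findings(domain):
    """Human-readable reasons why `domain` may be impersonating a protected one."""
    host = domain.strip().rstrip(".")
    findings = []
    if host.lower() in PROTECTED_DOMAINS:
        return findings  # the genuine domain itself
    # 1. Unicode characters outside ASCII, and which scripts are mixed in.
    non_ascii = sorted({c for c in host if ord(c) > 127})
    if non_ascii:
        scripts = sorted({script_of(c) for c in host if c.isalpha()})
        findings.append("non-ASCII characters %s; scripts used: %s"
                        % (non_ascii, ", ".join(scripts)))
    # 2. After collapsing confusables, does it match something on the watchlist?
    protected_skeletons = {skeleton(p): p for p in PROTECTED_DOMAINS}
    target = protected_skeletons.get(skeleton(host))
    if target:
        findings.append("renders like protected domain %s" % target)
    return findings


def is_suspicious(domain):
    return bool(lookalike_findings(domain))


if __name__ == "__main__":
    # Constructed samples: capital-I "googIe", Cyrillic-a "pаypal", digit-one "examp1e".
    for sample in ["google.com", "googIe.com", "p\u0430ypal.com", "examp1e.com", "github.com"]:
        print(sample, "->", lookalike_findings(sample) or "ok")
```

The two findings correspond to the two indicators in the talk: the first fires on the Unicode trick whether or not a watchlist domain is involved, the second catches the sans-serif trick, which is pure ASCII and would pass any encoding-based check.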

This is exactly the business email... sorry, not the business requirement. This is exactly what I see at a lot of my clients, not just one of them, and this is where executives, the senior people, are often more likely to click on phishing links. The reason is that a lot of these executives are not very tech savvy, even if they think that they are, and also because they are targeted more, just because of the fact that they have more privileged access. So an executive will possibly have more access to the different systems and will have more authority to decide on any payments or stuff like that than any new employee, and that's why they're targeted. In fact there's an actual term for this, called whaling. Whale as in the larger... By the way, the word phishing comes from actual fishing, as in f-i-s-h-i-n-g, fishing for information. So whales, they are the largest... well, technically whales are not fish, but they are the largest animals in the ocean, and these executives are called whales, and a specific phishing campaign targeting senior executives is called whaling. Even in casinos, like in Las Vegas in the US, the customers who are betting more than a million dollars are called whales. So basically a more attractive, larger target.

So again, the lesson to be learned here is that executives should definitely be covered in phishing simulations. In a previous life I used to run phishing simulations in an organization where the chairperson would click every time, and then they would get that message that you clicked, and the chairman wasn't happy. So he basically asked the CTO, the chief technology officer, who was my boss: hey, I shouldn't receive these emails. So the CTO asked me to please remove the chairman from the list of employees who would be receiving the phishing simulations. Now, as a junior employee, and obviously I wanted to keep my job, I had to listen, but again, this is not ideal behavior. The chairperson should know that they will receive a lot of these phishing emails, and not all of them would be the mock phishing emails that I would send, but something that criminals would send. So they shouldn't make this kind of request, that they shouldn't be included in this exercise.

The next example is this business email compromise, where the accounts payable received an email from the CEO saying make this wire transfer, and they did it just because it seemed to be coming from the CEO. But the lesson

to be learned here is that any external payments should always be verified. So let's say the accounts payable, the accounts department, receives an email from the CEO about this strange payment; they should ask for verification, and it should be in a different channel. So let's say the cyber criminals have actually hacked into the CEO's account. Now, if they send a request and the recipient asks for confirmation, they can send an email right back from the same account saying yes, I made the request, this is legitimate. So what is required is that the verification should be by some other channel, such as a phone, or maybe a Teams chat, or basically anything other than email. So that reduces the risk. It is always possible that the attacker has hacked everything: they have hacked the email, they have hacked Teams, they have hacked the messenger, whatever. So better to just call up that person. Even though with artificial intelligence you can replicate people's voices, obviously it is much more difficult, so the secondary verification reduces the chances of this particular kind of attack being successful.

The third example is for me. I once received an email which looked to be from Craigslist (that's what the symbol on the left is, they use that symbol) that said, okay, your account has been hacked, click here to change your password. I received that email on my phone, and I clicked and I changed my password. But then, I mean, I'm a security professional, so it kind of clicked: hey, let me look a little deeper, and then obviously I saw that it was not a legitimate email. So the lesson to be learned here is that even people who are experienced, who are typically more knowledgeable than the average person, can still get hacked; even security professionals get hacked. And the other lesson is that, because I was seeing this on a phone, which is a smaller screen, some of the red flags that I would

automatically detect on a laptop, on a larger screen, are not as visible on a smaller phone screen. So again, these are lessons learned from my experience.

In conclusion, I would like to end this presentation with a few core messages. One being: if click rates in phishing simulations are not going down. Ideally, once you do these phishing simulations, the rate of people clicking on the link should trend downwards, because people are learning from the exercise. If that is not happening, then obviously there's something that you should let senior management know. The second lesson is: if executives are repeatedly falling victim, don't excuse them from training and hope the problem goes away. I mean, unless the executives themselves specifically request it; there's only so much you can push, but yes, try to push back a little by stressing the fact that executives will obviously be targeted just because of the higher access, higher privileges that they have as compared to the average employee. And finally, even with all the tools, all the experience, all the knowledge, somebody within the industry, somebody who's working in a security team, can still suffer from confirmation bias. In other words, it's kind of difficult to be really impartial when gauging the effectiveness of your own work, so in that case it makes sense to bring in an outside expert (and obviously to keep people like me, as a cyber security consultant, employed), basically someone who comes and asks the tough questions and plays the role of the devil's advocate.

Finally, I would like to end with this message, and this is from Dilbert. A lot of you may actually read Dilbert; I think those cartoon strips are amazing in the current office environment. Scott Adams, the creator of Dilbert, once said: "You don't have to be a person of influence to be influential. In fact, the most influential people in my life are probably not even aware of the things they've taught me."

So I hope that you found this session to be somewhat influential. Thank you.
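An added example, not part of the talk, for the closing messages about phishing simulations: how a security team can check that click rates are actually trending down, flag repeat clickers (the chairperson of the anecdote) for the additional training the speaker recommends, and schedule the next campaign at an irregular interval so nobody comes to expect it. The campaign results are constructed, and the thresholds (three clicks to count as a repeat clicker, a gap of 3 to 10 weeks between campaigns) are assumptions.

```python
"""Track phishing-simulation click rates, repeat clickers and scheduling.

Added example, not from the talk. The campaign results are constructed;
the repeat-clicker threshold and the campaign gap are assumptions.
"""
import random
from datetime import date, timedelta

# Constructed results: (campaign date, recipients, set of people who clicked).
# "chair" clicks every time, like the chairperson in the anecdote.
CAMPAIGNS = [
    (date(2021, 1, 15), 50, {"chair"} | {f"user{i}" for i in range(1, 12)}),
    (date(2021, 3, 2), 50, {"chair"} | {f"user{i}" for i in range(1, 9)}),
    (date(2021, 4, 27), 50, {"chair"} | {f"user{i}" for i in range(1, 7)}),
    (date(2021, 6, 9), 50, {"chair"} | {f"user{i}" for i in range(1, 5)}),
]


def click_rates(campaigns):
    """Fraction of recipients who clicked, one value per campaign in order."""
    return [len(clicked) / sent for _, sent, clicked in campaigns]


def trend_slope(values):
    """Least-squares slope of the values against campaign index 0, 1, 2, ..."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(values) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    return sxy / sxx


def trend_is_healthy(campaigns):
    """True when click rates trend downwards; otherwise escalate to management."""
    return trend_slope(click_rates(campaigns)) < 0


def repeat_clickers(campaigns, min_clicks=3):
    """People who clicked in at least `min_clicks` campaigns (assumed threshold)."""
    counts = {}
    for _, _, clicked in campaigns:
        for person in clicked:
            counts[person] = counts.get(person, 0) + 1
    return {person for person, n in counts.items() if n >= min_clicks}


def next_campaign_gap_days(seed, min_days=21, max_days=70):
    """Random gap (assumed 3 to 10 weeks) so staff cannot predict the next mock email."""
    return random.Random(seed).randint(min_days, max_days)


def next_campaign_date(last_date, seed):
    return last_date + timedelta(days=next_campaign_gap_days(seed))


if __name__ == "__main__":
    rates = click_rates(CAMPAIGNS)
    print("click rates:", ["%.0f%%" % (r * 100) for r in rates])
    print("slope per campaign:", round(trend_slope(rates), 3))  # -0.046
    print("healthy trend:", trend_is_healthy(CAMPAIGNS))
    print("repeat clickers:", sorted(repeat_clickers(CAMPAIGNS)))
    print("next campaign:", next_campaign_date(CAMPAIGNS[-1][0], seed=2021))
```

The slope is the number to put in front of senior management: a negative value over several campaigns is the "people are learning" signal, a flat or positive one is the escalation case. The repeat-clicker set is deliberately computed by name rather than by role, so that an executive who keeps clicking appears in the list like everyone else.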