User Behavior Key to Defense
Several high-profile experiments have proven that user behavior provides the foundation for defense against spear phishing schemes. Mass-phishing campaigns are often caught by anti-spam or phishing filters. But spear phishing attacks, which are low-volume and closely resemble legitimate emails, often go undetected. That's why organizations have to rely on humans for detection and resistance.

"I often perform investigations for my clients where the initial point of entry into the victim's computer network comes from a phishing email," said Keith Jones, senior partner, Jones, Dykstra & Associates.  "Phishme.com is a breakthrough service that provides corporate security teams with the ability to spread user awareness about this email plague by testing their own user base. Phishme.com provides the auditor with an extremely easy to use interface to conduct a phishing scenario and excellent reporting capabilities complete with summary graphics.

I was able to complete a phishing scenario for our employees at Jones, Dykstra & Associates in less than 10 minutes of use.  I will be highly recommending Phishme.com to my clients to help them continue their fight against phishing attacks."

In one experiment, New York's chief information security officer, William Pelgrin, and his team sent mock phishing emails to nearly 10,000 New York state employees. The messages appeared to be official notices asking them to click on Web links and provide passwords and other confidential information about themselves.

With the first run of the email 75 percent of employees opened the email 17 percent followed the link, and 15 percent entered data. Pelgrin and his team let users who had proven vulnerable know they'd been scammed and then sent another mock spear phishing email. With the second run only 8 percent even opened the email. In an interview with the Wall Street Journal, Mr. Pelgrin said, "This is not a one-shot deal. I've got to reinforce that behavioral change to make it permanent."

And, in a study at Carnegie Mellon University, volunteers who had proven susceptible to mock phishing emails were presented embedded training materials, then sent another email. In the second run, the volunteers identified 64 percent of the phishing emails. This compares to a mere 7 percent identified by volunteers who had received teaching materials through other mechanisms.
For more information, to view a demo or sign up for a trial account, go to http://phishme.com.