How Phishing Simulations Work - NXT Up! Live, Episode 1

Category: Data Security , Video , NXTsoft Live
Author: NXTsoft

Watch the very first episode of our brand new Live interview series, NXT Up! Live, featuring Elizabeth Jaimes from NXTsoft's ThreatAdvice Operations Management team. Elizabeth gives an insider's perspective on how phishing simulations work and the value of regular cybersecurity education for employees. Enjoy!


Full transcript below:

Ben Halbrooks:
Hey, welcome to our very first NXT Up! Live interview. This is a new thing for NXTsoft. My name is Ben Halbrooks and I am hosting. So, this is the very, very first NXT Up! Live, online interview. What we're doing with this series is we're actually going to be looking at the industries that NXTsoft has expertise in, which is cybersecurity and data protection, APIs, and everything in between, fintech and the like.

Ben Halbrooks:
So, today we're going to be looking at some cybersecurity stuff. Before I get there, first things first, we're going to be talking to NXTsoft employees across the full spectrum, getting a little bit of a window behind the curtain as to what they do, how they do it, and some of the interesting things going on at NXTsoft. So my very, very first guest is Elizabeth Jaimes, and here she is. Elizabeth, thank you for joining me.

Elizabeth Jaimes:
Thank you, Ben. Thank you so much for having me.

Ben Halbrooks:
I'm going to tell you a brief introduction about who you are before we launch into this interview. Elizabeth is part of our ThreatAdvice platform operations management team, which means she does lots of neat and interesting things. But one key thing that I wanted to talk to her about this morning that I think you guys would be interested in is phishing, and that's phishing with a P-H, not fishing with an F. So for all I know, maybe you do go fishing, Elizabeth-

Elizabeth Jaimes:
That's right.

Ben Halbrooks:
... but that's not the phishing we're talking about today. She and the rest of the operations team run our internal phishing simulations and you also run phishing simulations for a number of companies that of course are ThreatAdvice users. So anyway, so phishing, let's talk phishing. First of all, for anyone who doesn't know, what is phishing?

Elizabeth Jaimes:
Well, phishing is just a fraudulent attempt to obtain sensitive information or data via email. So this can come in a variety of ways. Mostly, like I said, via email.

Ben Halbrooks:
Okay. And so I know that you enjoy being sneaky at NXTsoft. You enjoy tricking people into clicking on things that maybe they shouldn't, because it's a simulation. It's not the real deal. Hopefully, if they fail the simulation, they'll wise up and they'll get a little bit more aware of security protocol. But tell us a little bit about the process of how you guys actually do it. How do you run a phishing simulation, either internally with our company or externally with a ThreatAdvice company?

Elizabeth Jaimes:
Absolutely. So there are different steps that we take in order to schedule a phishing simulation. The first thing that we do is we send out our domains and IPs to the client, and that way they can whitelist them. Whitelisting is just the process to make sure that the emails get through and that they don't get stuck in spam filters, and so on. After we do the whitelisting, we send out a test to make sure that they are getting through. And then after that, we set up the settings, and the settings can be from the date, what day you want it to run, to the template, what kind of template you want. Also, we do credential capture to see not only if a user clicks on the link, but also if they would enter credentials. After we set up the settings, we run the phishing campaign and those results get posted back into the platform, so that way anyone can see them, such as the admins and also us on our side.

Ben Halbrooks:
Okay. So if someone within one of those companies actually clicks on the phishing link, what happens? What do they see on their end?

Elizabeth Jaimes:
So there are two options. They can either see a 404 error page, and this all depends on the settings, or they can see a warning page letting them know, "Hey, this is a phishing campaign and you have been phished." So that's always a good one to let them know, "Hey, I did something wrong." But yeah, so there are two options there.

Ben Halbrooks:
Yeah. So this is my own confession, but I've been working at NXTsoft for over two years, and my very first month, I think, working with the company, I failed a phishing simulation. And I tend to think of myself as pretty tech savvy. And I think maybe this is a misconception a lot of people have with phishing: they think that phishing is for people that are not tech savvy, or maybe they're older people, or they're just very ignorant. And I think phishing has become much more sophisticated. And I'm not calling myself extremely intelligent here, but I'm just saying, a lot of people that would think, well, I'm never going to fall for a phishing email, they do. And I know, because I know you guys, I've seen the results you guys see, and how effective you've been at phishing people. And it's good because it wakes them up. So anyway, do you have a favorite phishing strategy or template that you've used in the past?

Elizabeth Jaimes:
My favorite template I would say is Amazon, just because it's something everyone's familiar with. I would say that would be one of my favorite templates, but as far as a strategy, I would say something that a company recognizes. So for example, maybe they use ADP or a specific web conference site, so that'd be WebEx, or GoToMeeting, or something that the company uses that they will recognize as soon as they get that email. So that is the strategy I usually go for.

Ben Halbrooks:
Yeah. And that's not really far-fetched, right? Because the real bad guys, the real hackers, will get inside a company's network and they'll camp out there for a while, right?

Elizabeth Jaimes:
Yeah.

Ben Halbrooks:
To learn their weak spots, and they'll learn which systems you're using, and so they'll impersonate something that looks very, very believable. So, the Amazon template, describe that one. Is that one like, "Oh, you have a package and it's getting held up by the mail"?

Elizabeth Jaimes:
Yeah.

Ben Halbrooks:
Okay. Click here to-

Elizabeth Jaimes:
Exactly, it's the shipment. So you have a shipment or you have an order that has arrived, please click here, and you click on it. Did I order something? I don't remember. So they'll click on it, thinking maybe it is theirs, maybe it's not, and you know, they fall for it. So I would say the Amazon one is my favorite.

Ben Halbrooks:
Yeah. And that's fairly universal too, because most people use Amazon at least at some point. So, yeah. Sneaky! Sneaky, you guys are so sneaky.

Elizabeth Jaimes:
Exactly.

Ben Halbrooks:
Before you actually were kind of on the inside of crafting these campaigns, have you ever fallen for one yourself? Can I ask you that?

Elizabeth Jaimes:
I have not. I actually have not, which I'm really proud of. Let me pat myself on the back here. I have not. I remember my first phishing campaign, I got an email. I'm like, okay, this looks fishy. Let me go ask our IT guy. So I go and they're like, shh. So I thought it was pretty fun. I went, okay. I didn't fall for it. So yeah, I have not. Not that I know of, actually. So the ones that did go out, I did not fall for them.

Ben Halbrooks:
Okay. Well let's hope I didn't just jinx you then. So, tell me this, why do we do this at ThreatAdvice? Why are regular phishing simulations so important for a business?

Elizabeth Jaimes:
So they're important just so the company can see where they stand as far as security goes, and also for employees to be able to recognize any of those attempts. So for example, they become more aware and start looking out for senders, signatures and the content, suspicious links. So the more they're familiar with these phishing campaigns, the more they'll be able to spot an actual phishing attempt.

Ben Halbrooks:
Yeah. Always better to fail the test than to fail the real thing. Right?

Elizabeth Jaimes:
Exactly. Yeah.

Ben Halbrooks:
And I do know because we of course use ThreatAdvice at NXTsoft. All of our employees are required to do our education and pass our phishing simulation. So I know that we have a score, and you see that score and you really want to get your score up. So you're very aware, you're very alert, and after you fail one, I feel like you're probably not going to fail the next one.

Elizabeth Jaimes:
Exactly. So it just lets a company know who their riskiest employees are. It gives them a score of high, medium or low. You really want to be a low-risk employee, but yeah. So it just lets the company know where they stand as far as their employees and who they need to look out for.

Ben Halbrooks:
Yeah. And depending on the data that could be compromised for businesses, there's a lot at stake.

Elizabeth Jaimes:
Yeah.

Ben Halbrooks:
There's a lot at stake for just one click. Right?

Elizabeth Jaimes:
Yeah. Exactly, let's say you have-

Ben Halbrooks:
Go ahead.

Elizabeth Jaimes:
I was going to say, especially someone who has more admin privileges to different platforms, and you know, depending on who you are or what position you have in a company, it can be really harmful if you have access to all that information and then someone gets your credentials to those different platforms.

Ben Halbrooks:
Yeah, absolutely. So what, besides the phishing simulations, besides that, what else do you do at NXTsoft with ThreatAdvice?

Elizabeth Jaimes:
So, I also do client engagement and support. And all that is, is that I just stay up to date with our clients, see if they have any questions, if there's anything I can help with. And as far as support, just day-to-day tasks, setting up passwords, or setting up education, and so on. So a little bit of everything as far as ops goes.

Ben Halbrooks:
Okay. So, when you're doing client support, do the companies trust you? Did they figure out you're the one that's actually phishing them?

Elizabeth Jaimes:
Yeah. So we assign a specific account manager to each company. So I'm really familiar with my clients and they know who I am, so they can always reach out to me. They have my email, my phone number, they can always reach out to me to help them out with anything they need.

Ben Halbrooks:
Yeah. And I know you guys do a great job because I always hear good things from the clients. So here's the one thing I was going to ask you, kind of as a closing question. Because I know for me, I have a lot of things I could say, but before I got into the cybersecurity industry, before I started working for NXTsoft, there was so much that I was not aware of. And I feel like there's so much more happening now. It's such a rapidly developing field. It is the battlefront, the modern battlefront, really. So for you, what is the most fascinating thing about working in cybersecurity?

Elizabeth Jaimes:
I think exactly what you said, it's ever changing, so you're always learning, and also the fact that I get to help people and teach people, because like you said, you might think you're the most tech savvy person, but then again, you can get an email thinking it's from someone within your company, you click on it, oh, there you go. You already gave out credentials to a fraudulent or a cybercriminal. So I would say mostly it would be me being able to teach people, help them learn, and also I'm learning as I go. So like I said, it's ever changing. I'm always learning, trying to keep up to date.

Ben Halbrooks:
Great.

Elizabeth Jaimes:
So a combination of those three.

Ben Halbrooks:
Great answer. Great answer. Thanks for your time, Elizabeth. That's been really, really informative. I hope the rest of y'all watching have enjoyed that and I'll let you get back to your phishing and the rest of your work, Elizabeth, but thanks for your time today.

Elizabeth Jaimes:
Thank you so much, Ben, for having me, and I hope this helped out people with any questions. And if you guys do have any questions, feel free to reach out to us.

Ben Halbrooks:
Absolutely. And this is the very first of our NXT Up! Live series. We will have more to come from here. Thanks for tuning in.

Elizabeth Jaimes:
Thank you.

October 7, 2020