"I don't think we're at risk: we have a very technical and knowledgeable team on the subject, but I would like to be sure..." This is how our first conversation with Jonathan Brossard, CTO of Monisnap, began.
Monisnap is a French fintech startup that offers a fast, simple, and ultra-competitive money transfer service in 150 countries.
Financial companies are a prime target for phishing attacks, and although Monisnap's team consists of highly technical people who are at home in the digital ecosystem, Jonathan wanted to verify that his team would behave correctly in the event of an attack.
This is the heart of the problem: even if we think that our employees will have the right reflexes in case of phishing, how can we be sure?
As part of our phishing test program, we prepared a customized phishing campaign for the Monisnap teams.
A phishing simulation under real conditions
For this campaign, we used the attack scenario that seemed most relevant to us: a login portal using Monisnap's colors, encouraging the team to log in with their credentials.
Jonathan immediately got involved in setting up this campaign.
He helped us strengthen the scenario by personalizing it around topics actually being discussed within the team, and by giving us Monisnap's graphic charter (brand guidelines) so that our credential-collection page matched the company's visual identity.
This approach is a very good indicator for Monisnap: rather than trying to lower our chances of success by making the attack easier to spot, Jonathan let us make the campaign conditions more demanding.
This lets us observe how the team reacts to a realistic, reasonably difficult phishing scenario, which is what a real attack looks like; poorly executed attacks usually don't even reach the inbox.
Once the test parameters were defined and configured, we executed the phishing campaign with the Monisnap team.
Campaign process
After consulting Jonathan, we opted to launch the campaign, that is, send the phishing emails, at around 6:30 pm.
At the end of the day, attention is lower and colleagues are harder to reach for a second opinion.
Once the campaign was launched, everything happened very quickly: the emails were opened as soon as they were received.
In some cases, the email was first opened on mobile (users often react faster to mobile notifications than to their desktop inbox) and then on the computer for a closer look at the email.
Things move fast at this stage, and this is how Monisnap discovered that one team member did not have all the right reflexes and could, for a moment, have been compromised.
A successful phishing test
Clearly, Monisnap is one of the top performers:
- The attack was detected and reported very early, limiting its impact.
- The only successful attack was immediately reported.
- Monisnap has learned from this test to strengthen its security.
Reported attack
Firstly, the attack was reported as quickly as possible by several members of the team and through different channels.
This matters because many people think that simply not falling into the phishing trap means they have behaved appropriately.
On average, an employee deals with 90 emails per day, so it is entirely normal that a reasonably elaborate phishing campaign catches a few people.
The right behavior is therefore to systematically report phishing campaigns in order to warn those who have not yet received them and alert those who may have fallen for them.
This is the behavior that the Monisnap team adopted, with reports on Slack and by email to notify all staff that phishing emails had been received.
Reported error
The only person who made a potentially dangerous mistake during the campaign immediately reported it, allowing for a rapid intervention to prevent any further spread or escalation.
This is not only a good reflex but also evidence of a good corporate culture.
There are still too many companies where the fear of punishment leads employees not to report their mistakes.
In a phishing attack, this means that cybercriminals can freely use the compromised account to attempt to gain more privileges on the network and strengthen their foothold.
Not reporting a compromise is therefore a serious problem: on average, it takes financial companies 3 months to detect a data breach, and during all that time no measures are taken to counter the attack.
The important thing is to report the error quickly so that measures can be taken, which was done at Monisnap.
Culture of continuous improvement
Finally, instead of being satisfied with the good results achieved, Monisnap took advantage of this experience to improve its reporting process.
Standardizing the reporting procedure allows employees to know exactly what to do when they want to report an attack: who to contact, how to do it, what to do if the information is not relayed, etc.
In summary, Monisnap successfully passed our phishing test, not only by adopting good behaviors from the first phishing campaign they encountered but also by demonstrating a willingness for continuous improvement that will allow them to reinforce these good results in the future.
And you? Do you want to know how your employees behave in case of a phishing attack? Order a phishing test to make sure.
Sources
* Kaspersky Lab, 2018: 44.7% of phishing attacks targeted the financial sector.
** Radicati, Email Statistics Report 2014-2018.
*** Ponemon Institute and Arbor Networks, 2020: on average, 98 days (up to 197 days in the retail sector) are required to detect a data breach.