Something we’ve been thinking about lately at Wombat is what will happen when attackers begin to leverage more trusted messaging platforms, such as corporate chat applications. We inherently trust the messages we receive through these systems because, historically, they’ve been harder for attackers to reach: these applications used to sit inside an organization’s firewall, blocked off from public access. But as more of these systems move to the cloud (or are native to it), and as products add APIs to support integrations, the attack surface keeps growing. A fair question to ask is what would happen if an attacker, via a compromised account or a software vulnerability, used the real-time, conversational nature of your chat system to build a strong back story (a more believable one than they could via email), and then shared a phishing link or malicious attachment. Would your users be able to figure it out? Would you?
Ultimately, all of this reinforces the importance of supplementing assessments with comprehensive, in-depth training. The volume and variety of email-based phishing attacks an organization faces can be overwhelming on their own; combine that with the growing number of other channels through which users can be attacked, and it’s clear you can’t effectively educate via assessments alone. Supplementing simulated attacks with additional security awareness training not only fills the knowledge gaps that email phishing simulations leave, it is also the most effective way to build the generalized knowledge that helps employees understand how attackers can target them, regardless of the platform.