Too bad it doesn’t exist. I mean really exist. Here is how an anti-phishing day that is designed to be a highly effective educational deterrent to phishing would work.

Google, Facebook, Hotmail, Yahoo, Twitter, Myspace, Banks, Online Gaming sites, such as World of WarCraft, and others would all send phishing emails to their users. Yes, phishing emails to their users. The idea is very simple. Make the emails look like any number of successful phishing attacks and then follow up with the educational component. The users who go to the phishing site to enter their credentials are the users who need to learn what they did wrong.

Recently Microsoft cited a dramatic reduction in autorun malware successfully infecting computers after they had automatically updated computers to change the way in which autorun works, effectively taking the bite out of autorun malware. Of course Microsoft knew for years that what they did would dramatically decrease the effectiveness of this attack vector. Well, the same principal can be applied to phishing attacks. A few years ago Carnegie Mellon performed testing that demonstrated users who had been phished were magnitudes more likely to learn to accurately identify a phishing attack than users who did not receive such training.

Facebook probably has the ability to reach at least 1 in 10 computer users in the world. Combine the resources of Facebook, Microsoft, Google, and other large players to actively phish and then provide access to well designed educational materials and the results are as easily predictable as the results of Microsoft disabling autorun.

Perhaps Mark Zucherberg, who has stated that he will eat no meat other than that which he has killed himself, could make the connection between that perspective and the urgent need to reduce phishing scams on the Internet. Most people consider fish to be meat, so maybe he could go fishing to educate users about phishing!

For those of you in corporate environments don’t expect these major organizations to have the guts to step up to the plate anytime soon. I recommend you phish your users to identify who needs more education. It is important that when doing this style of training extraordinary efforts are made to demonstrate that the training is for the benefit of the student and not a humiliating experience. You will better protect your business and make employees safer at home.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America