Security Awareness Blog

How to Tune the Human Sensor To Detect and Report Spear Phishing

One of the key benefits of a strong security awareness program that we have been discussing is not just prevention, but detection and response. As humans, sooner or later we all make mistakes, and sooner or later even the most aware of us can be caught off guard and fall victim. As such, we also want to teach people how to detect and report an attack if they do fall victim. Just think: what would have happened if the victims of the recent RSA spear phishing attack had figured out what happened and quickly reported it to their security team? Your awareness program should therefore focus not just on how to avoid falling victim to social engineering attacks, but also on how to detect and report them, especially when employees fall victim.

Now, as with any Intrusion Detection System, there is some tuning involved. Before you start your awareness program, your NOC, help desk or security team is probably getting very few reports of social engineering attacks like phishing. Once you kick off your security awareness program, you will probably have the opposite problem: every employee will be reporting every spam or phish that gets through your filters, which is once again not a good situation. You need to tune the HumanOS. As such, I recommend you have a policy in place like this.

  1. By default, when people identify phishing attacks, they should simply delete them. There is no need to report.
  2. If people get a message and cannot tell whether it is an attack or not, they should report it.
  3. If people fall victim to a social engineering attack, such as spear phishing, they should report it immediately.

As with any other security control, security awareness always takes tuning. However, when trained and tuned properly, people can become one of your greatest assets.


Posted October 20, 2011 at 8:35 PM

Joel Anderson

Regarding #1, in our organization we have a dedicated email address and encourage reports because 1) it is a source of information (email addresses, phishing sites to block, report to ISPs) 2) helps us identify spam that our tools are not catching.

Posted October 21, 2011 at 4:26 PM


I agree with Joel. We use a cloud-based filtering provider and when things slip through we want them to fix it (or credit against our SLAs). Using a "report as junk" type button in the email reader gives a simple way for people to identify those that slip through to those who need to adjust the filters. We can also track the numbers of reported messages.