University of Pittsburgh

October 27, 2016

PhishMe founder: Users are key to cybersecurity

Rohyt Belani

In 2015, mean annual revenue growth of publicly traded cybersecurity stocks went up 22 percent — which means security software is selling — but at the same time, cyberattacks in excess of $20 million rose 92 percent.

So, why isn’t the software that people are buying stopping these attacks? asked Rohyt Belani.

“Technology today in security focuses on identifying malware — malicious software,” but many successful scams don’t contain file attachments or embedded hyperlinks that will launch malware when a recipient clicks on them, he said.

Belani, founder and CEO of PhishMe, delivered the keynote, “The Most Important Defense Against Cyber Attacks? You,” Oct. 25 at Computing Services and Systems Development’s cybersecurity symposium.

In use at Pitt, PhishMe includes simulated phishing emails to raise University computer users’ awareness of real scams and report them to (See May 26 University Times.)

Simple schemes are paying off for the attackers: They may send email impersonating someone in authority, instructing a finance employee to wire money to an offshore account.

“All the attackers have to do is go on LinkedIn to see who works in the finance department at Company XYZ,” then send email that appears to come from their boss’s boss.

And it works: The scam brought in $3 billion in the United States in a single year, he said.

“There is no malware here; it’s old-school social engineering,” he said.

“It’s gotten to the magnitude where the losses are to the tune of billions of dollars every year in the U.S. alone,” he said, noting that business email compromise (BEC) scams have increased 300 percent.

Ransomware attacks — in which malware locks up data or critical systems until a ransom is paid — have increased even more, up 400 percent, he said.

Attackers often demand payment in hard-to-track alt-currency such as bitcoin. And they keep the ransom low enough that law enforcement won’t take the case and that large companies consider chump change compared with the disruption to their business.

“The attackers know that. It’s a really solid business model,” and it’s one that bypasses most technologies, he said.

University users are a valuable target for credential thieves seeking to steal usernames and passwords for spamming purposes or, more sinisterly, to gain access to cutting-edge or classified research.


Awareness isn’t the problem: Nearly everyone knows that clicking an email link has the potential to infect your computer. “It’s behavioral change that’s the problem,” he said.

Given the volume of email people receive, messages often are dealt with without much deliberate thought — just the laziness that cybercriminals are relying on.

“How do we get to a point where we can get the right amount of skepticism when interacting with email, knowing the volume of what we’re dealing with here?” he said. At PhishMe, “our business is about conditioning humans to be better against phishing attacks,” he said.

Given that some cyber attacks are well resourced — with the backing of foreign governments or organized crime rings — some will get through no matter what. But it’s imperative that attacks are discovered sooner. Belani said that although the time is decreasing, one industry estimate found it still took 145 days, on average, last year to detect a breach.

Attacks typically are detected at the action stage, or worse, after the fact, he said. “We need to start detecting attacks when they’re being delivered.”


He offered an example from his own office: It took his vice president of finance only seven seconds to spot and report a spoof email that appeared to be a request from Belani to wire money.

When the security team asked what prompted him to report the message, he cited three things: With regard to the email’s greeting: “Rohyt never says hi to me.” The second reason: “Rohyt never asks me to send money to people.”

And the third red flag: The authentic-looking “sent from iPhone” footer in the message didn’t ring true: “He’s of Korean origin and takes real pride in the fact that I use a Samsung,” Belani said. “He thought ‘Unless Rohyt swapped his phone last night, he’s on Samsung.’”

Said Belani: “Unfortunately, technology isn’t at the place today where it can quite replicate this line of thinking. We’re not quite there yet. Hence we need all of you to be skeptical and call things out when you see them suspicious.”

The goal is to develop an added line of defenders in front of IT security who won’t click in emails or open attachments without thinking, who are aware that a request could be a social engineering attempt and who will report suspicious messages when they see them.

“With a conditioned workforce that realizes situational awareness is important, you get an order of magnitude more people reporting as compared to falling prey,” he said.

There is a side benefit as well: When employees develop knowledge and skills to identify phishing attempts, it not only benefits the organization but the individuals themselves, who can use that understanding to better protect themselves at home.

Simulated phishing campaigns help raise the level of skepticism. And those who fall victim to the phony messages learn from being made aware after the fact that they’ve done something potentially dangerous.

Repetition is key. While some may become repeat victims, “by the fourth simulation the repeat victims start tending toward zero,” he said. Ultimately, “if you can get more people reporting and fewer people falling prey,” that’s true success, he said.

—Kimberly K. Barlow 

Filed under: Feature,Volume 49 Issue 5