Don’t take the bait!

Last Updated 06 July 2021
Don’t take the bait!
Downloadable assets

Campaign detail

Spear phishing attacks are becoming increasingly common and more sophisticated. Because attacks can be cleverly tailored, traditional IT network defences alone are often not enough to detect and prevent them.

You can reduce the vulnerability of your organisation by working with employees to dispel the perception that, ‘if something gets through the firewall, it is probably genuine’. Your employees have an important role to play in protecting your organisation as a second line of defence, after technical measures.

What is spear phishing?

Spear phishing is a targeted type of social engineering attack. An attacker gleans information about an individual which allows them to masquerade as a trusted source in an electronic communication. This may lead the individual to click on links, accept software updates or open attachments via email, social media messages or electronic popup messages. In doing so, the individual can unwittingly compromise sensitive information, provide access to organisational finances or facilitate technical attacks on company networks.

Phishing Attacks: Defending Your Organisation

This joint NPSA and NCSC guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques.

It outlines a multi-layered approach that can improve your resilience against phishing, whilst minimising disruption to user productivity. The mitigations suggested are also useful against other types of cyber attack, and will help your organisation become more resilient overall.

This guidance is aimed at technology, operations or security staff responsible for designing and implementing defences within for medium to large organisations. This includes staff responsible for phishing training.

NPSA ‘Don’t Take the Bait!’ campaign

The campaign is based on the principle that if you can increase awareness of the scam techniques that are often deployed, then employees will be less likely to fall for them. The campaign encourages the idea that employees have a role to play in keeping the organisation secure by not falling for, or being tricked by, spear phishing.

An important aim of this campaign is for employees to feel encouraged and supported in reporting suspected spear phishing attempts to their organisation – even if this is after they have clicked.

The campaign materials consist of the following:

  • An introductory guide for organisations: to outline the threat and provide further details on how to run the campaign
  • A guide for organisations on how to design phishing simulations: to test the susceptibility of your organisation to spear phishing
  • 4 x posters to signpost an in-house campaign: phishbaittrapsmarter
  • 2 x posters to raise awareness of spear phishing techniques:urgencyauthority
  • An animation (available below and on YouTube) to raise awareness of the influence techniques used by spear phishers
  • An infographic: to reinforce the messages delivered within the animation
  • quiz: to provide an opportunity to spot phishing attempts

For further information on the materials, to share feedback, or for editable versions (as Indesign files) please email [email protected].

You may find NPSA’s 5Es framework useful for planning and maximising the impact of your in-house behaviour change campaigns.

‘Don’t Take the Bait!’ video

Don't Take the Bait video

View Video Transcript

Spear phishing: Don’t take the bait

Most of us have probably been sent a phishing email before… [teeth crunching sounds]

Does this ring any bells? [sound of bell ringing]

randomemail @gmail.com

RE: You’ve Won!!!

Sir/Madam, [sound of keyboard typing]

Congratulations, you have won the lottery!
To claim your prize, please click on the link below and provide your details.

Click this link here

Many thanks,

Bla Bla Bla

[1] Phishing is when an attacker looks to exploit a user in order to bypass security measures.

[2] It’s pretty easy to spot, right?

[3] Spear phishing, however, is more sophisticated…

The phisher has done their homework. 

The attack is targeted at YOU.

And it’s getting increasingly hard to spot.

[1] They may know the types of email you expect to receive…and when [sound of ticking clock]

[2] They may have researched you online to discover details about you [sinister laugh sounds]

[3] They can tailor messages to your interests

(mouse clicks on Compose email)

dave@ mycompany.com

HR@ almostmycompany.com

RE: Urgent! Update your HR profile

Dear Dave [sound of keyboard typing]

We’ve identified that your HR profile needs updating, please update this immediately to avoid any problems with your next month’s wage.

Click here to update: 

www. very-strange-link.almostmycompany.com

The consequences of a spear phishing attack can be serious…

Financial impact, cyber attack, lost information

But it can be difficult…We live very busy lives.

When we’re in work mode, we often click things without even thinking…

1] How do you know when you’re being baited?

[2] Do you know the signs?

URGENCY!

Spear phishers use tight deadlines to distract you from the rest of the message… [sound of ticking clock]

Please respond ASAP or you will lose access to your IT support account.

www. itsupport.almostmycompany.com

AUTHORITY!

Spear phishers might pressure you to respond by: [pointing at a on logo email]

Pretending to be a senior executive

[pointing at the ‘from’ address, which is CEO@ almostmycompany.com] [sound of keyboard typing]

Pretending to be a trusted colleague

[pointing at mymate@ almostmycompany.com]

Pretending to a be trusted company 

[image of blablabla logo]

MIMICRY!

Spear phishers might exploit your daily habits by sending the kind of email you would expect at a particular time.

End of month Invoices!

Supplier meeting!

Please review!

CURIOSITY! 

“Welcome our newest recruit!”

“Breaking news from HR”

“Look at this cute cat!” [sound of cat miaowing]

“But what can I do?”

[1] Think before every click

[2] Verify the communication is genuine without replying

[3] Check with a colleague, seek advice

[4] Don’t panic if you do click and then become suspicious

We know it can be tough to spot {spooky noise]

Just make sure you ALWAYS…

Report it to IT.

Don’t take the bait.

NPSA [logo]

Public Guidance