“It’s All About Culture”: Arnout Van de Meulebroucke On Stopping Social Engineering

Social engineering continues to be one of the most prominent threats that organizations face today. And while we continue to evolve our defenses, threat actors evolve their tactics to try to evade them. 

In fact, a shocking one in two employees are susceptible to phishing attacks, and an estimated 23% that are targeted by an attack go on to enter their details into a spoofed landing page. 

So, how can your organization stay one step ahead?

We spoke with Arnout Van de Meulebroucke, founder and CEO at phishing simulation and cyber awareness training provider Phished, to find out more about why employees are so vulnerable to attacks and how organizations can best support them.

Van de Meulebroucke has worked in the security industry over the past five years, starting out at technology company Bringme, specializing in virtual reception services for the office market, before founding Phished in 2018. Phished is an innovative solution that specializes in using machine learning to create personalized and automated phishing campaigns tailored to the requirements of individual users, without the need for admin involvement.

What led you to founding Phished in 2018 and what differentiates it from its competitors?

I’ve been in cybersecurity for my whole career. One of the first things I had to do when starting off professionally was set up a phishing campaign for Bringme. So, the first thing I did was search the market for existing solutions and guidelines. And it worked really well—40% of the company fell for that campaign.

But something bugged me tremendously—the time that I had to spend in setting up such a campaign. It took me a couple of hours just to get the whitelisting, grades, HTML, email, and a landing page properly set up. And afterwards, I had to collect and analyze those results for management. 

Creating the first campaign felt like a thrill, but I noticed that as the campaigns progressed I lacked time and focus to come up with new tests while results didn’t noticeably improve.

So, that’s where Phished began. I just wanted to automate the entire process and optimize it from an IT security perspective—which meant through optimization and personalization. Since that was my intention from the start, that quickly became our main and our best differentiator from our competitors. Phished was built around automation from the start, and that’s something our customers still know and love today.

Why are employees so vulnerable to phishing attacks? 

I think that, for years, the cybersecurity sector has focused purely on the technical side of things. For example, it’s focused on adding new firewalls with more extensive features—they all worked really well, and still do. It’s also added spam filter after spam filter, which all emails have had to go through.

And users also didn’t receive a lot of phishing emails back then—they were pretty basic. We all know the example of the foreign prince who has a large inheritance they want to share with us. So, for a while it did seem like phishing emails and social engineering threats were going to stay a small issue because people barely fell for them. 

That was until criminals recognized the tremendous potential for them and upped their game. They evolved their emails to a personalized level, which caused employees to fall for attacks in large numbers. 

How can organizations support their employees in preventing social engineering attacks?

To support employees and prevent them from falling for these attacks, it’s important to set up a cyber awareness campaign that positively enforces a cyber awareness culture within an organization. 

Having people feel comfortable to speak out about it—to tell their organization that they received a phishing email and fell for it even—is much better than punishing them for clicking on something they shouldn’t have. If you go about it positively, it’s much more effective for all parties involved.

So, what are the steps an organization should take to create a positive environment where employees feel comfortable speaking up about attacks?

It’s all about the culture that you create. When starting a campaign, an organization should always be transparent with their employees about what they’re going to do, and why they’re going to do it. 

When we start off with a client, we perform a baseline in which we measure how that organization is performing today. But, before we do that, we always recommend that our clients send out a little piece of communication to their employees letting them know what we’re going to do. Just to say, “we’re going to perform a phishing test to see how you react.” This is, of course, without going into too much detail and spoiling it. 

After the test, we also encourage clients to be open with their employees about the results. Usually, over 50% of a certain company will fall for an attack. So, we try to have them send out an email to say, “we know a lot of you fell for this attack, but it’s ok and we’ll work on it. And that’s why we’ve implemented this new phishing platform.”

From that point onwards, our platform focuses on positive reinforcement by default. If a user falls for a phishing attack from us, the first thing they’ll see is, “oops, you fell for a phishing attack,” rather than, “oh no, you clicked on something, you idiot.” Our platform will also encourage them to take a look at quick notes detailing how they could have recognized it, etc. 

I think that message is also supported by our Phished Academy, in which we train employees in an automated, personal and positive manner. 

What are the key topics and threats that organizations should train employees on in 2022? 

First of all, there are a lot of organizations out there that are still yet to set up the basics, and yet to start these types of campaigns. To them, I’d say it’s not too late to start. Criminals will keep evolving—and so should you. 

I think it’s also time for us as an industry to look beyond basic phishing campaigns and look at the other channels that employees are receiving messages on. 

People nowadays are essentially being stalked—ranging from social media to text messages, and even phone messages—which is something that a company has no control over (and they shouldn’t, just for clarification). I think there’s also something to say about, for example, deep fakes, something that’s been in the media for a long time. These are all things that you should train users on and make them aware of the risks involved. 

I think those are the next steps for organizations that are already doing basic campaigns—moving towards training on wider social engineering, like QR code fraud, for instance. We have had clients specifically in the educational sector informing us of attacks using QR codes, where posters hanging around in hallways have had the QR codes switched out to take users to malicious websites. Those are things that will continue to haunt us in 2022. 

What’s your advice to organizations when selecting a security awareness training program?

Besides choosing us, that is?

There are a lot of different vendors out there. The first thing to decide is how much time and effort you want to spend setting up a campaign. Is it something that you want to actively do on a daily basis, for instance? Then basically, any provider will be able to help you. Is it something that you want to set up and forget about? Then you should look at players that automate things—like Phished. 

Start off with basic phishing simulations, create a campaign from there and build upon it. Don’t go from zero to an extensive campaign on day one. It’s a process. It’s not something that you implement in one day, it’s something that has to be done gradually. But it also has to be done consistently to have an effect.

One last thing I would like to reinforce: it’s not too late to start today. It’s a process. And if you start today, you’ll be better off in a week, in a month, or even in a year’s time, but you’ll be better off nonetheless. 

Thank you to Arnout Van de Meulebroucke for taking part in this interview. You can find out more about Phished and their platform via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.