Christopher Hadnagy, Michelle Fincher - Phishing Dark Waters - The Offensive and Defensive Sides of Malicious E-mails
Phishing is a problem everybody is confronted with every day. It is not limited to email: telephone calls, SMS and even DNS changes fall into this category. But let us focus on emails, as the authors do. The line between a phishing email and regular spam is hard to draw these days. In addition, the number of phishing emails sent every month increases steadily. The consequences of clicking on a malicious link or opening an attachment containing malware increase as well; just remember the CryptoLocker trojan reports, when even police stations lost all their data and paid the ransom.

The authors start their book by explaining how to recognize a phishing email and illustrate it with a lot of examples. Step by step they work the reader from verifying the sender's address to finally validating the mail headers. Their approach is very simple and elegant: they basically follow the order in which one reads an email, from top to bottom. This dry topic is extended by short stories the authors carefully place to reinforce a mental picture and make each step easy to remember.

The second chapter continues by explaining how the brain of the victim works, starting off with the various biases everybody has when making decisions. They also discuss how strong emotions like fear, anxiety or curiosity diminish your ability to make a sound decision. As in the previous chapter, this part is well illustrated by various stories that happened to the authors, each outlining the basic message and helping you to remember and recognize a similar situation. I still cannot forget the story about surfing on a cold day and breaking the board.
After this emotional and psychological lecture, Christopher Hadnagy and Michelle Fincher return to explaining how to protect against phishing emails. The steps here are explained in a way that can be reused in your awareness campaigns right away. For everyone working on how to train their employees, that chapter is a must-read. The second half of it describes various approaches to handling phishing emails as experienced by the authors in the wild. They do not hesitate to discuss these approaches frankly, and it is interesting to see what has been tried and why it may not be the best choice. The last part of the book focuses on how to set up your own phishing campaign, or how to manage it in case you decide to buy it as a service. Again, as in the beginning, Christopher Hadnagy and Michelle Fincher provide an easy-to-understand and very intuitive step-by-step approach. Besides technical and managerial aspects, they also discuss the ethical or moral side of planning and designing a phishing awareness program. The examples here focus especially on the content and pretext of the emails themselves and on how they relate to the emotional strain such an email may put on certain employees. In one story the authors describe how they fought with a company to use a pretext based on the anniversary of 09/11 and finally switched to another pretext at the customer's request, well knowing that the "bad guys" would not hesitate to use such a pretext. Of course, a section on tooling is not missing: Christopher Hadnagy discusses various free and open source as well as commercial tools. Besides an analysis of the capabilities of the tools, his personal opinion and experiences with them are included in separate sub-chapters.
All in all, this book is a very good starting point for every security professional who is in charge of setting up an awareness program for his or her company and stumbles upon the topic of phishing. You can buy the book from Amazon here.