This Newark cybersecurity firm helps companies phish their own employees

If you think you can spot a phishing email from a mile away, consider the case of Barbara Corcoran of “Shark Tank“: A scammer learned the identities of her assistant and bookkeeper, then created a real email address that was almost indistinguishable from her assistant’s email, which they used to email the bookkeeper — resulting in the (since recovered) theft of nearly $400,000.

“They’re getting so much more complex and more targeted,” said Connor Swalm, one of the founders of Anchor Security Team, a Newark cybersecurity firm that specializes in helping companies reinforce security on the front line — the employees who receive phishing emails every day.

A huge percentage of cybersecurity events start with phishing emails, said Josh Simmons, a team member for Anchor Security, citing data that is backed up in the 2018 Verizon Data Breach Investigations Report. “As the technology gets better, the human becomes the weakest point.”

When Swalm, a 2018 graduate of University of Delaware, spun off a software company he started as a student into a cybersecurity company with partners Dr. Andrew Novocin and Dr. Jamie Swalm, its primary focus wasn’t phishing. But when they, like virtually all companies, started receiving complex phishing emails, they found existing software solutions on the market to be inadequate.

“We realized very quickly through talking to large organizations that were already using products in the marketplace that the current products weren’t getting the job done,” Swalm said. “We decided at that point that there was an opportunity to build a better product that focused on training employees, preparing them for these eventual attacks, because they’re the ones that get really taken advantage of.”

Typically, educating employees on phishing involves a watching a video and checking a box — but employees “typically just mute and continue working on other stuff while they check the box that they need to get IT off their back,” said Swalm.

Anchor Security’s platform, which recently finished a pilot program and is now serving clients, allows companies to create their own custom simulated phishing emails to send out to their own employees at different times, without warning. When simulated phishing emails are typically used in cybersecurity training, the same email goes out all at the same time to all employees — but that, Swalm said, does not accurately represent a real phishing scenario and is far too easy for employees to catch, not least of all because word spreads to not click the email.

“[The Anchor platform] can customize all of the templates, the email, the reports, which individuals get which phishing emails and what information you’re going to put in those emails of that individual,” said Swalm.

When employees click on a simulated phishing email — and, in its pilot, even cybersecurity team members were fooled by some of them — a browser opens, taking them to what they call a Learning Moment. “The second an employee clicks a phishing email, they go through an automated tour of the email that they just clicked, telling them which things in the email they missed that would have showed them that it was a phishing email.”

Unlike a training video, Learning Moments are interactive demos the employee can’t ignore.

Focusing on people rather than technology isn’t the most common defense in cybersecurity, Swalm said.

“There are a lot of companies that focus on securing the software, hardware and the infrastructure with enormously expensive machine learning tools that read emails and try to predict if they’re phishing,” he said. “But at the end of the day, the only way to defend from a complex phishing attempt like [Corcoran’s] is to train your employees in a better way.”