Employee Awareness of Phishing & Social Engineering Attacks
As written by Rob Walker.
Employee behavior is considered one of the main reasons why phishing attacks can be effective. With proper education your staff can be made aware of how to spot phishing attacks and stop them in their tracks.
Alert your staff to look for these red flags when they receive e-mails that are requesting some form of payment, account password authentications, or account deletions:
- Be aware of spam and adopt special cautions for emails that:
  - Request confirmation of personal or financial information with high urgency.
  - Request quick action by threatening the user with frightening information.
  - Are sent by unknown senders.
Tips & Ground Rules
Alert your staff to follow these rules when it comes to suspicious activity:
- Never divulge personal or financial information via phone, email, or on unsecure websites.
- Do not click on links, download files, or open email attachments from unknown senders.
- Be sure to make online transactions only on websites that use the https protocol -- look for a sign that indicates that the site is secure (e.g., a padlock on the address bar).
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites are often exact replicas of legitimate websites.
- Beware of pop-ups; never enter personal information in a pop-up screen or click on it.
- Beware of emails that ask you to call a specific phone number to update your information; the phone is just as easy to spoof as a web form.
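The red flags and rules above can be turned into a first-pass triage check that a help desk or mail gateway could run on a reported message. The script below is an added example, not part of the original post or any vendor product: it scans a single e-mail for an unknown sender domain, urgency or threat language, links that are not https, and links whose visible text names a different site than the one the href actually points to (the "exact replica" trick). The sample message, the trusted-domain list and the keyword list are constructed for the example.

```python
"""Heuristic phishing red-flag scanner for one e-mail (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list: phrases that pressure the reader to act quickly.
URGENCY_TERMS = (
    "immediately", "within 24 hours", "urgent", "suspended",
    "verify your account", "confirm your password",
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Hostname of a URL (or URL-looking text), lower-cased, without a leading 'www.'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = (urlparse(url_or_text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_email(sender, subject, html_body, trusted_domains):
    """Return a list of human-readable red flags found in the message."""
    flags = []

    # Red flag: sent by an unknown sender (domain not on the trusted list).
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        flags.append(f"unknown sender domain: {sender_domain}")

    # Red flag: urgency or threatening language in subject or body text.
    plain = re.sub(r"<[^>]+>", " ", html_body)
    lowered = (subject + " " + plain).lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        flags.append("urgency/threat language: " + ", ".join(hits))

    # Red flags on links: non-https targets, and visible text that names a different site.
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, visible in collector.links:
        if urlparse(href).scheme.lower() != "https":
            flags.append(f"non-https link: {href}")
        if re.match(r"(https?://|www\.)", visible, re.I):
            shown, actual = _host(visible), _host(href)
            if shown != actual:
                flags.append(f"link text shows {shown} but points to {actual}")
    return flags


# Constructed sample: a look-alike sender, pressure wording and a mismatched link.
TRUSTED_DOMAINS = {"example-bank.test", "example-corp.test"}
SAMPLE_EMAIL = {
    "sender": "security@examp1e-bank.test",
    "subject": "Action required: your account will be suspended",
    "html_body": (
        "<p>We detected unusual activity. Verify your account within 24 hours "
        "or access will be suspended.</p>"
        '<p>Click <a href="http://examp1e-bank.test/verify">'
        "https://www.example-bank.test/login</a></p>"
    ),
}

if __name__ == "__main__":
    for flag in scan_email(trusted_domains=TRUSTED_DOMAINS, **SAMPLE_EMAIL):
        print("FLAG:", flag)
```

Each flag corresponds to one of the rules the staff are asked to apply by eye; a message that trips several of them at once is exactly the kind that should be reported rather than acted on. The keyword list is deliberately small and should be tuned to the phrases seen in an organization's own reported phishing.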
In addition to these tips, it could be a good idea to put Microsoft Defender to use company-wide. It is a part of Office 365 that can protect your staff from malware attached emails as well as unsafe links embedded in emails.
Certified Security Awareness Training
It is also a good idea for you to obtain certified security awareness training. A reputable company that provides this service is KnowBe4 and they provide the following:
- Old School Security Awareness Training Doesn’t Cut It Anymore: Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks.
- Baseline Testing: testing to assess the “phish-prone” percentage of your users through a free simulated phishing attack.
- Train Your Users: The world's largest library of security awareness training content; including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
- Phish Your Users: Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
- See The Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management.
Educating your staff is key. They are often the only line of defense when it comes to sophisticated phishing attacks. Contact us to learn more about getting your users fortified with the knowledge and support they need.
If you’d like to read more on phishing and cyber security, read our blog on How to Prevent, Detect, and Protect Yourself from Phishing Attacks.
5 commonly overlooked security threats
The Internet is a vast place that brings amazing information to our fingertips in a matter of seconds. While this is a wonderful attribute, it also can be dangerous to your personal information or business’s data. That’s because there are hackers out there just itching to access your information and email is still a common way they accomplish this feat. And as we’ve seen through several recent examples—including the 2015 Pentagon and 2014 Sony email hacks—simply having a “strong” email password isn’t enough to keep your data from being compromised.
While some may jokingly (or not-so-jokingly) call for less email usage and more frequent use of the phone to communicate important information, it’s not always possible in our highly digital world. So in addition to being cautious about what is communicated in your emails, it’s important to understand how to protect those emails in the first place. To ensure secure email on your personal and work devices, you first have to recognize threats to your email system—including the less common ones.
Here are five often overlooked threats to your email security:
Social engineering schemes that use your mobile number—Did you know that attackers only need your mobile number to trick you into giving access to your email? Essentially, they’ll send you a text posing as your email provider (e.g., Outlook) and tell you you’re about to receive a code to ensure your email account is secure. This text will then ask you to reply with the code to confirm. Then, they’ll trigger the password reset process, you’ll receive a real message with the unlock code—and if you send it to the attackers unknowingly—they’ll use it to reset your password without your knowledge. Check out this video if you want more specifics on this scheme.
Sharing your access credentials with others—It’s common for some employees to share their credentials—including their password—with a fellow employee or manager when they’ll be out of the office, whether on vacation or during short-term or long-term disability. If organizations don’t have defined security policies for these situations, a lack of accountability could lead to compromised email security.
Loss of a phone with pertinent information—Password management applications are wonderful tools that help you keep track of all the passwords for all of the email accounts you undoubtedly have. But if this application is installed on a phone that is lost or stolen, that can be a problem. Of course, it’s important that your phone is also password-protected, but organizations should take security one step further when it comes to work or personal devices that carry business data or information. Specifically, a business should standardize acceptable use policies regarding the local storage of files, remote wipe capability and network connectivity.
Lack of email encryption—Just because data is passed via a secure email server doesn’t mean it’s 100 percent safe. To add an extra layer of protection, companies should invest in an encrypted email service, which seals email messages and ensures only those with a decryption key can read and access sensitive information.
Crypto-ransomware—Ransomware is nothing new, but it’s a nasty way for hackers to operate. They essentially take the files on your computer or devices hostage until you pay a ransom to have them released. Crypto-ransomware is even nastier, as the hackers encrypt your computer’s files and will only surrender decryption keys upon payment. How is this related to email? These attacks are typically triggered through the opening of some sort of email attachment (e.g., an invoice, energy bill, image, etc.) and they often look legitimate. According to Symantec’s 2015 Internet Security Threat Report, attacks of this nature are highly profitable (bringing in approximately $34,000 per month for one group alone) and growing in popularity.
Whether through phishing schemes or direct malware attacks, email security threats are prevalent—and as we’ve seen, even the mighty can fall prey to them. That’s why it’s more important than ever for organizations to invest in a secure email service that will help them keep their data safe. In addition, employee education is a large part of maintaining a secure email environment. When people know what to expect, they’re better equipped to protect themselves and their companies from liability.