
Train Your Team to Spot High-Stakes Phishing

What Is Phishing?

A scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.

https://www.merriam-webster.com/dictionary/phishing

Phishing

Phishing is typically when a scammer attempts to obtain private information from a user: logins, credit card numbers, bank details, and so on. Scammers look for anything they can easily use that an unsuspecting victim will hand over. Mass emails and automated calls are the most common ways phishing occurs; the scammer tries to trick the user into thinking they need to take some action that requires entering or giving away information. With enough emails and calls, it is likely that someone will eventually take the “bait”.

Spearphishing

Spearphishing is a more direct and targeted approach: the scammer already has some information about the target and uses it to their advantage. One example is a scammer imitating a colleague or another person whom the victim knows. Spearphishing messages are more tailored to the victim, and they typically target people who control valuable assets, such as higher-ranking executives.

Following the instructions in a phishing message may lead to attackers gaining access to your systems, stolen passwords and credit card information, malware, ransomware, and more.

The Importance Of Training

Anti-malware programs, filters, and firewalls will help reduce your cybersecurity risks, but they can’t catch everything. Employees, including top-level executives, are a company’s biggest potential source of cybersecurity incidents. This is why cybersecurity training is necessary to protect your business as well as your personal information.


The reality is that breaking into a network that follows any kind of best practices is not easy: it takes a lot of time and requires a lot of knowledge. Tricking people into letting you in is much easier and faster. That’s why phishing has become such an issue: it casts a much wider net with much greater ease. One person is all it takes to gain access to a business network, and that’s why these attacks are becoming more subtle and elaborate.

When an employee falls for one of these scams, an expensive cybersecurity incident is likely to follow. An incident may lead to leaked confidential information, ransomware, and stolen money. Fixing the breach will most likely take a lot of time and effort, and some or all systems may be unusable in the interim.

For this reason, training in the fundamentals of cybersecurity is essential for every employee, especially management and executives, because they are more lucrative targets and thus more likely to be attacked. Training to identify phishing will go farther in protecting your business than many other avenues of protection.

Create A Secure Business Culture

Getting the entire business in line with cybersecurity practices is no small task, but creating a culture where employees naturally follow guidelines will help. Training employees and giving them the tools they need will go a long way in protecting your business.

An example of good business cybersecurity culture is having employees recognize suspicious emails and follow proper reporting procedures. It seems like a small thing, but it can be immensely helpful. An employee who simply deletes a phishing email may not fall for it, but the same attack may reach other employees who don’t catch it. Submitting the email to the security team allows them to decide the best way to proceed: for example, blocking the source of the email could prevent future attacks, or the security team may need to follow up on suspicious emails from a business partner.

In everyday business activities, using email properly can also improve cybersecurity. Poor grammar and misspellings are common indications of spam and malicious emails, so employees, managers, and anyone involved with the business should keep emails neat and professional. Keep urgent emails to a minimum: too many emails marked as urgent or important may desensitize employees to what could be a red flag. Don’t reprimand employees for being skeptical or asking for further verification; you want them protecting your business instead of blindly following any email they receive.

Phishing Tricks

Phishing has evolved and uses different strategies to try to compromise users, so cybersecurity training constantly has to cover newer tricks to keep businesses safe.

Impersonating Technical Support

Scammers may call pretending to be technical support from a major company. They state that they have detected a problem and need the end user to perform a task to fix it. One example we have seen is a call from a person claiming to be Microsoft technical support; the scammer stated that they had detected a virus on the victim’s computer and needed remote access to fix it.

Secure Websites With HTTPS

In the earlier days of the internet, websites that used HTTPS were uncommon, and the padlock often meant the website was trustworthy. Today anyone can secure a website easily and show the lock in the address bar. A secure site simply encrypts the data transferred between you and the website; it does not mean the site is safe or trustworthy.

Social Media

Increasingly, phishing uses social media both as a means of attack and as a source of information for spearphishing. It is often easy to impersonate people on social media, which makes information gathering easier. Users should hide sensitive information from the public and should not trust people they don’t know.

Impersonating Common URLs

Spoofing websites is a common phishing tactic. The attackers create a fake webpage that looks like the original; it might even have the same design and logos. When the user visits the fake webpage, it prompts them to log in or enter private information. The scammers then use this information themselves or sell it. The fake webpage may then redirect the user to the official page, and the user will never know the attack happened.

To trick the user, attackers may also register an address for the fake page that looks like the address of the real website. For example, microsoft.com-baddomain.com at first glance looks like it belongs to microsoft.com, but the actual domain is com-baddomain.com. Another common trick is to use commonly misspelled or mistyped versions, such as microsft.com or nicrosoft.com.
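The two lookalike tricks above can be checked mechanically before a user clicks. The following is an added example written for this page, not code from No B.S. Computer Repair; it assumes a small constructed allowlist of brand domains (KNOWN_BRANDS) and, as a simplification, treats the last two hostname labels as the registered domain (a production check would consult the Public Suffix List so that co.uk-style suffixes are handled).

```python
from urllib.parse import urlsplit

# Constructed allowlist: the brand domains this organization actually
# expects to see in links. An assumption for the example, not a real policy.
KNOWN_BRANDS = {"microsoft.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname (the part someone had to register).

    Simplification: multi-label public suffixes such as co.uk are ignored; a
    production check would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url):
    """Classify a link as legitimate, a lookalike of a known brand, or unknown.

    Returns (verdict, registrable_domain).
    """
    if "//" not in url:
        # Bare hostnames have no scheme; add one so urlsplit parses them.
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return "legitimate", reg
    subdomain_labels = host.split(".")[:-2]
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        # Trick 1: the brand name is only a subdomain of someone else's domain,
        # e.g. microsoft.com-baddomain.com -> registered domain com-baddomain.com
        if any(brand_label in label for label in subdomain_labels):
            return "lookalike: brand in subdomain", reg
        # Trick 2: a near-miss spelling of the brand, e.g. microsft.com or nicrosoft.com
        if edit_distance(reg.split(".")[0], brand_label) <= 1:
            return "lookalike: near-miss spelling", reg
    return "unknown", reg


if __name__ == "__main__":
    for link in ["https://www.microsoft.com/account",
                 "https://microsoft.com-baddomain.com/login",
                 "http://microsft.com", "http://nicrosoft.com",
                 "https://example.org"]:
        print(link, "->", classify_url(link))
```

The registered-domain check matters more than the visual one: a link is judged by what was actually registered (com-baddomain.com), not by the familiar name that appears at the front of the address.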

Attachments

Attachments are another common attack vector, which is why many email platforms no longer allow sending certain types of attachments, such as .exe files. But other common files, such as Microsoft Office documents, can also carry malicious code. Some attachments that link to websites may contain an HTML meta redirection (meta refresh) tag: the attachment links to an official website but then redirects the user to a different, malicious website. Since the message did not link directly to a malicious website, filters may not detect an issue.
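A security team that receives such an attachment can inspect it without opening it in a browser. The following added example (written for this page, not code from No B.S. Computer Repair) parses an HTML attachment with Python's standard-library html.parser, collects every meta refresh target, and compares the target host against a constructed set of trusted hosts. The sample attachment and the .test redirect domain are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=https://example" -> delay; url=target
        _delay, _sep, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if rest.lower().startswith("url="):
            target = rest[4:].strip().strip("'\"")
            if target:
                self.targets.append(target)


def meta_refresh_targets(html):
    """Return the list of meta refresh destinations found in an HTML document."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    parser.close()
    return parser.targets


def attachment_verdict(html, trusted_hosts):
    """Say whether the attachment silently redirects outside the trusted hosts."""
    targets = meta_refresh_targets(html)
    if not targets:
        return "no meta refresh"
    for target in targets:
        host = (urlsplit(target).hostname or "").lower()
        if host not in trusted_hosts:
            return "redirects off-brand to " + host
    return "redirects within trusted hosts"


# Constructed sample: the visible link points at the official site, but the
# meta refresh sends the browser somewhere else before the user can read it.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login.example-invoice-portal.test/auth">
<title>Shared document</title></head>
<body><a href="https://www.microsoft.com/">Open in Microsoft 365</a></body></html>"""

TRUSTED_HOSTS = {"microsoft.com", "www.microsoft.com"}  # constructed allowlist

if __name__ == "__main__":
    print(meta_refresh_targets(SAMPLE_ATTACHMENT))
    print(attachment_verdict(SAMPLE_ATTACHMENT, TRUSTED_HOSTS))
```

The visible anchor in the sample is irrelevant to the verdict; only where the page actually sends the browser is checked, which is exactly the part a quick glance at the attachment misses.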

Cybersecurity Software And Firewalls Alone Are Not Enough

Email filters do a great job of catching suspicious emails and spam. Anti-malware programs reduce the chance that a malicious program can cause harm to a system. Firewalls help keep out unwanted traffic and may even alert on potential issues internally. Email authentication and verification have helped prevent fake emails and impersonation. All of this is great, but it’s not enough by itself.

Phishing wouldn’t exist if it didn’t work, and spearphishing even more so, given the added time and complexity. Filters may miss certain types of content. Every day security experts find new malware and zero-day exploits. Firewalls can’t catch everything, especially with more and more services using encryption. And not everyone has the knowledge to set up authentication and verification protocols for things like email.


Train the people who make up a business to identify suspicious content and know what to do with it, and refresh this training regularly to keep skills sharp. It may mean that an employee asks for verification before completing a task, but it may also keep that same employee from sending thousands of dollars to a scammer.

Cybersecurity Awareness Training

At No B.S. Computer Repair, LLC, we know a multi-layered defense is the best approach to cybersecurity. We also believe employees can be one of the best tools in your company’s protection. Contact us to learn about the training options that are available to your business.