Another October brings another Cybersecurity Awareness Month. The overarching theme, #BeCyberSmart, brings us to our discussion, Fight the Phish! As phishing is an extremely effective attack vector for malicious actors, this is a topic we can wholeheartedly get behind. Phishing attacks currently account for more than 80 percent of reported security incidents. In 2020 alone, there were 241,342 complaints of phishing scams, with adjusted losses of over $54 million. This increase in phishing attacks from years past highlights the need for vigilance. It is more important than ever that individuals and companies alike emphasize the need for reporting suspicious emails and awareness training. If you are interested in learning more about awareness training, read more on Social-Engineer, LLC's managed phishing service here.
To Click or Not to Click
When determining if an email is legitimate or a phishing email, critical thinking plays a key part. Michael Scriven and Richard Paul (1987) define critical thinking as “the intellectually disciplined process of actively and skillfully evaluating information generated by observation.” Phishing emails play on emotions such as fear, greed, and curiosity to influence the target to take the desired action. Additionally, they often convey a sense of urgency. Rather than acting immediately, take a moment to pause. Assess if the sender is asking you to take an action that makes sense. For example, is your bank asking you to provide your routing number, or other information they should already have? It’s equally important to pay attention to the grammar of the email. Is it correct? Are there misspelled words? Let us break down some specific ways to determine if an email is safe.
To Verify You Must Clarify
Start by verifying the sender. Many times, malicious actors will use email addresses that clearly do not belong to the company they are impersonating. Checking that address is a great first step. Additionally, if the email requests that you submit financial information or provide any personal information via a link, don’t click it. Instead, contact the sender, whether it be a financial institution or other organization, to verify the request. When verifying the request, do not use the contact information provided within the email. Rather, use contact information found through that company’s official website. If needed, log into your account on the official website to check on any notifications.
Inspect the Link
One quick way to see where a link within an email leads is to hover over it with your cursor. But be careful not to click! This way, you can see the destination of a link without navigating to it. Sometimes, emails will contain an “unsubscribe” link or button. However, do not immediately trust these links. Be sure to hover and view their destination first. Many times, the destination is the same as the other links within the phishing email, or is easily identifiable as a suspicious destination.
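As an added example that is not part of the original post or of Social-Engineer's service, the script below applies the two checks above (verify the sender's domain, and compare where each link really points with what its text claims, including any "unsubscribe" link) to a constructed sample message; the bank name, domains and links in the sample are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name claims
# a bank, but the address domain and the link targets do not match that bank.
SAMPLE = """From: "Example Bank Support" <alerts@examp1e-bank-security.com>
To: you@example.org
Subject: Action required: confirm your routing number
Content-Type: text/html; charset=utf-8

<p>Confirm at <a href="http://examp1e-bank-security.com/confirm">www.example-bank.com/secure</a></p>
<p><a href="http://examp1e-bank-security.com/u">Unsubscribe</a></p>
"""

# Simple anchor matcher; fine for the sample, a real tool should use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Hostname of a URL, or of bare link text such as www.bank.com/login."""
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def triage(raw_message, expected_domain):
    """Apply the post's checks to one RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Verify the sender: does the address domain match the organisation named?
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    if sender != expected_domain and not sender.endswith("." + expected_domain):
        findings.append(f"sender domain {sender!r} is not {expected_domain!r} (display name {display!r})")
    # 2. Inspect the links: what hovering would show versus what the link text claims.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR.findall(body):
        text, target = re.sub(r"<[^>]+>", "", text).strip(), host_of(href)
        if "." in text and host_of(text) != target:
            findings.append(f"link text {text!r} actually points to {target!r}")
        if "unsubscribe" in text.lower() and target != expected_domain:
            findings.append(f"unsubscribe link leads to {target!r}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "example-bank.com"):
        print("-", finding)
```

The same function returns an empty list for a message whose sender domain and link targets all belong to the expected domain, which is the quick sanity check a reporting workflow can run before a human looks closer.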
If in Doubt—Throw it Out!
Link-based phishing email attacks remain an easy way for malicious actors to gain a foothold into your personal information. Because of this, remember: if in doubt, throw it out. Try to apply your real-world knowledge to the online world as well. If you do not know someone, you are wary of accepting things from them. Similarly, be cautious of any email from an unknown sender, or even emails that may appear to be from people you know. If you are unable to verify the authenticity of an email, play it safe and delete it.
Report Suspicious Emails
If you receive a suspicious email, it is important to report it to your company, whether you clicked or not. If you did click, your security team will be able to help you mitigate the damage. Reporting suspicious emails is a vital part of keeping your company safe. The more people who report them, the easier it will be to warn and protect the rest of the company. Open communication and knowledge of proper reporting procedures are among the best defenses against phishing attacks.
Social-Engineer Phishing Service (SEPS)
Organizations should train and educate staff to detect social engineering attacks to improve overall security. The concept of phishing your own employees has been around for years; however, the concept of a customized and continuous Phishing Service is unique.
From start to finish, Social-Engineer helps an organization’s most unpredictable asset (their people) become the first line of defense. If an employee understands the value of reporting suspicious activity to their internal security department, they will likely react to real-world scenarios the same way. Rather than simply training staff to look for suspicious activity, the Social-Engineer team teaches users to apply critical thinking, to recognize phishing emails, and how to properly report and respond to them. It’s important for employees to understand the assets they are responsible for protecting and how they can better safeguard them. Security starts with each individual user.
By sending an initial wave of well-crafted phishing emails, Social-Engineer creates a baseline for an organization’s susceptibility to these types of attacks. From there, our team conducts a thorough debrief, focusing on remediation and education. We repeat this process with increasingly sophisticated phishing awareness education. By conducting ongoing and regular phishing campaigns, organizations can quickly develop a culture of phishing awareness and education. Our service can also provide advanced metrics, such as click and reporting rates, repeat offenders, and trend data in order to identify specific areas of improvement and, eventually, ROI. If you are interested in partnering with Social-Engineer to #BeCyberSmart, please contact our team for a personalized quote.
Sources
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
https://www.social-engineer.com/services/se-phishing-service/
https://louisville.edu/ideastoaction/about/criticalthinking/what
Image: https://www.bankinfosecurity.com/phishing-scheme-uses-google-drive-to-avoid-security-report-a-12924