Phishing scams are a very common technique used by identity thieves to trick you into giving them your sensitive personal or financial information. Thieves will often impersonate real companies such as credit card companies, banks, or online services such as PayPal or Dropbox. It is a challenge to recognize what is real and what isn't, but there are a few things you can do to make yourself and your organization less susceptible to this type of scam.
Before we discuss a non-traditional approach, here are a few quick tips you and your users should be aware of to avoid falling prey to a phishing attack.
Phishing emails or texts will attempt to tell a story to trick you into clicking a link. Some common themes phishers use include:
Below are some examples of typical phishing e-mails:
These phishing emails or texts often look like they're from a trusted company that you've dealt with before. You should be extra suspicious of any email requesting money or account information from a 'trusted entity' such as your bank or credit card provider.
One effective approach to strengthening your users' phishing defense is actually… phishing them yourself! Setting up an internal phishing campaign has been shown to be very effective in raising awareness about phishing emails and serves as a more effective training tool.
With this approach, your users will see what a phishing email actually looks like, and your admins will get valuable insight into which areas of your organization need the most attention. This non-traditional approach has several benefits over traditional training exercises, which typically only cover the points I raised earlier about phishing language and structure.
There are a few key things you will need to accomplish for a successful internal phishing campaign:
This approach is far from traditional and might be a tough sell to the C-level decision-makers from whom you will need buy-in.
One of the big hurdles when getting buy-in from the business is convincing them that it's worth the time and money. This exercise is inexpensive and does not require any additional staffing, and the results, delivered via monthly reports on company progress, will speak for themselves.
A number of third-party platforms are also moving into this space to serve smaller organizations that may lack the technical resources to carry out the campaign themselves. Some examples are Sophos Phish Threat, which we are implementing here at STEALTHbits, and Cofense PhishMe, which is free for small businesses.
You will want to establish unbiased baselines for your user performance in order to accurately evaluate progress.
Here’s an example screenshot of the Sophos phishing dashboard:
Once you've established a baseline, a monthly update on the results of the previous month's phishing campaign can motivate your employees to be more vigilant.
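As an added illustration of the baseline-and-monthly-report idea above (this is example code written for this article, not part of the Sophos or Cofense products and not code from the original post), the script below takes simulated-campaign results, computes per-department click and report rates for a baseline month, refuses to publish a rate for departments with too few recipients to be a fair baseline, and then reports the month-over-month change. The records, department names and the `MIN_SAMPLE` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample results from two simulated internal phishing rounds (not real data).
# Fields: user, department, campaign month, clicked the simulated link, reported it to security.
RESULTS = [
    ("u1", "Finance", "2022-01", True,  False),
    ("u2", "Finance", "2022-01", True,  False),
    ("u3", "Finance", "2022-01", False, True),
    ("u4", "Finance", "2022-01", False, False),
    ("u5", "Eng",     "2022-01", False, True),
    ("u6", "Eng",     "2022-01", True,  False),
    ("u7", "Eng",     "2022-01", False, True),
    ("u8", "Eng",     "2022-01", False, False),
    ("u9", "Legal",   "2022-01", True,  False),
    ("u1", "Finance", "2022-02", False, True),
    ("u2", "Finance", "2022-02", True,  False),
    ("u3", "Finance", "2022-02", False, True),
    ("u4", "Finance", "2022-02", False, False),
    ("u5", "Eng",     "2022-02", False, False),
    ("u6", "Eng",     "2022-02", False, True),
    ("u7", "Eng",     "2022-02", False, True),
    ("u8", "Eng",     "2022-02", True,  False),
    ("u9", "Legal",   "2022-02", False, False),
]

# Assumed threshold: a department with fewer recipients than this gets no published rate,
# because one or two people would swing the percentage and make the baseline unfair.
MIN_SAMPLE = 4


def rates_by_dept(results, month):
    """Per-department recipient count, click rate and report rate for one campaign month.

    Rates are None when the department's sample is below MIN_SAMPLE.
    """
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for _user, dept, rec_month, clicked, reported in results:
        if rec_month != month:
            continue
        c = counts[dept]
        c["n"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    summary = {}
    for dept, c in counts.items():
        if c["n"] < MIN_SAMPLE:
            summary[dept] = {"n": c["n"], "click_rate": None, "report_rate": None}
        else:
            summary[dept] = {
                "n": c["n"],
                "click_rate": c["clicked"] / c["n"],
                "report_rate": c["reported"] / c["n"],
            }
    return summary


def progress(results, baseline_month, current_month):
    """Change in click rate per department (negative means improvement).

    None where either month lacks a fair sample for that department.
    """
    base = rates_by_dept(results, baseline_month)
    cur = rates_by_dept(results, current_month)
    deltas = {}
    for dept in set(base) | set(cur):
        b = base.get(dept, {}).get("click_rate")
        c = cur.get(dept, {}).get("click_rate")
        deltas[dept] = None if b is None or c is None else round(c - b, 3)
    return deltas


def monthly_report(results, baseline_month, current_month):
    """Plain-text summary suitable for the monthly update to staff and management."""
    cur = rates_by_dept(results, current_month)
    delta = progress(results, baseline_month, current_month)
    lines = [f"Phishing simulation: {current_month} vs baseline {baseline_month}"]
    for dept in sorted(cur):
        s = cur[dept]
        if s["click_rate"] is None:
            lines.append(f"{dept}: {s['n']} recipients, sample too small to rate")
            continue
        lines.append(
            f"{dept}: clicked {s['click_rate']:.0%}, reported {s['report_rate']:.0%}, "
            f"change vs baseline {delta[dept]:+.0%}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(monthly_report(RESULTS, "2022-01", "2022-02"))
```

Tracking the report rate alongside the click rate matters: the goal of the exercise is not just fewer clicks but more users forwarding suspicious mail to the security team, and a department that clicks less yet reports nothing has only half-learned the lesson.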
Being familiar with typical phishing e-mails is great, but actually testing your users is better. Educate your users on the standard phishing indicators I mentioned above, and then, with that training in place, test them by phishing them yourself. Setting up an internal phishing campaign is inexpensive and relatively easy to accomplish. It's estimated that 80% of breaches start with a successful phishing e-mail; get ahead of this before it's too late.
Chris studied Information Systems at Hofstra University before joining Stealthbits (now part of Netwrix), where he took on the role of Technical Product Manager for the SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security in general is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.