In the first and second articles, we talked about what phishing is and provided some general tips for avoiding common types of phishing attacks. However, there's really more to it than that. A truly security-aware organization should place an emphasis on employee education and training. "Social engineering" style attacks - like phishing - can happen to anyone, at any workplace, and they can subvert all the work you've put into building your IT defenses.
So, for this final article in the series, we're going to focus on education. How can you create a workforce that's going to spot phishing attempts and other social engineering scams? Read on for important tips!
Five Vital Tips For Developing A Workforce Resistant To Phishing
1 - EVERYONE must get trained.
Yes, everyone. From the janitor to the CEO, anyone who has access to any sort of information, sensitive locations, or system privileges within a company is a potential target for phishing. Lower-tier targets can be used as springboards to scam higher-tier employees and, of course, gaining access to a C-level exec's passwords is a mother lode.
Don't let anyone off the hook because they claim they aren't a target, because they are.
2 - Know how to spot the warning signs.
There are few genuinely perfect scams in this world, and most phishing attacks will have some big warning signs. Here are some of the most common red flags:
- Impersonal greetings, such as "customer" or "patient," rather than real names.
- Multiple spelling/grammar mistakes.
- Misspelled company names.
- Incorrect URLs. Look carefully! Phishers like to use Unicode to create URLs which are almost identical to the real thing, with only slight variations such as a diacritical mark over a letter or a lookalike character from another alphabet.
- Requests seemingly from other workers which require ignoring standard security protocols.
- Misleading domain names. "mail.google.com" and "mail.google.something.com" are not going to the same place. Understand the difference between parent and child domains.
- Open requests for money or personal information.
- Unrealistic over-the-top threats, like "Respond to this email immediately or your bank account will be closed!"
- Claiming to be from the government.
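Two of these red flags, Unicode lookalike hosts and parent/child domain confusion, can be checked mechanically before a link is clicked. The following is an added example (not code from the original article or from Hummingbird Networks); the TRUSTED_DOMAINS allowlist is a constructed placeholder for an organization's own list of known-good domains.

```python
"""Defender-side URL triage for two phishing red flags:
non-ASCII / punycode (IDN) lookalike hosts, and child-domain confusion
such as "mail.google.something.com", which is NOT a Google domain."""
import unicodedata
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist standing in for an organization's known-good domains.
TRUSTED_DOMAINS: Set[str] = {"google.com", "example-bank.com"}


def trusted_parent(host: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `host` is a child of, else None.

    A host is trusted only if it equals a trusted domain or ends with
    ".<trusted domain>".  A plain substring test would wrongly accept
    "google.com.evil.test", where "google.com" is just a child label."""
    host = host.lower().rstrip(".")
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def suspicious_chars(host: str) -> List[Tuple[str, str]]:
    """List (character, Unicode name) for every non-ASCII character in the
    host, so a reviewer can see e.g. a Cyrillic 'o' standing in for Latin."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def is_lookalike(host: str) -> bool:
    """True if the host carries non-ASCII characters or punycode ("xn--")
    labels, the two encodings behind visually identical (homoglyph) domains."""
    labels = host.lower().split(".")
    if any(label.startswith("xn--") for label in labels):
        return True
    return bool(suspicious_chars(host))


def classify_url(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> str:
    """Classify a URL as 'trusted', 'lookalike', 'untrusted' or 'invalid'.
    Lookalike detection runs first: a homoglyph host must never be
    promoted to 'trusted' just because its ASCII tail matches."""
    host = urlsplit(url.strip()).hostname  # None when no host is present
    if not host:
        return "invalid"
    if is_lookalike(host):
        return "lookalike"
    return "trusted" if trusted_parent(host, trusted) else "untrusted"
```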
3 - Encourage critical thinking and follow-up messages.
CEO impersonation would be impossible if everyone in the workforce felt empowered to double-check an iffy message that seems to be from the boss. Employees should NEVER be punished for doing a bit of due diligence to ensure a questionable email is valid, even if their suspicions turn out to be unfounded. The alternative is far worse.
4 - Have a clear reporting protocol.
Ideally, your organization should have a clear, standardized protocol in place for reporting suspected phishing attempts and investigating their veracity. This would likely be handled by IT or your security team, depending on your organizational setup. Sometimes IT can trace such emails back to their source and block them, or potentially even alert law enforcement.
5 - Do live tests.
There's simply no better way to know if your staff are properly trained to resist phishing and other social engineering scams than to have professionals conduct a live simulated attack. So-called "white hat hackers" are security experts who make their living testing businesses' security and delivering reports on whether that security could be subverted.
These tests are entirely safe, and no protected data will actually be compromised. The "attackers" will always stop short of doing real harm. They simply show you how harm could be done by a malicious agent.
Hummingbird Networks can be your partner in creating a highly effective security setup, from initial deployment to penetration testing. You can read about our services here, then contact us to keep yourself safe from scammers.
Think you're a phishing expert now? See if you can catch all of the phish!