The phishing attack is the most recognized kind of social engineering attack, and yet it remains a continual digital bane for enterprises of all sizes. Phishing attacks constitute over 25% of all enterprise fraud, and according to recent findings by Sophos, 44% of businesses experience at least one phishing attack a day and 77% experience at least one a month.
Why does the relatively low-tech phishing attack persist in the hacker’s toolbox? It might be because it takes advantage of your largest digital attack vector: your employees. In a statement, Sophos’ Senior Security Expert John Shier said: “As the quality of phishing emails has improved it is important to remember that some recipients will get fooled. Users are the first line of defense against a successful phishing attack. While education is an important part of keeping an organization secure, so is the user’s [responsibility] to report suspected phishing attempts.”
Literally anyone in your enterprise could be targeted by a phishing attack, disguised as anything from day-to-day business concerns to personal affairs. A single personal slip-up could cost your enterprise millions of dollars.
While we have given some passing advice on digital hygiene in relation to phishing attacks, you need to train your employees and privileged users to recognize a phishing attack before it is too late. Here are the skills you need to train your employees in:
Even the Ordinary Email Could be a Phishing Attack
In the world of identity and access management, there is a concept called “zero trust”: no user, device, or request is trusted by default, whatever network it arrives from, and each one must be authenticated and authorized before it is granted access. Your employees should carry this same attitude into all of their digital activities, and your enterprise should do everything it can to foster their suspicions.
This isn’t idle advice. The most common kind of phishing attack, according to Sophos, is dressed as an ordinary email saying the employee has been assigned a task in one of their workflow applications. Other popular pretexts include claiming the employee left their car lights on or that an annual employee survey is due.
Short of an exploitable bug in the mail client, simply opening a message does not compromise a machine (although remote images can tell the sender that the address is live); the damage comes when the employee clicks the link, opens the attachment, or types credentials into the page it leads to. These seemingly mundane emails are built to get exactly that click, so an employee with a gut suspicion about one should alert the IT security team immediately rather than take the risk. Better safe than sorry in the digital world.
Intimidation is Key to the Phishing Attack
A sense of urgency does disastrous things to the human mind: it can foster desperation, snap decisions, and irrational choices with little more than a suggestion. Hackers have long since figured this out, which is why the common phishing attack will often rely on this to trigger emotional responses in your employees.
What is more variable is how that sense of urgency is manufactured. Some phishing emails will attack the employee’s role by claiming an important enterprise account (such as a bank account) has been compromised, seized, or will be shut down. Other attacks will go more personal, insinuating that the employee did something wrong (traffic violations being a popular choice). Still others will pose as a government agency like the FBI to make this accusation seem far more intimidating.
As you are fostering proper suspicions in your employees, teach them to be wary of any intimidation tactic that arrives by email. Government agencies do not threaten people by email, and a bank cannot seize assets because of a single unanswered message. Encourage employees to trust their doubts and to verify the request with the sender through a channel the email did not supply, such as the phone number on the institution’s official website, even when the sender appears to work for your enterprise. Phishing attacks often appear to come from inside the house, so to speak. Don’t let them get away with it.
Think It’s a Phishing Attack? Look at the URLs
If you suspect a phishing attack, the common rule of thumb is to hover over any embedded link in the email to reveal where it actually points. If the real destination doesn’t match the text of the link or the site the email claims to be from, it’s probably a phishing attack. Your employees should report it to the IT security team so other employees don’t fall for it. Additionally, employees should be trained to recognize malicious domains and how they try to disguise themselves as legitimate: a brand name used as a subdomain of an unrelated domain, a one-character misspelling of the real name, or a shortener or redirect that hides the final destination.
However, hackers have become more sophisticated on this front. Hovering does show the real target, but that target can be made to look plausible: an open redirect on a legitimate site, a URL shortener, or a convincing lookalike domain will all survive a quick hover check. Again, foster the sense of zero trust and give your employees the good instincts they need to say no to a suspicious email. “When in doubt, don’t click” should be the motto.
Also, employees should keep an eye out for emails that claim to come from a bank, government agency, or established vendor but are sent from a public webmail address such as Gmail. Those institutions send from their own domains, so treat such a message as a phishing attack. The same goes for a display name such as “IT Helpdesk” sitting over an address at an unrelated domain.
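The link and sender checks described above can be automated for first-pass triage of reported messages. The following is an added example written for this page, not code from the original article or from Sophos. It parses a constructed sample message and flags three things: anchor text that is itself a URL but differs from the real href, target domains that impersonate a known brand (the brand as a subdomain of an unrelated domain, or a one-character substitution), and a sender that uses a free webmail domain. The brand list, the free-mail list, and every domain in the sample are made up for the demo.

```python
"""Phishing triage helper (added example; not the article's or Sophos' code).
Brand list, free-mail list and the sample message are constructed for the demo.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands your organisation expects mail from (illustrative names).
KNOWN_BRANDS = {"examplebank.com", "workflow-app.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed sample: free-mail sender posing as a bank, a link whose visible
# text is a bank URL but whose href is not, and a one-character lookalike.
SAMPLE = """\
From: Example Bank Security <examplebank.alerts@gmail.com>
To: employee@corp.example
Subject: Action required: your account will be suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in within 24 hours to keep your account open:</p>
<p><a href="https://examplebank.com.login-verify.net/session">https://login.examplebank.com/</a></p>
<p>Or use our backup portal: <a href="https://examp1ebank.com/auth">secure portal</a></p>
<p>Questions? <a href="https://examplebank.com/contact">Contact us</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); use a public suffix list for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_brand(host, brands):
    """Return the brand a host impersonates, or None if the host is the brand
    itself or unrelated. Catches the brand label used as a subdomain of another
    domain and a single-character substitution in the registrable name."""
    labels = host.lower().split(".")
    reg = registrable_domain(host)
    for brand in brands:
        if reg == brand:
            return None  # genuinely the brand's own domain
        brand_label, reg_label = brand.split(".")[0], reg.split(".")[0]
        if brand_label in labels:
            return brand
        if len(reg_label) == len(brand_label) and \
                sum(a != b for a, b in zip(reg_label, brand_label)) == 1:
            return brand
    return None


def analyze(raw_message):
    """Return findings as tuples; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if sender.domain.lower() in FREE_MAIL_DOMAINS:
        findings.append(("free-mail-sender", sender.domain.lower()))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for href, text in extractor.links:
        target = (urlparse(href).hostname or "").lower()
        # Visible text that is itself a URL but points at a different site.
        if re.match(r"https?://", text):
            shown = (urlparse(text).hostname or "").lower()
            if registrable_domain(shown) != registrable_domain(target):
                findings.append(("text-href-mismatch", shown, target))
        brand = looks_like_brand(target, KNOWN_BRANDS)
        if brand:
            findings.append(("lookalike", target, brand))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding)
```

Running it against the sample yields four findings: the Gmail sender, the mismatch between the shown login URL and the real target, and two lookalike targets. The registrable-domain helper is deliberately crude (last two labels), so replace it with a public suffix list before trusting it on real mail, and note that open redirects and URL shorteners will pass these checks, which is exactly why “when in doubt, don’t click” still has to be the rule.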
The Phishing Attack and Poor Spelling Go Together
Any major institution will make sure their official communications are checked for proper spelling, grammar, regulatory compliance, and brand messaging. While no writer is ever 100% perfect, consistent errors in an ostensibly legitimate message from another department, employee, or official third party usually means it is a phishing attack in a poor disguise.
Other errors indicative of a phishing attack include mismatched color schemes, incorrect branding messages, or incorrect contact information. Train your employees to be vigilant in examining emails for any sign that it might be a phishing attack. It’s not paranoia because hackers really are out to get you.
Have a Plan in Place
This shouldn’t just be a training plan to instill these lessons in your employees (although that is also crucial). This also means making sure you have a clear chain of communication for suspected or confirmed phishing attacks and that you have a known and understood incident response plan in case a phishing attack breaks through your perimeter.
Remember: while your employees are your largest attack vector, they are also human and make mistakes. If you react too harshly to one of them falling for a phishing attack, you discourage others from coming forward if they fall victim to another—hurting your enterprise far more in the long run.