![\"phishing](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/01\/phishing-mod.jpg\")
<\/p>\n<\/p>\n
The phishing attack is the most recognized kind of social engineering attack, and yet it remains a continual digital bane for enterprises of all sizes. Phishing attacks constitute over 25% of all enterprise fraud, and according to recent findings by Sophos 44% of businesses experience at least one phishing attack a day. 77% experience one attack a month. \u00a0<\/span><\/p>\n Why does the relatively low-tech phishing attack persist in the hacker\u2019s toolbox? It might because it takes advantage of your largest digital attack vector: your employees. In a statement, Sophos\u2019 Senior Security Expert John Shier said: \u201cAs the quality of phishing emails has improved it is important to remember that some recipients will get fooled. Users are the first line of defense against a successful phishing attack. While education is an important part of keeping an organization secure, so is the user\u2019s [responsibility] to report suspected phishing attempts.\u201d <\/span><\/p>\n Literally anyone in your enterprise could be targeted by a phishing attack, disguised as anything from day-to-day business concerns to personal affairs. A single personal slip-up could cost your enterprise millions of dollars. <\/span><\/p>\n While we have given some passing advice on digital hygiene in relation to phishing attacks, you need to train your employees and privileged users to recognize a phishing attack before it is too late. Here are the skills you need to train your employees in: <\/span><\/p>\n In the world of identity and access management, there is a concept called \u201czero-trust.\u201d It refers to enterprises not trusting any user until it can definitively prove it is trustworthy. Your employees should carry this same attitude into all of their digital activities, and your enterprise should do everything it can foster their suspicions.<\/span><\/p>\n This isn\u2019t idle advice. The most common kind of phishing attack, according to Sophos, are dressed as ordinary emails saying the employee has been assigned a task on one of their workflow applications. Other popular choices including claiming the employee left their car lights on and that there is an annual employee survey. <\/span><\/p>\n Modern phishing attacks will often trigger just upon being opened, so these seemingly mundane emails can cause massive headaches if your employees fall for them. If your employees have a gut suspicion about an email, they should alert your IT security team immediately rather than taking the risk. Better safe than sorry in the digital world. <\/span><\/p>\n A sense of urgency does disastrous things to the human mind: it can foster desperation, snap decisions, and irrational choices with little more than a suggestion. Hackers have long since figured this out, which is why the common phishing attack will often rely on this to trigger emotional responses in your employees. <\/span><\/p>\n What is more variable is how that sense of urgency is manufactured. Some phishing emails will attack the employee\u2019s role by claiming an important enterprise account (such as a bank account) has been compromised, seized, or will be shut down. Other attacks will go more personal, insinuating that the employee did something wrong (traffic violations being a popular choice). Still others will pose as a government agency like the FBI to make this accusation seem far more intimidating. \u00a0\u00a0\u00a0\u00a0\u00a0<\/span><\/p>\n As you are fostering proper suspicions in your employees, teach them to be wary of any intimidation tactic that comes through on email. The U.S. Government does not blackmail people and banks cannot just seize assets after a single missed email. Encourage them to trust their doubts and to reach out to the sender directly (using the phone number on their official website) to verify its accuracy <\/span>even if the sender works for your enterprise<\/span><\/i>. Phishing attacks will often disguise themselves as coming from inside the house if you will. Don\u2019t let them get away with it. \u00a0<\/span><\/p>\n If you suspect a phishing attack, the common rule of thumb is to hover over any embedded URL in the email to see the hyperlink. If the hyperlink doesn\u2019t match the URL, then it\u2019s probably a phishing attack. Your employees should report it to the IT security team so other employees don\u2019t fall for it. Additionally, employees should be trained to recognized malicious domains and how they try to disguise themselves as legitimate. <\/span><\/p>\n However, hackers have become more sophisticated on this front and have begun to falsify the hyperlink information even when hovered on. Again, foster the sense of zero-trust and give your employees the good instincts they need to say no to a suspicious email. \u201cWhen in doubt, don\u2019t click\u201d should be the motto. <\/span><\/p>\n Also, employees should keep an eye out for emails from institutions or businesses using a public email like Gmail. This will never happen. It\u2019s a phishing attack. \u00a0<\/span><\/p>\n Any major institution will make sure their official communications are checked for proper spelling, grammar, regulatory compliance, and brand messaging. While no writer is ever 100% perfect, consistent errors in an ostensibly legitimate message from another department, employee, or official third party usually means it is a phishing attack in a poor disguise.<\/span><\/p>\n Other errors indicative of a phishing attack include mismatched color schemes, incorrect branding messages, or incorrect contact information. Train your employees to be vigilant in examining emails for any sign that it might be a phishing attack. It\u2019s not paranoia because hackers really are out to get you. <\/span><\/p>\n This shouldn\u2019t just be a training plan to instill these lessons in your employees (although that is also crucial). This also means making sure you have a clear chain of communication for suspected or confirmed phishing attacks and that you have a known and understood incident response plan in case a phishing attack breaks through your perimeter. <\/span><\/p>\n Remember: while your employees are your largest attack vector, they are also human and make mistakes. If you react too harshly to one of them falling for a phishing attack, you discourage others from coming forward if they fall victim to another\u2014hurting your enterprise far more in the long run.<\/span><\/p>\n Other Resources:<\/strong><\/p>\n Get Your Employees to Embrace SIEM Best Practices!<\/a><\/p>\n 4 Tips to Make Data Breach Detection Easier For Your Enterprise<\/a><\/p>\n Enterprises: Don\u2019t Become Complacent in Your Cybersecurity!<\/a><\/p>\n How to Make Your SIEM Solution Deployment Easier for Your Enterprise<\/a><\/p>\n Comparing the Top SIEM Vendors \u2014 Solutions Review<\/a><\/p>\n How UEBA Can Prevent Insider Threats in your Enterprise<\/a><\/p>\n SIEM vs Security Analytics: What\u2019s the Difference?<\/a><\/p>\n
Widget not in any sidebars
<\/p>\nEven the Ordinary Email Could be a Phishing Attack<\/b><\/h3>\n
Intimidation is Key to the Phishing Attack<\/b><\/h3>\n
Think It\u2019s a Phishing Attack? Look at the URLs<\/b><\/h3>\n
The Phishing Attack and Poor Spelling Go Together<\/b><\/h3>\n
Have a Plan in Place <\/b><\/h3>\n