Welcome to the third and final post in our three-part phishing series. In part one and part two we covered what phishing attacks are, why they are so dangerous, and some technological controls that limit them. No matter how carefully a systems administrator tunes mail filtering, some phishing messages will still reach the inbox. This is where user training comes in, and why teaching employees how to recognize and avoid phishing is necessary to keep your organization secure.
How to Avoid Phishing
Many phishing attacks are designed to look like ordinary emails from a colleague, customer, or business associate. Training every team member to be cautious and vigilant is a critical part of thwarting them. Here are some tips for phishing prevention:
- All team members should be taught how to examine the "From" address on an email so they can see the true domain the message came from. The display name can be set to anything (including a legitimate colleague's name or address), so the check must be on the actual address, and on whether its domain is exactly the expected one rather than a look-alike such as a swapped letter or an extra word.
- Users should be trained to identify the real destination of a hyperlink, whether the link text shows a URL or not. This can be done by hovering over the link to expose the true address, or by right-clicking, copying the link address, and pasting it into a text editor. Malicious actors may use URL shorteners to hide the phishing link even further, so users need to know how to unshorten those URLs. The easiest way is a service such as http://checkshorturl.com, which shows the long address behind a shortened URL without visiting it.
- Team members should be trained to use URL reputation lookups such as Google Safe Browsing's site status check or Norton Safe Web. These services let you enter a URL and report whether the site is known to be malicious or suspicious. They are not foolproof (a freshly registered phishing domain may not be listed yet), but they give some idea of whether a site should be trusted without actually visiting it.
- Teach all users that a message from an external address asking them to click a link or download a file should not be trusted until they have verified the sender. If they are not absolutely sure who the sender is, or they are being asked to do something in an unusual way, they should report the email to IT and wait for instructions. Malicious actors often try to confuse or mislead users into clicking a link or opening an attachment by presenting a receipt, invoice, or form the user supposedly needs to act on. A user who is suspicious or unsure of an email needs a simple way to reach someone in IT for more information.
- Users should be trained not to trust a site just because it uses a valid TLS (SSL) certificate. As discussed in the earlier posts, a valid certificate and a padlock icon only mean the connection is encrypted; they do not mean the site is legitimate, and attackers can obtain valid certificates for look-alike domains. Users should also understand that clicking a link can be as dangerous as submitting credentials and can have devastating effects on an organization. Malicious attachments spread malware easily; the most common vectors are Microsoft Word documents that use macros to download a payload and PDF documents carrying malicious code. Users should be aware of just how dangerous downloading and opening these attachments can be.
- If it seems too good to be true, it probably is. Malicious actors try to entice users in many ways, including promises of money or prizes. Train users to verify these emails with IT or their manager before responding to or interacting with them. Another common tactic is to create a sense of urgency by imposing a deadline or threatening a negative outcome if the user does not act quickly. Again, users should verify the legitimacy of such emails before clicking anything.
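The sender and link checks above can also be automated for triage, for example when IT receives a reported message. The following script is an added example written for this post, not part of the original series or any product it mentions: it parses a constructed sample email (all addresses and domains in it are made up), pulls the real sender domain out from behind the display name, compares the visible link text with the actual link target, flags common URL shorteners, and flags links to file types that execute code when opened. The shortener list and the extension list are assumptions chosen for the example, and the domain comparison uses a naive "last two labels" rule rather than a public-suffix list.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for this example; addresses, domains and links are made up.
SAMPLE_EML = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@example-com.support>
Reply-To: recovery@mailbox-recovery.example.net
To: jane@example.com
Subject: Action required: mailbox quota
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. Sign in within 24 hours to avoid suspension:</p>
<p><a href="https://bit.ly/3xyzabc">https://portal.example.com/login</a></p>
<p>Or download the <a href="http://example-com.support/invoice.docm">invoice form</a>.</p>
</body></html>
"""

# Assumed lists for the example: well-known public shorteners, and extensions
# that run code (macros, scripts, executables) when the file is opened.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXT = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".hta", ".scr", ".iso", ".lnk")


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def as_url(text):
    """Parse a URL; bare 'host/path' text (as shown in link text) is treated as http."""
    return urlsplit(text if "://" in text else "http://" + text)


def registered_domain(host):
    """Last two labels of a host. Naive: no public-suffix list, so 'example.co.uk' mis-splits."""
    return ".".join(host.lower().split(".")[-2:])


def header_domain(msg, field):
    """(display name, registered domain) of the first address in a header, or ('', '')."""
    header = msg[field]
    if not header or not header.addresses:
        return "", ""
    addr = header.addresses[0]
    return addr.display_name, registered_domain(addr.domain)


def analyze(raw):
    """Return a list of human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, sender_dom = header_domain(msg, "From")
    # 1. Display name embeds an address whose domain differs from the real sender domain.
    for embedded in re.findall(r"[\w.+-]+@([\w.-]+)", name):
        if registered_domain(embedded) != sender_dom:
            flags.append(f"display name shows @{embedded} but mail is really from @{sender_dom}")
    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_dom = header_domain(msg, "Reply-To")
    if reply_dom and reply_dom != sender_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {sender_dom}")
    # 3. Links: shorteners, visible-text/target mismatch, and downloads of code-bearing files.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        target = as_url(href)
        host = (target.hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened URL {href}: unshorten it before trusting")
        if re.match(r"(https?://|www\.)", text) and (as_url(text).hostname or "").lower() != host:
            flags.append(f"link text shows {as_url(text).hostname} but points to {host}")
        if target.path.lower().endswith(RISKY_EXT):
            flags.append(f"link downloads a file type that can run code: {href}")
    return flags


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the script reports five red flags: the mismatched address in the display name, the Reply-To pointing at a third domain, the shortened link, the link text that advertises one host while pointing at another, and the macro-enabled document. It deliberately never follows a link; unshortening and reputation lookups are left to the services mentioned above so that triage does not itself touch the attacker's infrastructure.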
Build a Security-Conscious Company Culture
Train all users to be cautious as the last line of defense, but also make sure they know the IT team is accessible and would rather investigate an email that turns out to be harmless than have to backtrack and remediate a phishing incident. It is always easier to stop a phishing attack before it happens than to investigate and clean up after the fact. Users should also be taught to immediately report any incident where they may have fallen for a phishing attempt, rather than sweep it under the rug and hope no one finds out; the sooner IT knows, the sooner credentials can be reset and the damage contained.
Many phishing attempts that impersonate an internal sender succeed because of a lack of communication. Users should be taught ways to verify a sender other than replying over email, since a reply goes straight back to the attacker. For example, get secondary verification by walking over to the supposed sender in person and asking about the email, or by calling them at a number already known to be theirs, not one provided in the message.
Once you have trained your team and built a security-conscious culture, periodic phishing tests are an effective way to check whether the training is working. If the tests reveal gaps, schedule a follow-up awareness training. We also recommend post-test communication with the entire organization to review the simulated phishing emails that succeeded and point out the red flags users should have picked up on.
We hope you have found our phishing blog series educational! Please contact us if you need help with general security training or would like to schedule phishing or social engineering testing.