Don’t Get Hooked!


Phishing awareness education can save money and reputation, protect assets and keep you from becoming front-page news. Phishing is a social engineering technique used by cyber criminals to trick the recipient into giving up valuable information. Unlike a bank robber, these thieves cleverly craft emails to deceive the user into taking an action that produces a bountiful harvest for the crook. The treasure could be money transfers or gift card codes; it might be a quest for personal information such as credit card numbers, banking details, social security numbers or login credentials.

These miscreants are very clever in their tactics. The emails may look like they come from legitimate companies you do business with. They may litter the body of the email with familiar-looking logos and shortened links that hide the links’ true destinations. These links may send the user to an official-looking website or portal. The message may appear to have come from an administrator or co-worker; this is called spoofing. At first glance, it looks like a familiar name with its associated email address. If you respond to the email by clicking reply, check that the address in the To field matches the one you would expect for that sender.
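As an added illustration of the reply-address check described above (this is example code, not part of the original post), the following Python script parses a constructed sample message and flags a Reply-To domain that differs from the From domain, shortened links in the body and urgency wording in the subject. The addresses, domains and shortener list are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message modelled on the spoofing and shortened-link
# patterns described above (hypothetical addresses and domains).
SAMPLE_MAIL = """\
From: "IT Helpdesk" <it-helpdesk@example.com>
Reply-To: it-helpdesk@mail-example.net
To: staff@example.com
Subject: Urgent: your mailbox will be suspended today
Content-Type: text/plain

Your account upgrade is overdue. Verify within 2 hours:
https://bit.ly/3xYz12 or visit https://portal.example.com/login
"""

# Link shorteners that hide a link's true destination (assumed list).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|suspend|immediately|within \d+ hours?)\b", re.IGNORECASE)

def domain_of(addr):
    """Return the lower-cased domain part of an email address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phish_indicators(raw):
    """Return a list of indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Spoofing check: a reply would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain mismatch: {domain_of(from_addr)} vs {domain_of(reply_addr)}")
    # Shortened links hide their true destination.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for host in URL_RE.findall(body):
        if host.lower() in SHORTENER_DOMAINS:
            findings.append(f"shortened link: {host}")
    # Urgency wording pressures the recipient to act without thinking.
    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("urgency language in subject")
    return findings

if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE_MAIL):
        print("-", finding)
```

These heuristics are a teaching aid for what to look at, not a replacement for mail-gateway controls.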

Phishing is effective. That is why cyber creeps use it. These emails prey on the user by threatening consequences, implying a sense of urgency to act and taking advantage of the human desire to help.

Common phishing scams include:

  • A delivery service asking for more information, claiming your delivery is being delayed.
  • Fake invoices.
  • Email account upgrades or suspension.
  • Problems with your online account or bank.
  • HR scams for direct deposit changes or reviews of information.
  • Requests for money transfers or personal information.
  • Requests to purchase gift cards and reveal the activation codes to the requestor.

Here are some tips to ensure your cybersecurity awareness program is successful.

  • Deliver the training in bite-size doses. This makes it easier to focus on the message.
  • Everyone needs this training. Anyone that touches the network is a potential target. Executives, HR and finance departments are prime prey.
  • Change it up. Use contests, gamification, guest speakers, posters and quizzes. Everyone learns differently.
  • Share real life examples. What’s in the news? Mimic current phishing campaigns in your own exercises.
  • Create metrics to measure progress. Report the headway on a regular basis. For example, “Hey folks! Last quarter our staff reported over 50 suspicious emails. Diligence and recognition is helping to keep us safe!”
  • Use positive language and reinforcement. Change those cyber risk attitudes from fear to fierce.
  • Don’t limit your training to email phishing. There are other social engineering tactics that use the phone, text messaging and social media.

Technology controls can assist with keeping these scams from landing in users’ inboxes, but raising awareness of what a phish looks like and how to report suspicious emails is an integral part of an organization’s multi-layered cybersecurity defenses. Security awareness should be an ongoing process. People need reminding.