Next-Gen Phishing Training

New AI-tuned phishing attempts warrant a re-evaluation of user phishing training. AI chatbots can now generate email bodies that are not only grammatically correct but also match the style and tone of a legitimate sender, so spelling and grammar mistakes are no longer a reliable tell. It is time to take another look at this training. Here are tips for user training topics, with sample wording to send to users, based on current attack trends:

Threat: Dynamic DNS Subdomains

Reports indicate an increase in abuse of dynamic DNS services as a phishing vector. An attacker registers a free subdomain under a dynamic DNS provider's domain and puts the impersonated organization's name in the left-hand part of the hostname, so the link looks familiar at a glance while the domain that actually controls the site belongs to the provider, not to the organization being imitated.

User Training Example:

When checking a link, find the domain (the part between "https://" and the next "/"), start at the far right (.com/.org/.us/.net/etc.) and then look at the name immediately to its left. That pair is the domain that actually controls the website; anything further to the left can be made to say whatever the sender wants. Report emails as phishing when that pair does not match the sender's organization, for example:

  • duckdns.org
  • lflinkup.org
  • ns02.us
  • serveuser.com
  • dns2.us
  • dynamic-dns.net
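The same right-to-left check can be automated for mail-gateway triage or a reporting workflow. The following is an added example, not code from the original page: it extracts the domain that actually controls a link's destination (the rightmost label plus the one to its left), flags the dynamic DNS provider domains listed above, and reports any link whose controlling domain does not belong to the claimed sender. The list of multi-label public suffixes is an assumption kept deliberately small; production code should use the full Public Suffix List.

```python
"""Automate the 'start at the far right of the domain' link check."""
from urllib.parse import urlsplit

# Dynamic DNS provider domains from the training list above.
DYNAMIC_DNS_DOMAINS = {
    "duckdns.org", "lflinkup.org", "ns02.us",
    "serveuser.com", "dns2.us", "dynamic-dns.net",
}

# Assumption: a small, illustrative set of multi-label public suffixes so the
# controlling domain is computed correctly for them. Real deployments should
# load the full Public Suffix List instead of this hard-coded set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the domain that controls the URL's destination.

    This is the rightmost label plus the one immediately to its left
    (or one more label when the right-hand pair is itself a public suffix).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops userinfo and port and lower-cases the result, so the
    # trick 'https://example.com@evil.duckdns.org/' resolves to the real host.
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host          # bare word or empty host: nothing to check
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, sender_domains: set[str]) -> str:
    """Return 'report' for links a user should report, 'ok' otherwise.

    A link is reported when its controlling domain is a known dynamic DNS
    provider or does not belong to the sender's organization (the set of
    domains the organization legitimately uses, supplied by the caller).
    IP-literal links fall through to 'report' because they match no sender.
    """
    base = registrable_domain(url)
    if not base or base in DYNAMIC_DNS_DOMAINS:
        return "report"
    if base in {d.lower() for d in sender_domains}:
        return "ok"
    return "report"


if __name__ == "__main__":
    # Constructed sample links; the sender claims to be example.com.
    for link in (
        "https://mail.example.com.evil.duckdns.org/login",
        "https://example.com@evil.serveuser.com/",
        "https://portal.example.com/login",
    ):
        print(classify_link(link, {"example.com"}), registrable_domain(link), link)
```

Note that the user-facing wording above asks people to compare only the right-hand pair of labels; the code does the same, which is why a hostname such as mail.example.com.evil.duckdns.org is reported even though it begins with a legitimate-looking name.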

Threat: DKIM Replay Attack

This month a phishing attempt circulated, appearing to be a subpoena from Google. The email passed DKIM, looked very similar to legitimate Google alerts, and used Google Sites to continue the scam. In a DKIM replay, the attacker obtains a message that the legitimate sender really did sign and re-sends that unaltered message to new recipients; because the signed headers and body are unchanged, the signature still verifies. A DKIM pass therefore only shows that the content was signed at some point by that domain, not that it was sent to the recipient who now holds it or that the links inside are safe.
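For the mail team rather than end users, a replayed message often carries tell-tale signs in the DKIM-Signature header itself. The following is an added example, not code from the original page or from any vendor: it parses the DKIM-Signature tag list and applies three triage heuristics (whether the signing domain d= aligns with the visible From domain, whether the signed To header matches the mailbox that actually received the message, and whether the l= body-length tag is present, which lets content be appended after the signed portion). The sample message is constructed, and the use of a Delivered-To header as the actual-recipient marker is an assumption; which header carries that information depends on the receiving mail system. These checks do not verify the signature cryptographically, which requires DNS lookups and a DKIM library.

```python
"""Triage heuristics for a suspected DKIM replay (no cryptographic verification)."""
import email
from email.utils import parseaddr

# Constructed sample: a message whose signature covers a To header naming
# the original recipient, but which was delivered to a different mailbox.
# The bh= and b= values are placeholders, not real hashes or signatures.
SAMPLE_RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
  h=from:to:subject:date:message-id; bh=abc=; b=xyz=
From: Alerts <no-reply@example.com>
To: original-recipient@example.net
Delivered-To: victim@example.org
Subject: Notice of legal process
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-ID: <1@example.com>

Body text
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace inside values is removed, so multi-line h= lists
    come back as a single colon-separated string.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def replay_indicators(raw_message: str) -> list:
    """Return human-readable findings that suggest a replayed message."""
    msg = email.message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if not sig:
        return ["no DKIM-Signature header present"]

    tags = parse_dkim_tags(sig)
    signed_headers = set(tags.get("h", "").lower().split(":"))
    findings = []

    # 1. Alignment: the signing domain should match the visible From domain.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    signing_domain = tags.get("d", "").lower()
    if signing_domain != from_domain:
        findings.append(
            f"signing domain d={signing_domain} does not align with From domain {from_domain}"
        )

    # 2. Recipient: a signed To header that names someone other than the
    #    actual recipient is the classic replay signature.
    if "to" not in signed_headers:
        findings.append("To header is not covered by the signature; recipients can be changed freely")
    else:
        signed_to = parseaddr(msg.get("To", ""))[1].lower()
        delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()  # assumption: see lead-in
        if delivered_to and signed_to != delivered_to:
            findings.append(
                f"signed To {signed_to} differs from actual recipient {delivered_to}: possible replay"
            )

    # 3. Body length limit: with l= set, anything appended after the signed
    #    bytes is not covered, so a replayed message can carry new content.
    if "l" in tags:
        findings.append("l= body length tag present: content can be appended after the signed portion")

    return findings


if __name__ == "__main__":
    for finding in replay_indicators(SAMPLE_RAW):
        print("-", finding)
```

A message that trips the recipient check is not proof of abuse (legitimate forwarding produces the same pattern), which is why the output is a list of findings for an analyst rather than a verdict.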

User Training Example:

Legitimate email accounts can be compromised, and email messages can appear to be sent from someone who did not actually send the message. Even if an email appears to come from someone you know or an organization you trust, still keep your lens of suspicion. 

Re-emphasize the Classics: Scare Tactics

As seen in the DKIM replay attack (posing as a subpoena), threat actors see success when they generate fear. Focusing on scare tactics as a vector gives users a broad lens for spotting scams, regardless of how polished the message looks.

User Training Example:

Be wary of any email message that tries to scare you. Even if the email seems to come from a legitimate person or organization, stop and think: Is this trying to scare me into acting quickly?

  • Stop, remain calm, and think critically for any email that creates panic.  
  • Use another means to contact the individual or organization to verify.
  • Research online to see if this is a known scam. 
  • Ask your information technology support for help determining if the message is legitimate.

Examples of potential scare-tactic email topics: 

  • subpoenas
  • taxes
  • bills
  • extortion
  • current news events

Emphasizing Reporting 

The first step in stopping an attack is knowing the attack is occurring. Users are an organization’s “boots on the ground”. Encouraging user reporting improves the organization’s cybersecurity culture while expanding the threat intelligence network. Make sure the reporting process is clear and simple. 

User Training Example:

If you click a link in an email and are asked to log in: STOP. Contact the sender by another means to verify (for example, a phone call to a known valid number). If you are unable to verify the legitimacy of the message, or if the message is confirmed to be a scam, report it to your technology support.

Clicking Links

Now is the time to update this training; many users have their email on their cell phone. Make sure to include coaching for how to check links via their mobile devices as well as how to report phishing from this device.  In addition, educate on treating QR codes with a lens of suspicion. 

User Training Example:

When using a cell phone, preview where a link in an email goes by pressing and holding on the link. A preview of the link shows on your phone. Similarly, when you scan a QR code with your phone's camera app, a preview of the link shows on the screen. Apply the same right-to-left domain check to the previewed address, and if the preview shows only a shortened or cut-off address so that you cannot read the full domain, do not open it. Maintain a lens of suspicion whenever you click on links or scan QR codes with your cell phone.

User training should never be ignored. Keep your user training current and relevant, to reduce the threat of user-initiated cyber incidents.