Have You Prepared Your Employees to Catch Phishing Attempts?

While it initially sounds promising to hear that the number of data breaches seen last year went down significantly, it is important to recognize that the number of data records leaked as a result more than doubled. One clear cause was the resurgence in the use of the underhanded malware variety known as ransomware. With this suggesting an increased threat of ransomware incoming, can you confidently say that your business’ team is ready to deal with it?

For your business’ data and operations to remain secure, you will need to take a two-pronged approach—both teaching your team to avoid phishing and evaluating them on their overall preparedness through simulated attacks.

How a Phishing Attack is Carried Out

To start, let’s review the overall process that the average phishing attack tends to follow:

1. Posing as someone else, an attacker sends a message.
2. This message can be written in a few different ways, framed as an enticing offer, a very unremarkable email, or a serious alert.
3. Whatever the case may be, the user is encouraged to react by opening an attachment or following a link.
4. Because these elements are what introduces the actual threat, these emails can often bypass security protocols and reach the unsuspecting target.

This—and the fact that a phishing attack against you is practically guaranteed to happen at some point—is precisely why it is so important that your team is prepared to spot them as they come in.

Elements to Identifying a Potential Phishing Attack

Have Your Team Think Like a Hacker

Hackers and scammers are unfortunately very crafty when it comes to their schemes, often tying in current events to add some perceived legitimacy. The past year has seen no shortage of COVID-19-themed phishing attacks, seeming to offer updates and information.

Hackers rely on user panic and impulsive reactions, so reinforce the importance that your users take an extended look at them before acting on them.

Demonstrate Risky Links

Hackers will also commonly use spoofed links to fool their targets. A spoofed link can take a few forms, but regardless of how it looks, it will direct a user to a website different from the one they expected to go to.

Spotting these links can be tricky, so here are a few best practices to follow. Let’s assume that the spoofed link is meant to look like one that directs to the payment application Venmo as we go through some examples:

If the email is from Venmo, a link should lead back to venmo.com or accounts.venmo.com. If there is anything strange between “venmo” and the “.com” then something is suspicious. There should also be a forward slash (/) after the “.com.” If the URL was something like venmo.com.mailru382.co/something, then you are being spoofed. Everyone handles their domains a little differently, but use this as a rule of thumb:

• venmo.com - Safe
• venmo.com/activatecard - Safe
• business.venmo.com - Safe
• business.venmo.com/retail - Safe
• venmo.com.activatecard.net - Suspicious! (notice the dot immediately after Venmo’s domain name)
• venmo.com.activatecard.net/secure - Suspicious!
• venmo.com/activatecard/tinyurl.com/retail - Suspicious! Don’t trust dots after the domain!
• vemno.com – Suspicious! Be careful to pay attention to the spelling!

As you can imagine, some of these tricks are easier to spot than others, so extra diligence will be called for here.

Provide Your Team with Approved Links

To be particularly cautious, you could also consider giving your team the safe versions of the URLs they are to use. That way, they can seriously investigate the validity of an email without exposing themselves to risk.

Maintain Secure Password Standards

Finally, you need to ensure that your team’s passwords are secure enough that your business isn’t vulnerable that way—because if passwords are too easy to deduce, there isn’t going to be any need for phishing in the first place. Your team should also be supplementing these passwords with additional measures like two-factor authentication, making a breach that much more challenging for a hacker to pull off.

Testing Your Team

Once you’ve taught your team the various things they’ll need to know, you should also confirm that they can apply them. A phishing test is an effective means of doing just that. In a phishing test, you have your own team members phished to evaluate how vulnerable they are to this form of attack. That way, you know where more training needs to be applied.

What a Successful Phishing Test Involves

An effective phishing test, naturally, cannot be one that is expected. Any warning you give should be vague so that your team isn’t on their guard more than they would normally be.

At the same time, you need to be ethical in how you run these tests. Too many companies have received backlash after running phishing tests with questionable tactics, and such tests don’t do much to benefit your security. As with everything else, your phishing tests cannot infringe on the trust of your team.

Speaking of trust, you can trust EZ MSP to assist you with your security needs. Call (914) 595-2250 to find out more.