Written by André Schindler, EMEA General Manager at NinjaOne
There are technologies to limit and monitor the number of phishing emails coming into your business. Still, at the end of the day, people are the last line of defense against social engineering attacks like this.
At some point, you will be targeted as an employer or an MSP. Instead of locking everything up and slowing down business communication, staff at every level, including the c-suite, need to be equipped to recognize phishing emails, so that the worst happens in a training environment and not for real.
To begin with, employees should be educated on the hallmarks of a social engineering phishing attack and on how they can be aware of where their information is published across the Internet.
Features of a Social Engineering Phish
Examine your digital footprint
The best cybercriminals will take time to do their homework on the next victim. By scrolling through social media feeds related to the person’s name and by scouring Google for any available information about the potential victim, they can gather information about the person’s habits.
Examples include places they frequent, such as a favorite gym or restaurant, and even the collection of personal information such as date of birth or home address.
Imagine if you post repeatedly about how much you love a local coffee shop on social media. There may even be a post about that local coffee shop on your story as you read this post.
The attacker could create a persuasive phishing email that appears to be a coupon code coming from that local coffee shop or vendor with whom they partner.
With this type of information floating around the web, victims are more likely to fall for scams that leverage this type of personal information.
Creating social pressure to click
“It simply came to our notice then. People are always at risk for certain things and as current events unfold, the way people are vulnerable and respond to them changes.”
In many cases, attackers will use social pressure to make the average user click without thinking twice.
Some examples of this include phishing emails that pose as a request from an executive to a new employee during their first few weeks on the job.
Other situations lean more on emotion, impersonating a friend or colleague who needs immediate help to get out of a predicament.
Both examples use social pressure and raw human emotion to make the victim prioritize clicking over what they learned in security training.
Practical Tips for Identifying Phish
If you see something, say something.
The golden rule here should be to report a potential phishing email, even if the employee already opened the email or downloaded an attachment. Employees need a supportive process and environment for reporting potential phishing emails that they have identified or opened.
Do not subject an employee to a negative or blame-laden environment when they report a phishing email.
At a recent BPA Live Conversation, which included a phishing challenge alongside other IT topics, Connor Swalm, CEO at Phin Security, went further, saying:
“Do not inform your employees about a phishing test on a specific date or time. If you do, they will not open any of their emails on those days, which will reduce business efficiency and communication.”
Hammer home the most common types of phishing attacks
The more experienced employees are at all types of phishing attacks, the better armed they will be at reporting the real thing.
This list, compiled by the Federal Trade Commission, outlines the most common types of phishing attacks, including how some social engineering phishing schemes use emails, text messages, and even phone calls to gather the information needed to execute a hack.
That said, do not create a long technical list of threats. Instead, focus on the most common threats, so that they can be digested by staff throughout the organization. Real-life examples such as those from our BPA Live Conversation also help to add color and help staff understand the realities of the issue.
Encourage caution and follow company policy where possible
Company policies on funds transfers, CEO communications, and the creation of new logins provide a great guide for employees to identify phishing emails.
If, according to company policy, your business does not accept one-off fund transfers for additional services, that policy gives a staff member a simple way to recognize a fraudulent request.
In addition, we recommend that the policy set out what employees should expect in terms of communication from the CEO regarding time-sensitive requests. That way, when new employees come in and see an urgent request in their inbox for $600 in Amazon gift cards, they know that the CEO would not ask for this sort of thing by email.
Security Culture Beats Security Training
“Culture is the most powerful force in mankind.” – Kanye West
All businesses should schedule regular security training on employee calendars, but when security is part of your organizational culture, it is ever-present and consistently on the minds of employees.
Keep the rules simple and easy to understand so that your staff know what is expected of them, and so that they understand they are not only involved in protecting the organization from wrongdoers but are one of the most central parts of that protection.