What is “phishing”? How can we protect our firm from phishing attacks? How can we train our employees to spot a phishing attempt? These are all valid questions, and today we will explore how to recognize phishing and how to protect your firm from it. As we have discussed before, an attacker goes after low-hanging fruit when trying to breach a company’s perimeter, because the return on investment (ROI) is higher for easier exploits. Most of the time, that low-hanging fruit is your employees. It is no wonder, then, that almost half (43%) of data breaches are reported to involve social engineering. With a single click on a malicious attachment or a credential-harvesting page, an attacker can effectively bypass your perimeter security controls and gain a foothold on the internal corporate network. From there it is a matter of escalating privileges, moving laterally, and finding your sensitive data.
Tips To Recognize Phishing
- Sensitive Information Request – A legitimate company or individual should NEVER request sensitive information via email. Be skeptical of any message asking for credentials, tax information, credit card numbers, social security numbers, or similar data. Odds are it is a phishing attempt or scam of some kind: do not click any links, do not open attachments, and do not reply to the sender.
- Email Domain – Look very carefully at the domain of the address used to send the message. Attackers often buy a domain that is very similar to your company’s (or to a vendor’s) to add credibility to their phishing attacks; your domain may be @amazon.com while the message originated from @amaz0n.com. The display name may look correct, but hovering over or clicking the “from” field in most mail clients reveals the sender’s actual address. Note that a look-alike domain is only one trick: the “From” address itself can be forged outright unless the receiving mail system enforces SPF, DKIM and DMARC, so a matching domain is a good sign but not proof. If anything does not match or the spelling seems off, reach out to your IT department to determine whether the domain is legitimate.
- Red Flag Phrases – Certain words and phrases are very common in phishing attacks because they push you to act without thinking. Watch for language that instills urgency (e.g. “if you don’t provide your login information and SSN within 24 hours we’ll repossess your house”), that promises a windfall (e.g. “don’t miss out on this free money”), or that threatens financial or legal harm (e.g. “your inaction may lead to jail time or tax liens”). Slow down and assess the situation rather than acting rashly, and never feel embarrassed to ask your IT team for a second opinion on the legitimacy of a request.
- Poor Grammar – Ever read an email and immediately notice multiple grammar mistakes? Notices and requests for information that are full of errors or look unpolished are frequently illegitimate. The reverse is not true: a well-written message is not proof of legitimacy, since targeted attackers write clean copy and often reuse a real company’s own templates.
- URL Matching – The visible text of a link can say one thing while the underlying address points somewhere else entirely; this is how attackers disguise the URL your browser will actually open. On a desktop, hovering over the link shows the real destination in the status bar or a tooltip; on a phone, a long press usually shows a preview. The destination should match where you would expect to go, and a link whose text shows one domain while its target is another is a red flag in itself. Shortened URLs and redirect links hide the final destination, so treat them with the same suspicion.
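The two checks above (look-alike sender domains and links whose visible text disagrees with their real target) are mechanical enough to script. The following is an added example, not code from the original post: it parses a raw email, classifies the sender domain against a small allow-list, and lists anchors whose displayed hostname differs from the href's hostname. The allow-list (example.com as the firm's own domain, amazon.com as a known vendor), the sample message and the short homoglyph table are all constructed for illustration; a production filter would use a full Unicode confusables table and the Public Suffix List for registrable-domain handling.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the firm's own domain plus a vendor it expects mail from.
LEGIT_DOMAINS = {"example.com", "amazon.com"}

# Small, illustrative set of look-alike substitutions (digit-for-letter, rn-for-m, vv-for-w).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so amaz0n.com compares equal to amazon.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats such as amazn.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr: str, legit=LEGIT_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for the domain of an address."""
    domain = addr.rpartition("@")[2].lower()
    for good in legit:
        if domain == good or domain.endswith("." + good):   # exact or real subdomain
            return "legitimate"
    for good in legit:
        if (domain.startswith(good + ".")                   # amazon.com.evil.test
                or normalize(domain) == normalize(good)     # amaz0n.com
                or levenshtein(domain, good) <= 1):         # amazn.com
            return "lookalike"
    return "external"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host(s: str) -> str:
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def mismatched_links(html: str):
    """Anchors whose displayed text is itself a URL/domain that differs from the href host."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown, actual = _host(text), _host(href)
        if shown and "." in shown and shown != actual:   # only when the text looks like a URL
            out.append((text.strip(), actual))
    return out


def analyze(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(msg["From"])[1]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"sender": addr,
            "sender_verdict": classify_sender(addr),
            "mismatched_links": mismatched_links(html)}


# Constructed sample phish: look-alike sender plus a link whose text and target disagree.
SAMPLE = """From: Amazon Security <security@amaz0n.com>
To: employee@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. Confirm your details at
<a href="http://amaz0n.com/login">https://www.amazon.com/signin</a></p>
<p>Questions? <a href="https://www.amazon.com/help">Help center</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running the block on the sample reports the sender as a look-alike of amazon.com and flags the sign-in link, whose text shows www.amazon.com while the href actually goes to amaz0n.com; the "Help center" link is left alone because its visible text is not a URL. The subdomain rule is deliberate: mail.amazon.com is treated as legitimate, but amazon.com.evil.test, where the trusted name is merely a leading label, is flagged.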
What You Can Do To Protect From Phishing
- Security Awareness Training – Training employees through a security awareness program not only teaches them how to spot a phishing attempt, but also how to report it so the security or IT team can warn colleagues and pull the message from other mailboxes before anyone else falls victim.
- Social Engineering Assessments – Testing employees with simulated phishing emails or more advanced social engineering attacks is a great way to put your awareness program to the test. It also lets you educate employees with real-world examples during a post-mortem discussion, which drives home the importance of training and demonstrates the risk to the business of a successful social engineering attack.
- Comfort Factor – Ask employees to stay alert for social engineering attempts, and make sure training covers the proper reporting channels for suspected incidents. The key is that reporting must never make anyone feel stupid or embarrassed: give everyone a safe and easy channel to report a potential issue so it can be investigated. If something seems odd, even if they cannot put a finger on why, employees should proceed with caution and report the email or incident.
Unfortunately, no control stops every employee from ever falling for a phishing attempt. Educating your employees is the first big step toward keeping your firm from falling victim, and it complements, rather than replaces, technical controls that limit what a single wrong click can do. As attackers become more sophisticated, so do their schemes and phishing lures. That makes it incredibly important never to become complacent as an organization and to keep security at the top of your mind.