Protecting Yourself Against the Dangers of Email Phishing


An email arrives in your inbox. The sender displays as your company’s president or CEO. The message is simple: There’s a nasty virus making its way throughout the internet affecting anything it touches. The message informs you the IT department has been working tirelessly to ensure the network is protected, but you need to make sure you haven’t already been compromised. They’re asking you to log in to a web-based portal so a new tool they’re deploying can check your account for potential problems.

This is just one of the many social engineering attacks criminals use to steal company information. The attacks are designed to elicit just enough fear while providing a solution. Because people are the weakest link in the security chain, proper training is just as valuable as any firewall or spam filter. Luckily, if you’re a BKD client receiving the email described, the sender was likely not a criminal but instead a BKD consultant hired to test the effectiveness of social engineering training.

Some of the best spam filters on the market today haven’t been effective at detecting spear phishing campaigns like the one described. Tools are freely available to spoof the sender’s address and often go undetected by spam filters. In cases where a more sophisticated system is in place, purchasing a similar domain and creating an identical username fools even savvy users. BKD’s phishing engagements have shown approximately 10 to 15 percent of recipients will respond to our email phishing test if no test has ever occurred for the institution and if recipients aren’t receiving periodic training. Subsequent tests often see a 5 to 10 percent drop in users who freely give up their credentials.

Prevention requires a multifaceted approach. Training is, and always has been, the key to preventing these attacks. Email filters, while important, simply aren’t enough. Here are a few tips from a consultant’s viewpoint to consider when preparing your next social engineering awareness training program.

  • Periodic emails to employees with tips or reminders can be effective. Just remember the information needs to be short and informative. Longer emails are often skimmed or ignored.
  • Perform periodic internal testing. BKD clients that have successfully had zero employees fall for phishing campaigns during a test typically perform internal tests on their employees and bring us in annually for an independent test.
  • Consider policies stating no URLs should ever appear in emails from other employees and under no circumstance should URLs be clicked.
  • If URLs can’t be avoided in your day-to-day business, always check URLs carefully before following them. Extortionists who use Cryptolocker often create complex URLs that look like they lead to legitimate websites. Just because it includes the name of a company you recognize doesn’t mean it belongs to that company.
  • Never follow shortened URLs without knowing where they lead first.
  • Relying on typos or grammar misuse isn’t enough to detect a phishing email. It’s true that many overseas phishing campaigns are littered with errors, but the absence of errors doesn’t make a message legitimate.
  • If the email is asking you to do something, especially to avoid some kind of negative action, always verify the email’s legitimacy. Do this by phone or in person. Don’t reply to the email. If your attacker receives replies asking “Is this real?” they will likely reply “Yes.”
  • If you believe you have fallen for a phishing attack, change your password immediately and contact IT.
  • Never download files from senders you don’t know. This is especially true for executable files regardless of the sender. It may look like an update, but instead it may allow an attacker access to your computer.
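To make the URL and sender checks in the list above concrete, here is a small added example (not part of the original article or any BKD tooling) that inspects a constructed email for the indicators described: a display name matching a trusted executive while the address domain is not the company’s, a sender domain that imitates the company name, a recognized brand name tucked into a subdomain or path of an unrelated domain, the user@host trick, and shortened links. The company domain, executive name, brand list and the sample message are all assumptions invented for the example; a production version would use the Public Suffix List rather than the two-label approximation shown.

```python
"""Flag common phishing indicators in an email using only the standard library.

Added example, not code from the original article. All names and the sample
message below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation values; substitute your own.
COMPANY_DOMAIN = "example-bank.com"
KNOWN_BRANDS = {"example-bank", "microsoft", "paypal"}   # names attackers imitate
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
EXECUTIVES = {"jane ceo"}                                # trusted display names, lowercased

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.

    Adequate for .com/.net style hosts; real code should consult the
    Public Suffix List to handle suffixes such as .co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url):
    """Return the reasons a URL looks suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(url.rstrip(".,;:)"))
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)

    if reg in SHORTENERS:
        reasons.append("shortened URL hides the real destination")

    if "@" in parsed.netloc:
        # Everything before '@' is userinfo, not the host; browsers go to the
        # part after it, which is what the lookalike relies on.
        reasons.append(f"text before '@' is not the host; real host is {host}")

    if reg != COMPANY_DOMAIN:
        # A known brand name anywhere except the registrable domain itself
        # (subdomain, userinfo or path) is the classic lookalike pattern.
        haystack = parsed.netloc.lower() + parsed.path.lower()
        for brand in sorted(KNOWN_BRANDS):
            if brand in haystack and brand not in reg:
                reasons.append(f"'{brand}' appears in URL but registered domain is {reg}")
    return reasons


def check_sender(from_header):
    """Return the reasons a From header looks suspicious (empty list if none)."""
    reasons = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name of someone staff trust, but the address is not ours.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' but address domain is {domain or 'missing'}")

    # A purchased lookalike domain that contains the company name.
    for brand in sorted(KNOWN_BRANDS):
        if domain and domain != COMPANY_DOMAIN and brand in domain:
            reasons.append(f"sender domain {domain} imitates '{brand}'")
    return reasons


def analyze_message(raw_message):
    """Parse a raw RFC 822 message and collect sender and URL findings."""
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")

    url_findings = {url: check_url(url) for url in URL_RE.findall(body)}
    sender_findings = check_sender(msg.get("From", ""))
    suspicious = bool(sender_findings) or any(url_findings.values())
    return {"sender": sender_findings, "urls": url_findings, "suspicious": suspicious}


# Constructed sample resembling the scenario in the article.
SAMPLE_EMAIL = """\
From: Jane CEO <jane.ceo@example-bank-secure.com>
To: staff@example-bank.com
Subject: Urgent: verify your account

IT has been working tirelessly to protect the network. Please log in at
https://example-bank.com.account-check.net/portal so the new tool can
check your account. Short link: https://bit.ly/3xyzABC
"""

if __name__ == "__main__":
    result = analyze_message(SAMPLE_EMAIL)
    for reason in result["sender"]:
        print("sender:", reason)
    for url, reasons in result["urls"].items():
        for reason in reasons:
            print("url:", url, "->", reason)
    print("suspicious:", result["suspicious"])
```

Run as a script it prints each finding for the constructed message; imported, `analyze_message` returns a dictionary a mail gateway or awareness tool could act on. The checks are deliberately conservative: a link to `portal.example-bank.com` yields no findings, while brand names placed in a subdomain, path or userinfo of another domain do.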

For more information, reach out to your BKD trusted advisor or use the Contact Us form below.
