Written by Andre Schindler, NinjaOne’s general manager for the EMEA region
There are technologies to detect and limit the number of phishing emails that reach your business. At the end of the day, however, people are the last line of defense against such social engineering attacks.
At some point, as an employer or MSP, you will be hit. Instead of blocking everything and slowing down business communication, employees, starting with the C-suite, need to be equipped to identify phishing emails, so that the worst happens in the learning environment rather than the real one.
To begin, employees need to understand the elements that make up a social engineering phishing attack, and how to find out where their own information is published online.
Elements of a Social Engineering Phish
Explore your digital footprint
The best cybercriminals take the time to do their homework on their next victim. By scrolling through social media feeds tied to a person’s name and searching Google for any available information, they can piece together a picture of that person’s habits.
Examples include places the person frequently visits, such as a gym or favorite restaurant, and even personal details such as date of birth or home address.
Imagine you repeatedly post on social media about how much you love a local coffee shop. If you are reading this post, a message about that coffee shop may well already be in your own story.
An attacker could craft a convincing phishing email that appears to be a coupon code from that local coffee shop, or from a vendor you work with.
With this kind of information spread across the web, victims are far more likely to fall for fraud that draws on their personal details.
Creating social click pressure
“Human behavior is hard to change. People are always constantly vulnerable to certain things, and as current events change, that changes how vulnerable people are and how they react.”
In many cases, attackers use social pressure to get the average user to click without thinking.
One example is a phishing email posing as a request from a supervisor to a new employee in their first few weeks on the job.
Other cases lean more on emotion, such as a message from a supposed friend or colleague who needs immediate help to get out of a bad situation.
Both examples draw on social pressure and strong human emotions to make the victim set aside their security training.
Practical tips to identify phish
If you see something, say something.
Reporting a potential phishing email should be the golden rule, even if the employee has already opened the email or downloaded the attachment. Employees need a supportive process and environment for reporting the potential phishing emails they identify or discover.
Don’t let the environment become negative or hazing-like towards an employee who reports phishing.
In a recent MSP Live Chat on anti-phishing with other IT professionals, Phin Security CEO Conor Swolm went even further, saying:
“Don’t tell your employees about a phishing test on a specific date or time. If you do, they just won’t open any of their emails these days, which reduces business efficiency and communication.”
Know the most common types of phishing attacks
The more familiar employees are with all types of phishing attacks, the better equipped they will be to report the real thing.
The Federal Trade Commission has put together a list describing the most common types of phishing attacks, including how some social engineering phishing schemes use email, text messages and even phone calls to gather the information needed for an attack.
Don’t hand employees a long technical list of threats. Instead, translate the most common threats into terms that everyone, from the C-suite across the whole organization, can master. Real-world examples, such as those shown in our MSP Live Chat, also add color and help employees understand the realities of the problem.
Encourage caution and lean on company policies where possible
Company policy on fund transfers, messages from the CEO and the creation of new account registrations is an excellent guide for employees trying to identify phishing emails.
Suppose, for example, that company policy states that your business does not accept one-off fund transfers for additional services. In that case, a request for one is an easy way for an employee to spot the scam.
We also recommend spelling out in the policy what employees should expect in terms of communication from the CEO on ad hoc requests. Then, when new employees come in and see an urgent request for $600 in Amazon gift cards, they know that the CEO won’t ask for that kind of thing via email.
Security culture transcends security training
“Culture is the most powerful force in humanity.” – Kanye West
All businesses need to schedule regular security training in employee calendars, but when security becomes part of your organizational culture, you make it unavoidable and keep it constantly in employees’ sights.
Keep the rules simple and easy to understand, so that your team knows what is expected of them and understands that they are not merely involved in protecting the organization from bad actors, but are one of the most integral parts of that protection.