Phishing Archives

Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations, however, do give companies an indication of where they’re at awareness wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?

The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam employees. And hackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. What it also does is set up your staff, who might resent you for it as well as any subsequent cyber security training they receive as a result. And that’s not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.

There are many cyber security firms that offer simulated phishing tests that are designed to test the level of cyber security awareness. Others may be the experts when it comes to phishing simulations and we realize our limitations. Instead, we decided to put all our efforts into offering the most high-quality security awareness training content and make it easily available to businesses of all shapes and sizes. If our clients want to do a phishing simulation that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. There’s also this gut feeling we have that tells us that too often they are unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

After you start your selected cyber security awareness program have reports of spam, phishing or malware increased? If the answer is yes it means your staff is more aware, not that you‘re being attacked more often.
Have your IT team look at proven hacking incidents before and after training began.
Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it‘s important for them personally as well.

If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores for your files but a strong security culture. Having a strong security culture within you company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.

This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to install fear. When employees live in fear, they are less likely to participate in the training and, less likely to report breaches and data leaks. They are also more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

Spear phishing is a specific cyber-attack aimed at an individual or individuals that are associated with an organisation.

The US Federal Bureau of Investigation (FBI) gave the following example: “Customers of a telecommunications firm received an e-mail recently explaining a problem with their latest order. They were asked to go to the company website, via a link in the e-mail, to provide personal information—like their birthdates and Social Security numbers. But both the e-mail and the website where bogus.”

The key to spear phishing is that the criminal knows something about the recipient. In the FBI’s example, the criminal knows that the recipients were customers of a telecommunications company. It’s that small piece of information lends credibility to the scam.

The dangers of spear phishing

Imagine your staff getting an email from a criminal that says they would like to place an order at your restaurant. The email includes a word document with instructions to enable editing, and therefore open the floodgates for malware. This is exactly what happened at the restaurant chain Chipotle when millions of customers’ credit card numbers were stolen.

Spear phishing attacks differ from phishing attacks in that they are targeted to a specific group. In a traditional phishing attack, there is no information that shows that the sender knows who they’re reaching out to.

How to prevent spear phishing

Educate and train employees

Education is the most important way to prevent spear phishing in your business. Teach your staff what to look for and make sure that they understand the dangers of spear phishing.

Here are some of the guidelines that you can teach your employees to prevent spear phishing:

● Simply never use links in emails
Teach your employees to never click a link in an email. If a bank, or even your own company, requests that they log in or make changes, they should go to their browser and type in the URL themselves.

● Verify URLs
Every hotlink in an email or even on a website redirects to someplace else. Teach employees to look at the URL more than once before clicking anything. One of the tricks that criminals use is to create a close approximation of a domain. For example, to trick someone into clicking a page, they will change www.usbank.com to www.usbenk.com. The name is close enough to trick someone who is not reading closely.

● Never give out personal data
One simple rule to institute is to tell employees to never share any information like passwords or account numbers. Unless they are instructed to do so by management, they should never share any information. Moreover, they should never share it via email or any other electronic medium. Anything typed into a computer connected to the internet is susceptible to having information stolen.

● Be careful with social media
The more information that employees put on social media, the easier it can be for criminals to spear phish them. Criminals can use online information to increase confidence in the recipients.

Spear phishing prevention with software

There are several steps that you can take using software that can protect your company.

● Keep your software up-to-date
Spear phishing relies on malware to infect your system. By having the most recent patches and security software, you can minimize the risk of the malware if it arrives.

● Antiviruses
Antivirus software is, and always will be, a necessity. Look for software that scans and updates itself constantly. It could prevent malware from getting a foothold on your server.

● Encrypt sensitive data
File and data encryption is a great way to keep spear phishers from being able to use the data. All of the sensitive data on your network should be encrypted. This keeps any data that a criminal receives from being useful for anything.

● Multi-factor authentication
If someone asks for an employee’s password, but there are multiple layers of protection, the password is useless. For example, if your system is protected with passwords and bio-metrics, a password is useless on its own.

Staying safe from spear phishing

All spear phishing is based on human behavior. Therefore, the best way to make sure that your system stays safe from spear phishing is to teach your staff what to avoid.

The technological solutions are powerful, but education and security awareness training are the most important elements.

Security awareness training is vital for businesses of all sizes. Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking related breaches used weak or stolen passwords. It’s simple: Employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.

A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.

Here are 4 important security awareness tips that you need to know before you start training your employees.

Security Awareness Tip no. 1

71% of organizations were successfully spear phished in 2014

Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.

Spear phishing, like most hacking attempts, is a behavior-based hack. Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.

The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. Then the hackers stole their password and data.

Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole passwords and emails that way.

Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.

Security Awareness Tip no. 2

Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it

Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn’t actively scan. Furthermore, most of the software scans only once or twice a day and it requires periodic updates. For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat. For this reason teaching staff to recognize phishing emails is imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.

Security Awareness Tip no. 3

Security awareness training can reduce a company’s exposure by up to 70%

Few things will give you the ROI that security awareness training does. According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record. Take a moment to consider that – that means that if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.

If you can reduce your exposure to loss by 70%, why wouldn’t you do it?

Security Awareness Tip no. 4

Employee data is often stolen too

When we think of data breaches, we often only consider customer data – information entrusted to us by our customers. What many employees forget is that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that’s not all they have. Employee’s personal email logins can be found on most systems. In addition there are addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more is sitting on the company’s network.

If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.

What all of this means for your company and employees

All of this is important to understand as you start training your employees. Each of these security awareness tips is a lesson that needs to be clearly understood.

71% of executives were successfully spear-phished in 2014 – Unless one is to assumes that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it – Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
Security awareness training can reduce a company’s exposure by up to 70% – The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
Employee data is often stolen too – This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.

Security awareness training is simply part of life in the modern computer age. It needs to happen.

You hear about it all the time, from your tech people to the evening news. Ransomware attacks seem be everywhere and it seems like there’s a new and nastier version out every day. The truth is that ransomware is very popular with criminals and it can be very difficult to beat once you’ve been infected. It is possible to prevent ransomware from getting onto your network in the first place and perhaps reset your system if you do get infected. Here’s what you need to know:

What is ransomware?

As a concept, ransomware is fairly simple. A criminal uses a piece of email that prompts someone to open a link or download an attachment to carry out the attack. The malware that is at that link or on the attachment contains instructions to encrypt the entire network. As the malware crawls over the network, it locks down all of the files, the software – everything.

A message appears on all of the infected screens that tells the owner to call a number or send money to an account number. In exchange, the criminals will send or apply an encryption key that will release the data.

The encryption system that they use is nearly unbreakable, being the same level of encryption that most banks and military installations use.

Why are ransomware attacks so popular?

One reason that ransomware has become so popular is that there are automated ransomware designers on the dark web. Anyone can go to one of these designers-as-a-service and create ransomware that they then deploy to the world. Ransomware is also popular for another reason, it gets cash for the criminal. Once you’ve paid the ransom, they might release your computers. You have no guarantee – and they’ve gotten away with your cash.

As much fun as simply destroying things is, the bad guys like getting money even more. There are even some indications that ransomware attacks are being used to fund terrorism and drug cartels.

Avoiding ransomware attacks

Over 90% of ransomware ends up in your network via email. It can be business email accounts or personal email accounts. Once someone has accessed that email and either downloaded an attachment or clicked a link, you’ve got ransomware in your network.
There are a number of steps that you can follow to prevent ransomware from ever making it onto your network:

1) Education

Most importantly, educate your people to never download anything unless they are 100% positive that they know where the email comes from. They should never open unsolicited emails or follow instructions in an email that seems out of place.

2) Next Generation Anti-Virus

Use a “next generation” antivirus program. Most anti-virus programs wait for an update to protect you from a new threat. Those downloads need to be prompted by the company that made the software. With next-gen antivirus, the system updates itself by tracking activity around the world 24/7 as well as actively scanning your network all the time rather than being activated by a user or the clock. Furthermore, most next-gen antivirus programs are cloud-based so any program updates can be handled instantly by the provider.

3) Regular and Consistent Backups

Make sure you backup at regular intervals. While most people know that they should back up their systems, few individuals and small businesses actually do. Larger businesses have begun to catch on. If you have a backup of your system that is current enough, your tech people can scrub your system and restore you to just a couple of hours before the attack.

4) 24/7 Monitoring

Get constant monitoring. Hire an outside firm or create an in-house team to monitor your network 24 hours a day. It can make a huge difference. They will be able to spot an attack, often before anyone else notices, enabling them to stop it before it spreads too far. This type of monitoring is especially effective against brute force attacks, where a hacker attempts to enter your system from the outside.

What to do when your system is held ransom?

If your system is infected, you’ll usually see the ransom message appear on one screen first, then another. The good news is that, if you are lucky, there might be a way to recover your files without paying the ransom.

Worst case scenario: you need a technology team to reset your computers and network.

The most important point

This is the most important point of them all: with proper security awareness training, your company can avoid 90% or more ransomware attacks. That is why security awareness training is crucial for your business!

Your employee security awareness training should include:

Building awareness of the different types of scams out there: phishing, whaling, spear phishing, and more. With frequent news of cyber security breaches and hacks, one would be forgiven for thinking that people would know what is out there. But generally they don’t. And with businesses having security software and various technical precautions people may think they are pretty safe. But a lot of security breaches happen because of human mistakes that security software, no matter what kind, can’t do anything about. Furthermore, security breaches in businesses often originate with the hacker gaining access to an employee’s private account, and from there getting into the business network. Therefore, effective cyber security awareness training of your employees cannot be underestimated.

Know what to do in case of a ransomware attack. Computers and networks that are turned off don’t spread infection. You’ll want to listen to your own security staff, but for the most part, turning everything off is the first step once you discover you’ve been hacked.

Train your staff on the importance of email and social media policies. The policies that are put in place are designed to protect not only their devices but the company’s network overall. Make sure they are clear on what to do and what not to do.

Ransomware attacks and the 21st century

The idea that anyone with internet access and the ability to get to the dark web can create a ransomware program means that it’s likely that this type of activity won’t stop any time soon. Proactive efforts could save you and your organisation a lot of pain and hassle.

Ongoing education, next-generation antivirus protection, and cloud-based email programs are a significant leap forward in protecting your business. And, once again, education, education, education!

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity.

The word “Phishing” is a recently coined expression created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Phishing attempts are typically carried out by email spoofing or instant messaging. And they often direct users to enter personal information at a fake website. The look and feel of those websites can be identical to the legitimate ones and the only difference is the URL of the website in concern. Recognizing phishing emails before you get scammed is very important.

Example of an email scam:

Fake social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that distribute malware.

There are ways to recognize phishing emails

Here are the most common indicators:

Bad grammar.
Missing or strange fields in email.
Salutation is missing. This can be an indicator of phishing email.
Aggressive call to action. Businesses do not regularly require you to update your payment information or your passwords. Be wary of emails that ask you for too much information or use aggressive wording.
If it sounds to good to be true – it is!
Graphic is fuzzy. Design and the layout of phishing email often gives it away. Scammers rarely do their design work properly.

Check out our Phishing security awareness video

Key takeaways:

Be suspicious of emails that request sensitive information.
If in doubt, verify the origin of the email.
Think twice before you open attachments or click any links.

AwareGO security blog

Category: Phishing