Imagine yourself, working at your computer. A new email notification comes in. The sender seems familiar, but you can’t put a face to the name. You open the email. Inside is a long message, and it contains several references to your organization. Past and present leaders, current employees, and benefactors are all mentioned. All of that must have come from a legitimate source, right? Wrong!
Sadly, today’s phishers are getting more and more clever with every attempt. While there are still a few African Princes asking for money, they are becoming less common. Today’s phishers find public information about your organization and use it against you. Broken English, varying fonts, and pleas for money seem to be a thing of the past.
Now phishers do their research before they click the “Send” button. They Google your organization and cut and paste key names, places, and things from your website into their professional-looking template. They include everything they can find to fool your end users into clicking on their bait.
Their bait isn’t just links to long URLs that lead to a poorly designed login page. They are now using fake attachments disguised to look like a PDF or Word document: a CV, a formal proposal, or any other commonly attached document.
Thankfully, there is some good news. The phishers still leave some obvious clues behind that end users can easily identify. Any links in the body of the email still lead to long URLs. The email addresses they use are unfamiliar. The names are generic: someone who sounds familiar and could be someone you know, but not someone you have actually communicated with in your current role.
As IT professionals, we have several roles to play in this arms race against phishers. We must educate our end users on the obvious clues and make them wary of unfamiliar email senders, encourage them to forward any suspect emails to us immediately, and make it a priority to read and respond to them. We must also use those forwarded emails as examples of the new tactics being used against us.
Of course, up-to-date anti-virus definitions and regular backups should always be in place, but we’ve all seen the frustration end users feel after losing hours of work, or the downtime while a workstation is being scanned.
A well-trained and well-informed end user base is the first line of defense against attacks entering your organization. It’s important to keep security awareness fresh and fun for the end users. Holding lunch ‘n learns with specific examples of recent attacks, and praising end users who have reported these attacks, keeps the training interesting.
This may seem like hours of work and prep time, and it is. But wouldn’t you rather have some fun with your end users and give them face-to-face time than pull an all-nighter restoring from backups after an accident-prone end user exposes your network to malware that was disguised as a resume?
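The clues listed above (long URLs in the body, an unfamiliar sender address, and an attachment dressed up as a PDF or Word document) can be checked mechanically when an end user forwards a suspect message to IT. The following Python script is an added example, not code from the original post: it parses a raw RFC 822 message and reports each clue it finds, so the reviewer can confirm the report quickly and reuse the message as a training example. The list of known domains, the URL length threshold, and the sample message it screens are all constructed assumptions; adjust them for your own environment.

```python
"""Triage helper for suspect e-mails forwarded to the IT team.

Added example (not the original post's code). Flags the three clues the
post names: long URLs in the body, a sender address outside the domains
the organisation normally corresponds with, and attachments whose file
name claims a document format that the declared content type contradicts.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed: domains this organisation actually exchanges mail with.
KNOWN_DOMAINS = {"example.org", "partner.example.com"}
# Assumed threshold; tune it to the link lengths your own mail normally carries.
LONG_URL_THRESHOLD = 60

# File extensions phishers commonly imitate, with the content types they should carry.
DOC_EXTENSIONS = {
    ".pdf": {"application/pdf"},
    ".doc": {"application/msword"},
    ".docx": {"application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
}


class _LinkCollector(HTMLParser):
    """Collect href attributes from <a> tags in an HTML body part."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    """Return every URL found in the text/plain and text/html parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://\S+", part.get_content()))
    return links


def sender_domain(msg):
    """Domain of the From: address, lower-cased; empty string if absent."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list:
    """Return human-readable findings for the reviewer (empty list = no clues)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    dom = sender_domain(msg)
    if dom not in KNOWN_DOMAINS:
        findings.append(f"sender domain not in known list: {dom or '<none>'}")

    for url in extract_links(msg):
        if len(url) > LONG_URL_THRESHOLD:
            findings.append(f"long URL in body ({len(url)} chars): {url[:40]}...")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        for ext, expected in DOC_EXTENSIONS.items():
            if name.endswith(ext) and ctype not in expected:
                findings.append(f"attachment {name!r} claims {ext} but is {ctype}")
    return findings


def build_sample() -> bytes:
    """Constructed sample message carrying all three clues (not a real e-mail)."""
    m = EmailMessage()
    m["From"] = "Sarah Miller <s.miller@mail-secure-docs.example>"
    m["To"] = "staff@example.org"
    m["Subject"] = "CV for the open position"
    m.set_content(
        "Hello, please see my CV attached and the job page here: "
        "http://careers-portal.example/track/?id=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
    )
    # A few placeholder bytes labelled as a PDF but declared as a generic binary.
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Sarah_Miller_CV.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("-", line)
```

Each finding is a plain sentence rather than a score, so the reviewer sees exactly which clue fired and can quote it back to the reporting user; a message with no findings is not proof of safety, only the absence of these three clues.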
Here are a few tips on making your end user training successful:
- Know your end users and be prepared to spend extra time on those who you have identified as being accident prone.
- Make the training exciting and fresh; be sure to make attractive handouts as a takeaway for everyone to reference.
- Keep the accident-prone end users anonymous; we never want anyone to be embarrassed and stop reporting suspicious emails altogether!
- Don’t take any users for granted. Even people with IT backgrounds can fall for the newer scams!
- Make email phishing prevention a top priority for everyone in your organization.