Protect Your Business from Phishing Through Staff Education and Training
The acclaimed television drama series "Mr. Robot," which ran on the USA Network through four seasons, focused on the chaotic life of an information security specialist who becomes embroiled with a radical group dedicated to hacktivism. One of the most celebrated aspects of the series was its realistic portrayal of cybercrime, and many of its episodes are currently used by university professors who teach IT and computer networking courses.
It only took six "Mr. Robot" episodes for viewers to be introduced to the basics of an authentic phishing attack, and it was quite the informative lesson because it was carried out against the IT department of a major corporation. Most business owners associate phishing with stealing username and password credentials; in this case, however, the attack was conducted as a diversion to give hackers sufficient time to physically infiltrate a rack of servers. This is a good lesson to learn because phishing attacks can be formulated for various purposes.
Through the rest of the "Mr. Robot" series, phishing made a few more appearances, but the show made it a point to showcase social engineering as a more dangerous aspect of cybercrime, one that seasoned hackers take great pride in. To a certain extent, phishing is just one aspect of social engineering, but it happens to be quite damaging.
In the United States, the Federal Bureau of Investigation logs more than 250,000 phishing complaints each year through its Internet Crime Complaint Center. Statistics compiled by IBM show that one out five major data breach incidents and ransomware attacks are facilitated by phishing.
At SynchroNet, something that our information security consultants often notice when they conduct security assessments is that business owners are not aware that phishing can be prevented and mitigated through staff training. You may be familiar with phishing because you have seen it mentioned on numerous news headlines such as the 2016 breach of the Democratic National Committee, but do you think you would be able to recognize it once it lands in your inbox? How about your employees?
Phishing Awareness and Training
The current cyber threat environment requires business owners to accept that they will be hacked at some point. In the past, cyber attacks could be prevented; nowadays, they must be mitigated, but phishing happens to be an exception. Preventing phishing attacks is a matter of learning how they work, how they can be spotted, and how to implement the right business practices in order to avoid them as much as judiciously possible.
All of the the above measures are part of phishing training, which happens to be one of the best information security tools available to business owners. While it is true that email management solutions can go a long way towards preventing phishing attacks, there is a lot more to learn about this cyber threat. First of all, phishing is hardly limited to email; there is also whaling, pharming, spear phishing, SMShing, and the highly sophisticated vishing, which is closer to pure social engineering.
The ultimate goal of phishing training is to foster a posture of total awareness among all staff members who engage in business communications. As long as phishing attacks are spotted, further damage can be averted not only by not falling into their traps but also by implementing adequate measures to stop what could be a wider cyber incident. For example, some cybercrime gangs have been known to drop malware that forces malicious URL redirection, but they will follow up with a phishing email to entice targeted individuals to type a specific web address. In this case, if the message is recognized as phishing, the manual entry of the redirected URL can be ignored, thus interrupting the attack.
Phishing training may include class instruction, real-life examples, simulations, and assistance with crafting adequate security policies. There are two main objectives: One that focuses on spotting suspicious and malicious situations, and another one centered on promoting individual behaviors as well as a culture of corporate security. The proper posture should combine individual behaviors with an overall mission to avoid both phishing and social engineering situations.
It is important to note that phishing is a game of deception. Pharming schemes, for example, tend to be easier to spot because hackers mostly use scripts and automated methods to cast a wide net. Highly targeted phishing, the kind used in the 2016 DNC cyber attack, often involves "casing" by hackers who go after big targets such as law firms and security agencies that handle sensitive and confidential matters.
SynchroNet is equipped with the tools and resources to help your company avoid phishing scams, in all of its forms. Call us to learn how we can help your organization!