Educating employees on how to detect phishing attacks can be a much-needed push for network defenders.
Security by design has long been a sacred grail for cybersecurity professionals. This is a general idea: make sure the products are designed to be as safe as possible so that there is less chance of further compromise at the bottom of the line. The concept has been further expanded in recent years to refer to the effort to embed security in every part of an organization – from its DevOps pipeline to the day-to-day work practices of its employees. By creating a security-first culture like this, organizations will be more resilient to cyber threats and better equipped to minimize their impact in the event of a breach.
Technology controls are certainly an important tool in helping to create such a deeply embedded security culture. But at the same time phishing awareness training – which plays a vital role in mitigating one of the biggest threats to corporate security today and must be at the forefront of general cyber security awareness training programs.
Why is phishing so effective?
According to the ESET Threat Report T1 2022, email threats increased 37 percent in the first four months of 2022 compared to the last four months of 2021. The number of blocked phishing URLs has grown at almost the same rate, with many scammers exploiting common interests in the Russia-Ukraine war.
Phishing scams are among the most successful ways for attackers to install malware, steal certificates, and deceive users into transferring corporate money. Why? Because of the combination of spoofing techniques that help scammers disguise legitimate senders, and social engineering techniques are designed to accelerate the recipient’s performance without first thinking about the consequences of that action.
These strategies include:
- SFFD sender uses ID / domain / phone number, sometimes typoScating or International Domain Name (IDN)
- Hijacked sender’s account, which is often difficult to identify as a phishing attempt
- Online research (via social media) to make targeted spearfishing efforts more credible
- Use official logo, header, footer
- Creating a sense of urgency or excitement that speeds up the user’s decision
- Short link that hides the actual destination of the sender
- Creating legitimate handsome login portals and websites
According to the latest Verizon DBIR report, Four vectors are responsible for most security incidents last year: Certification, Phishing, Vulnerability and Botnet. The first two revolve around human error. One-fourth (25%) of the total violations examined in the report resulted in social engineering attacks. When combined with human error and abuse of privilege, the human component is responsible for 82% of all violations. This should make it a priority for any CISO to turn this weak link into a strong security chain.
What could be phishing?
If phishing attacks become a bigger threat in the last two years. Confused home workers with potentially unpacked and less-protected devices have been ruthlessly targeted by threatening actors. In April 2020, Google claims Blocking about 18 million malicious and phishing emails every day worldwide.
As many of these workers return to the office, they are at risk of further SMS (laughing) and voice call-based (wishing) attacks. Traveler users can probably click on links and open attachments that they shouldn’t. These could be:
What training strategies work?
Recent Worldwide study Revealed that safety training and employee awareness are top spending priorities for companies next year. But once this decision is made, which strategies will provide the best return on investment? Consider training courses and tooling that provide:
- Extensive coverage across all phishing channels (email, phone, social media, etc.)
- Entertaining lessons that use positive reinforcement instead of fear-based messages
- Real-world simulation exercises that can be tweaked to reflect phishing campaigns developed by IT professionals
- Continuous training sessions throughout the year in small bite-sized lessons of no more than 15 minutes
- Coverage for all employees, including Temp, contractors and senior executives. Anyone with network access and a corporate account is a potential phishing target
- Analytics provides detailed feedback on individuals that can be used to improve subsequent sessions.
- Personalized lessons according to specific role. For example, members of the finance team may need additional guidance to deal with a BEC attack.
- Gamification, workshops and quizzes. Instead of pretending to be “taught” by IT experts, it can help motivate users to compete against their peers. Some popular tools use gamification techniques to make training “stickier”, more user-friendly and engaging.
- DIY fishing practice. According to the UK National Cyber Security Center (NCSC), Some companies allow users to create their own phishing emails, giving them a “richer view of the techniques used”.
Be sure to report
Finding a training program that works for your organization is an important step in turning employees into a strong front line against phishing attacks. But attention should also be paid to creating an open culture where reporting of potential phishing attempts is encouraged. Companies should create an easy-to-use, clean process for reporting and reassure employees that any precautions will be investigated. Users must support this, which may require purchases across the organization — not just IT, but HR and senior managers as well.
Finally, phishing awareness training should be part of a multi-layered strategy to address social engineering threats. Even the best-trained workers can sometimes be deceived by sophisticated scams. That’s why safety controls are essential: consider multi-factor authentication, regularly tested incident response plans, and anti-spoofing technologies like DMARC.