While it initially sounds promising to hear that the number of data breaches seen last year went down significantly, it is important to recognize that the number of data records leaked as a result more than doubled. One clear cause was the resurgence in the use of the underhanded malware variety known as ransomware. With this suggesting an increased threat of ransomware incoming, can you confidently say that your business’ team is ready to deal with it?
For your business’ data and operations to remain secure, you will need to take a two-pronged approach—both teaching your team to avoid phishing and evaluating them on their overall preparedness through simulated attacks.
To start, let’s review the overall process that the average phishing attack tends to follow:
This—and the fact that a phishing attack against you is practically guaranteed to happen at some point—is precisely why it is so important that your team is prepared to spot them as they come in.
Hackers and scammers are unfortunately very crafty when it comes to their schemes, often tying in current events to add some perceived legitimacy. The past year has seen no shortage of COVID-19-themed phishing attacks, seeming to offer updates and information.
Hackers rely on user panic and impulsive reactions, so reinforce the importance that your users take an extended look at them before acting on them.
Hackers will also commonly use spoofed links to fool their targets. A spoofed link can take a few forms, but regardless of how it looks, it will direct a user to a website different from the one they expected to go to.
Spotting these links can be tricky, so here are a few best practices to follow. Let’s assume that the spoofed link is meant to look like one that directs to the payment application Venmo as we go through some examples:
If the email is from Venmo, a link should lead back to venmo.com or accounts.venmo.com. If there is anything strange between “venmo” and the “.com” then something is suspicious. There should also be a forward slash (/) after the “.com.” If the URL was something like venmo.com.mailru382.co/something, then you are being spoofed. Everyone handles their domains a little differently, but use this as a rule of thumb:
As you can imagine, some of these tricks are easier to spot than others, so extra diligence will be called for here.
To be particularly cautious, you could also consider giving your team the safe versions of the URLs they are to use. That way, they can seriously investigate the validity of an email without exposing themselves to risk.
Finally, you need to ensure that your team’s passwords are secure enough that your business isn’t vulnerable that way—because if passwords are too easy to deduce, there isn’t going to be any need for phishing in the first place. Your team should also be supplementing these passwords with additional measures like two-factor authentication, making a breach that much more challenging for a hacker to pull off.
Once you’ve taught your team the various things they’ll need to know, you should also confirm that they can apply them. A phishing test is an effective means of doing just that. In a phishing test, you have your own team members phished to evaluate how vulnerable they are to this form of attack. That way, you know where more training needs to be applied.
An effective phishing test, naturally, cannot be one that is expected. Any warning you give should be vague so that your team isn’t on their guard more than they would normally be.
At the same time, you need to be ethical in how you run these tests. Too many companies have received backlash after running phishing tests with questionable tactics, and such tests don’t do much to benefit your security. As with everything else, your phishing tests cannot infringe on the trust of your team.
Speaking of trust, you can trust NetWorthy Systems to assist you with your security needs. Call 877-760-7310 to find out more.