For example, a tired employee sifting through email at the end of a long day may mistake a fabricated IT request or phony retail offer for a legitimate one, and inadvertently compromise an entire company with one click. Phishing, because it is simple and relatively easy to deploy, has become a cornerstone attack method for hackers, and one that can have significant repercussions for affected companies.
Phishing is such a potent threat to organizations for several reasons:
Aware of these dangers, many companies are taking steps to protect against phishing attacks by conducting awareness training for employees or performing internal phishing campaigns to test their defenses. The central element of a strong phishing awareness training program is education. You need to know both how to detect a phish and how to properly report it. Therefore, we have reviewed the awareness training programs at a wide variety of companies to provide you with the most effective methods for protecting yourself and your organization against this pervasive and persistent risk.
Unfamiliar or Misspelled Sender Address
Attackers often use false sender addresses, particularly if controls (such as an SPF record) are in place to prevent spoofing of internal addresses. Be on the lookout for addresses ending in .corn instead of .com. Also be on the lookout for addresses ending in .net, as well as unusual elements added to the domain, such as @example.suspicious.com instead of @example.com.
When in doubt, Google a suspicious domain name to determine whether it is tied to any known phishing schemes.
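The sender-domain checks described above, as an added example that is not part of the original article: it flags the rn/m lookalike (.corn for .com) and the "trusted name as a subdomain of somebody else's domain" trick. The trusted-domain set and the substitution table are assumptions chosen for illustration; the suffix handling is deliberately simple and a real implementation would use a public-suffix list.

```python
"""Classify an email sender address against a set of trusted domains."""
import re

# Assumption: the organization's legitimate mail domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Character pairs that look alike in many fonts (rn -> m, vv -> w, 0 -> o, 1 -> l).
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

ADDRESS = re.compile(r"[^@\s]+@([^@\s]+)")


def normalize(domain: str) -> str:
    """Collapse lookalike sequences so 'example.corn' reads as 'example.com'."""
    d = domain.lower()
    for fake, real in LOOKALIKES:
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels: 'example.suspicious.com' -> 'suspicious.com'.

    Simplification: assumes two-label suffixes (not co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])


def check_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', 'subdomain-trick', 'unknown' or 'invalid'."""
    m = ADDRESS.fullmatch(address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    for t in TRUSTED_DOMAINS:
        # Exact match or a genuine subdomain of the trusted domain.
        if domain == t or domain.endswith("." + t):
            return "trusted"
    if normalize(domain) in TRUSTED_DOMAINS:
        return "lookalike"
    for t in TRUSTED_DOMAINS:
        # The trusted name appears as a leading label, but the part that
        # actually gets registered belongs to someone else.
        if domain.startswith(t.split(".")[0] + ".") and registrable(domain) != t:
            return "subdomain-trick"
    return "unknown"
```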
Unexpected or Questionable Requests
Any emails asking you to perform an action for which you have had no prior notice (such as upgrading to a new system) should raise alarm bells. Though hackers are tailoring phishes to specific lines of business and using scenarios that people in your organization may have encountered before, it’s still better to verify with a supervisor before clicking (particularly if the request is completely unexpected).
It’s especially important to be skeptical of emails asking you to authorize major transactions or transfers. Instead, users should verify such actions in person or through channels previously established as legitimate.
Masked Links
Attackers may mask malicious content in a seemingly innocent hyperlink. However, hovering over the link reveals where it will actually send users. Ask yourself: Does the link direct to an unfamiliar site? Does it take you to an unsecured site (HTTP) when it should be directing to a secure site (HTTPS)? Utilizing link scanners can also verify a link’s security without having to navigate to the site.
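A programmatic version of the hover check described above, added here as an example rather than code from the original article: it parses the HTML body of a message, compares the host named in a link's visible text with the host in its href, and separately flags links that use plain HTTP. The sample HTML is constructed for illustration.

```python
"""Find hyperlinks whose visible text disagrees with their real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; bare 'www.example.com/x' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for links that hide or weaken their target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text) if URL_LIKE.fullmatch(text) else ""
        if shown and shown != host_of(href):
            findings.append((href, text, "display text names a different host"))
        elif urlparse(href).scheme.lower() == "http":
            findings.append((href, text, "plain HTTP link"))
    return findings


# Constructed sample message body.
SAMPLE = """<p>Your password expires today.
<a href="http://login.example-secure.net/reset">https://login.example.com/reset</a></p>
<p>Questions? <a href="https://support.example.com">Contact support</a></p>
<p>Or view <a href="http://intranet.example.com/news">this week's news</a>.</p>"""
```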
Suspicious Attachments
Many phishing emails are designed to trick you into downloading a malicious document and enabling macros. Attackers embed macro-based malware in Microsoft Word documents and Excel spreadsheets and build a convincing pretext to persuade users to open the file. Always double-check the source of the file and be extremely cautious about enabling macros.
Threat
Some of the most convincing phishing emails prey on common fears: for example, a message claiming that your Amazon account was breached, or that your inbox is full and you won’t receive new messages. By manufacturing an emergency, these emails convince you to act immediately or face serious consequences. As a result, you may be blinded by the threat and in a hurry to fix the supposed problem. This rush may cause you to miss the telltale signs of a phish and inadvertently give up your credentials or download malware. These can be some of the most effective phishing pretexts.
Obligation
More targeted phishing emails hinge on your workplace obligations. These emails may appear to come from a supervisor or executive asking you to download a document. They may be designed to look like a message from your organization’s IT or security department, asking you to log in to a new site or reset your password. In each case, these phishing attempts are engineered to make you feel as though you must follow the instructions as part of your job. Without proper training or caution, your sense of obligation may override any suspicions you have.
Opportunity
Many phishing emails offer an enticing opportunity in hopes of luring you into performing a specific action. For example, an email may be designed to look like a coupon, contest or company appreciation effort with various potential rewards. Attackers will use almost anything as bait: a gift card to a grocery store or restaurant, tickets to a local sports event, or just plain old cash. If the right opportunity comes along and you’re not careful, you might get phished.
Take the following actions when spotting a phish:
- Immediately inform a manager or supervisor.
- Record the incident via a help-desk ticket or email to security or IT personnel (depending on your organization). This will create a paper trail, which can be important to the incident response or disaster recovery plan. It also sets the wheels in motion for a full security response.
- Do not forward the email to anyone, even when reporting the incident. This only acts to spread the risk, increasing the chances that another user may inadvertently click on a malicious link or attachment.
- If necessary, take a screenshot of the email to capture the relevant information.
At this point, your organization’s security or IT team can respond to the incident by:
- Alerting users of the phish
- Recalling the email from user inboxes to prevent further damage
- Blocking the IP address of the attacker
- Examining potentially compromised devices or systems
- Investigating what further access the attacker may have gained
- Changing passwords as necessary
These processes should be outlined in your incident response policy. The clearer the reporting and incident response policy, the faster your organization will be able to block attacks.
Organizations looking to do more can conduct quarterly phishing assessments to test users and identify areas for improvement. In addition, some automated tools are available to test your organization’s vulnerability to and preparedness for inevitable phishing attacks. For example, RSM offers a free, open source tool called King Phisher that enables you to test your own susceptibility to phishing by sending a sample phishing email to your team and tracking user responses.
King Phisher allows you to select sample phishing emails or design your own customized phishes aligned to your organization’s training plan. For instance, after a lesson on common phishing pretexts, you can send users a similar phish to test their awareness and reinforce the specific training. Like anything else, the more you practice the better you will become at catching phishing attempts.
By learning how to detect and respond to a phishing attack, you can become the first line of defense in your organization’s security program.