Tue, May 9, 2017

Can your users spot a phishing email?

Regardless of the security measures that you have in place for your network, it really comes down to user education to prevent security threats. Having top-notch firewalls, anti-virus, web and content filtering are all great lines of defense when it comes to limiting the chances of ransomware or other malware. However, the most effective strategy in combatting these attacks is also typically one of the most poorly implemented – security awareness.

The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing. Trust Centrality’s Security Awareness, powered by KnowBe4, to keep your user community informed of the threats out there.

What is Phishing?

You’ve probably seen many different examples of phishing emails. They are sent to large numbers of users simultaneously and attempt to “phish” sensitive information from unsuspecting users by posing as reputable sources such as banks, credit card providers, delivery firms and law enforcement. The ploy is to trick the user into clicking on a link that infects the PC, opening an infected attachment, or visiting a fake website to enter login credentials, financial information, social security data or credit card details. Any data entered is likely to be used maliciously to steal money or an identity, or to infiltrate a network.

According to the Verizon 2015 Data Breach Investigations Report, 23% of recipients open phishing messages. Another 11% click on attachments. Unfortunately, nearly half open these emails and click on links within an hour of receiving them. Some respond within a minute of receipt. In other words, security teams have a tiny window in which to notice such an attack and take adequate precautions to contain it. Clearly, a purely defensive posture is doomed to failure.

Training your User Community

In the past, holding a “training” session for employees may have been enough to alert them to suspicious attacks. Now, malicious emails may not be as obvious, as hacking tactics are becoming more and more sophisticated. That’s where KnowBe4 comes into play. With the baseline test, a free simulated phishing attack, you can see which of your users are more prone to clicking on suspicious emails. The program provides not only ongoing training classes and newsletters for your users, but also customized phishing campaigns. For instance, “anti-prairie dog” campaigns send random templates at random times, which prevents users from warning each other.

KnowBe4’s robust reporting capabilities let you easily access user training completions, Phish-prone percentage, compliance reports and more. Over a 12-month period, the Phish-prone percentage typically drops from 15.9% down to 1.2%!

Manage the Problem of Social Engineering

Although many phishing emails are difficult to distinguish from legitimate email, there are some key things to look out for. For instance, the email may have poor grammar, or hovering over a link or the sender’s email address may reveal that it does not match the displayed name. In the body of the email, does the sender ask you to send information or to open a link in order to gain something of value? The infographic below shows some of the red flags that can identify an email as malicious.

Red Flags of Social Engineering
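As an added illustration (not part of the original post and not KnowBe4’s or Centrality’s code), the following Python checks a constructed sample message for two of the red flags described above: a sender display name that does not match the address domain, and link text that shows one destination while the link really points to another. The message, names and domains are made up, and the checks are heuristics that can produce false positives (a personal sender name will not appear in a company domain).

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): mismatched display name/domain, and a deceptive link.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@secure-notify.invalid>
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://account-verify.invalid/login">www.example-bank.com/login</a> now.
Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
"""
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def registrable_host(u):  # lower-cased host of a URL or bare domain, minus any leading 'www.'
    host = (urlparse(u if "://" in u else "http://" + u).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_red_flags(raw_email):
    """Return human-readable red flags found in a raw RFC 5322 message (heuristic, not proof)."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []
    # Red flag 1: no word of the display name (e.g. a brand) appears in the sender's domain.
    for a in (msg["From"].addresses if msg["From"] else ()):
        words = [w for w in re.findall(r"[a-z]+", a.display_name.lower()) if len(w) > 3]
        if words and not any(w in a.domain.lower() for w in words):
            flags.append(f"display name '{a.display_name}' does not match sender domain '{a.domain}'")
    # Red flag 2: the visible link text names a host other than the one the href really uses.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            if re.fullmatch(r"(https?://|www\.)\S+", text) and registrable_host(text) != registrable_host(href):
                flags.append(f"link text '{text}' actually points to '{registrable_host(href)}'")
    return flags
```

Running `phishing_red_flags(SAMPLE_EMAIL)` reports both red flags for the constructed message, while the second, honest link (text and href on the same host) is left alone.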

Ask Centrality for your FREE baseline security awareness test today!