Cybersecurity Awareness Month was established more than 20 years ago to provide resources to enable organizations and their employees to stay safer and more secure online. It is an opportunity to focus on four key behaviors that will help everyone stay secure throughout the year:
- Creating strong passwords and using a password manager
- Enabling multi-factor authentication
- Updating software
- Recognizing and reporting phishing attempts
Each of these key behaviors is necessary to help keep organizations, their clients, and their employees secure.
Securing Digital Assets by Identifying, Avoiding, and Reporting Phishing Attempts
“Think before you click.” Embracing this simple habit can help employees keep cyber criminals out of an organization’s network. Phishing emails remain one of an organization’s main risks because a certain percentage of malicious emails will elude an organization’s mail filters, especially as cyber criminals turn to artificial intelligence to craft highly sophisticated and hard-to-identify malicious emails. As the final barrier between a company and cyber criminals, employees need to be even more aware of criminals’ methods and tricks. How can organizations educate employees to recognize and report phishing attempts?
- Emphasize the dangers of phishing. Phishing emails remain a top cyber risk for organizations. As phishing emails become more advanced, spotting phishing indicators is getting harder. Train employees to respond methodically to suspicious emails by pausing to check sender names and email addresses, verify link URLs, and confirm that the type and context of the request make sense. It is also important to emphasize the need to contact the purported sender by calling or texting a known phone number rather than by replying to the email—cyber criminals may still have access to and be monitoring the compromised account. If the recipient replies to the potentially suspicious email, the criminals could take advantage of the chance to communicate with the victim and convince the victim to comply with their request.
- Provide a security awareness program for all staff. Organizations’ most effective anti-phishing filters are employees who have been trained to identify, avoid, and report phishing emails. Organizations should educate all employees—including executives and contractors—on phishing awareness and other digital security best practices. Rather than offering once-a-year training that repeats the same material as previous years, organizations should implement a Security Awareness Program that uses continuous communication to appeal to employees’ different interests and learning styles. A mix of live classes, online modules, newsletters, and simulations can help employees apply cyber best practices to both their personal and professional lives.
- Train employees on the variety of methods employed by cyber criminals. Cyber criminals use social engineering techniques to try to trick employees by manipulating their emotions. They focus on psychological triggers—such as fear, empathy, sex, curiosity, and other emotions—to convince people to take action (e.g., click a link) or share information (e.g., a password). Phishing emails with malicious links are still a common form of social engineering, but cyber criminals also use business email compromise (BEC) emails and vendor email compromise (VEC) emails, as well as text messages, QR codes, phone calls, and direct messages in social media and online games. Organizations should train employees to identify, avoid, and report all types of attempts.
- Conduct internal phishing campaigns. Organizations can reinforce information security policies and training with simulated phishing campaigns. Challenge employees with exercises that mimic real-life techniques used by hackers to try to penetrate a network, such as emails with links that open a network sign-in page, BEC emails that appear to be from an executive, phone calls that simulate IT Support, and other realistic exercises. All users should be included in these campaigns—if they can access the network, even just through an email account, then they pose a risk to the organization, making them a target of cyber criminals.
- Encourage good cyber-hygiene habits on social media. An employee who overshares on social media can negatively impact an organization. Cyber criminals collect information from social media, other public online sites, and even the dark web to target an organization’s employees. Anyone with access to the organization’s network can be targeted—not just executives—so everyone should be wary of how their online information can be used against them and the organization. Help employees understand that the more they post about themselves, the easier it is for hackers to target them.
- Establish guidelines for the use of personal email accounts. Using a personal email for work correspondence (or even cc-ing a personal email address) can make it difficult for colleagues to determine if an email from a purported personal account is valid or if it’s a phishing email. If a cyber criminal were to send a spoofed (or fake look-alike) email posing as an employee, prior use of a personal account may mean that recipients let down their guard and respond with confidential information. If the use of personal email is required for business purposes, consider establishing and educating employees on business rules around its use. For example, if an employee must send a work-related email from a personal account, they should advise colleagues by phone call or text to expect it.
- Ensure employees are familiar with reporting channels. Knowing what should be reported—and whom it should be reported to—ensures that, if a security incident needs to be reported, employees will contact the correct channel. Advise them to report suspicious emails, phone calls, and other security incidents in a timely manner. Emphasize that if an employee has responded in any way—clicked on a link, opened an attachment, typed a password, or even replied—to an unexpected or suspicious email, they must report it immediately so the Information Security teams can begin investigating a potential compromise.
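The sender, Reply-To and link checks described above (and the spoofed look-alike address from the personal-email item) can be automated as a triage aid for a security team or awareness trainer. The following is an added example, not code from the original article; it assumes a company domain of example.com and uses a constructed sample message.

```python
"""Phishing-indicator checks for one email (added example, not from the original article).
Assumes the organization's domain is example.com; the message below is constructed."""
import email
import re
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption for this example

# Constructed sample: the display name claims to be the CEO, the address uses a look-alike
# domain (digit 1 for letter l), Reply-To goes elsewhere, and the visible link text does not
# match the real href target.
SAMPLE = """From: "Pat Chen, CEO" <pat.chen@examp1e.com>
Reply-To: pat.chen@mail-relay.invalid
To: staff@example.com
Subject: Urgent: sign in to approve payment
Content-Type: text/html

<p>Please sign in now: <a href="https://login.examp1e.com/auth">https://login.example.com/auth</a></p>
"""

def lookalike(domain: str, trusted: str) -> bool:
    """True when domain differs from trusted only by common swaps (1/l, 0/o, rn/m)."""
    norm = lambda d: d.lower().replace("1", "l").replace("0", "o").replace("rn", "m")
    return domain.lower() != trusted.lower() and norm(domain) == norm(trusted)

def phishing_indicators(raw: str, trusted_domain: str = COMPANY_DOMAIN) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2]
    if lookalike(sender_domain, trusted_domain):
        findings.append(f"'{name}' sends from look-alike domain {sender_domain} (expected {trusted_domain})")
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and reply_to.rpartition("@")[2] != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from From address {addr}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    # Compare the URL shown to the reader with the URL the link actually opens.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = text.strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link text {shown} actually points to {href}")
    return findings
```

A message with no findings is not proof it is safe; the checks only automate the pause-and-verify habit the training asks employees to practice.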
Throughout the year, organizations can follow cybersecurity best practices by establishing strong barriers to entry—creating long, unique passwords, enabling multi-factor authentication, regularly installing updates, and training employees on the dangers of phishing—to help keep their confidential information and their employees safer and more secure online.