Technologies exist to limit and spot the number of phishing emails that come into your business. Still, humans are the last line of defense against social engineering attacks like this at the end of the day.
At some point, you're going to "be beat" as an employer or MSP. Instead of locking everything down and slowing business communications, staff from the c-suite on down need to be equipped to identify phishing emails, so the worst happens in a training environment and not the real thing.
To start, employees should be educated on the elements that make up a social engineering phishing attack and how they can be aware of where their information is published across the internet.
Elements of a Social Engineering Phish
Examining your digital footprint
The best cybercriminals will take time to do their homework on their next victim. By scrolling through social media feeds associated with the person's name and scouring Google for any available information on the potential victim, they can piece together information about the individual's habits.
For bigger social engineering phishing hacks I can imagine things start to look a bit like this:
Examples include places they frequent, like a gym or favorite restaurant, and even gathering personal information like date of birth or home address.
Imagine if you repetitively post about how much you love a local coffee shop on social media. A post about that local coffee shop may even be on your story as you read this post.
The attacker could create a convincing phishing email that appears to be a coupon code coming from that local coffee shop or a vendor they partner with.
With this sort of information floating around the web, victims are more likely to fall for scams that leverage this type of personal information.
Creating social pressure to click
"Human behavior is hard to change. Humans are always consistenly vulnerable to certain things and as current events pop up it changes the way people are vulnerable and how they react."
In many cases, attackers will use social pressure to make the average user click without thinking twice.
Some examples of this include phishing emails, including asks from an executive to a new employee during their first few weeks on the job.
Other cases might lean more on emotion leveraging a friend or colleague who requires immediate attention to get out of a bad situation.
Both examples lean on using social pressure and raw human emotions to make the victim prioritize clicking over their security training.
Practical Tips to Identify a Phish
If you see something, say something.
Reporting a potential phishing email should be the golden rule here, even if the employee opened the email or downloaded an attachment. The employees must have a supportive process and environment when reporting potential phishing emails they have identified or opened.
Don't make the environment a negative one or one that resembles hazing an employee when they report a phishing email.
On a recent MSP Live Chat that included a phishing challenge of other IT pros, Connor Swalm CEO at Phin Security took this even further by saying:
"Don't make your employees aware of a phishing test on a particular date or time. If you do, they just won't open any of their emails on those days reducing business efficiency and communication."
Connor talked about the risks of "punitive phishing training" on our MSP Live Chat, view the clip here:
Hammer home the most common types of phishing attacks
The more familiar employees are with all the types of phishing attacks, the better-armed they'll be when it comes to reporting the real thing.
The Federal Trade Commission put together this list that outlines the most common types of phishing attacks. Including how some social engineering phishing schemes may include emails, text messages, and even phone calls to collect the necessary information to execute a hack.
That being said, don't create a long technical list of threats. Instead, translate the most common threats, so they are digestible from the c-suite across the organization. Real-world examples like the ones displayed on our MSP Live Chat also help add color while helping staff relate to the realities of the issue.
Encourage caution and lean on company policy when possible
Company policy around fund transfers, communications from the CEO, and the generation of new logins provide an excellent guide for employees to identify a phishing email.
According to company policy, suppose one-off fund transfers for additional services are not accepted by your business. In that case, this can be a straightforward way for a staff member to spot a phish.
On top of this, we recommend outlining in policy what employees should expect in terms of communication from the CEO for time-sensitive requests. This way, when new employees come in and see an urgent request in their inbox for $600 in Amazon gift cards, they know that the CEO wouldn't ask for this sort of thing via email.
Security Culture Beats Security Training
"Culture is the most powerful force in humanity." — Kanye West
All businesses should schedule regular security training on employees' calendars, but when security becomes part of your organizational culture, you've made it inescapable and consistently on the top of employees' minds.
Keep the rules simple and easy to understand so your team knows what is expected and that they aren't just taking part in defending the organization from bad actors but are one of the most integral parts of that defense.