How to be a Smarter Phish

Published: April 16, 2019 by Michael Bruemmer

Cybercriminals and fraudsters love phishing, and they especially like casting their lures into business waters. When these emails are highly targeted and designed to mimic legitimate business communications, it’s called spear phishing. These messages use real logos and proper grammar and spelling, and they carry attachments built to slip past even sophisticated spam filters. A Barracuda study found that 83 percent of spear phishing attacks use brand impersonation, and a third of the attacks are launched from a Gmail account. The point is to make the email look as legitimate as possible so that users fall for the scam and, in turn, download malware or share sensitive information. It works, too. Kaspersky Lab reported that more than 120 million phishing emails were targeted at businesses in 2018.

Phishing is successful for cybercriminals because users struggle to tell the difference between a legitimate and a fake email. This goes both ways: some users treat any unexpected or unusual email as a phishing attempt and ignore it. Opening a phishing email can be costly for your company, but missing an important email because it was mistaken for a phishing attack can also hurt financially. That’s why organizations need to implement phishing awareness training for all employees.

Going after the Big Phish

Awareness training must start at the top of the organizational food chain. Big phish are more valuable to a cybercriminal, so attackers prefer to target high-level executives, who usually have the broadest access to the most sensitive company data. Yet these same executives are often the most resistant to security controls and training. Phishing awareness for executives needs to include some basic training, but the greatest emphasis should be on risk management, with a deep dive into how a successful phishing attack affects the organization’s business operations, financials, and reputation. It should also include a primer on whaling, the high-level spear phishing attacks aimed at the most powerful positions in the organization, and how to recognize such a message as malicious.

Basic Training

Everyone in the organization should understand the phishing basics. Awareness training should include the following:

  • Closely examine the email for legitimacy. Telltale signs of a phishing email are glaring mistakes, a link whose real destination (revealed by hovering the cursor over it) differs from the site the text claims to point to, a clickbait-style subject line, unexpected attachments, or a message that has no relevance to the recipient.
  • Set aside time for email. When you receive dozens of emails a day, it’s easy to give each one a cursory glance before taking action. That’s what phishers expect. Rather, dedicate time to checking email without other interruptions.
  • Don’t assume the spam filters catch everything. Spam filters are great, but a lot of bad email slips into the inbox.
  • Don’t trust; verify. Spear phishing emails are designed to look like they come from a trusted user, and, as mentioned earlier, a lot of legitimate email resembles a phishing email. If you aren’t sure, don’t reply to the message; start a new message to the sender’s known address, or call a phone number you already have, and ask whether they sent it. If you are directed to a website, type the organization’s URL into your browser yourself rather than clicking the link.
  • Never share a password.
  • Beware of social engineering tactics. Phishers rely on social engineering to get you to respond to an email, and they take advantage of events like the Super Bowl, March Madness and the Olympics to engage users.
  • Share. If you think you received a phishing email, share it with your IT or security staff. If it is a phish, they can alert the rest of the organization about the scam.

Again, these are the basics that everyone should know to help spot a phishing email. But awareness training doesn’t stop with reading a single article or spending 15 minutes on a simulation exercise. Awareness training is ongoing. An effective exercise is a weekly “Phish Phry” in which a fake phishing email is sent to the organization. Anyone who replies to the email gets the response “You’ve been Phried!” The goal of the exercise is to reinforce all of the awareness training and to show how easily even the smartest phish can get caught. Try it!