Even with the best firewall in place, it can take one wrong turn for a hacker to break into a company: one uninformed click on a phishing email, or one infected USB inserted into a Wi-Fi-connected computer. Even though there are instances of employees maliciously stealing data from organisations, a large amount of security breaches is accidental and due to a lack of security threat awareness. You can ensure that your staff are equipped with the skills and knowledge they need to become your company’s best line of defence against cyber threats. From do-it-yourself to do-it-all-for-you service options, set your staff – and your business’ livelihood – up for success.
1. Phishing explained
Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website. A common example of this is the Office 365 phishing attack: A hacker sends an email that appears to come from Microsoft asking the user to log in to their Office 365 account. When the user clicks on the link in the email, it takes them to a fake Office 365 login page, where their credentials are harvested. With Microsoft branding and logos both in the email and on the phishing page, an untrained user will not recognize the email as a phishing attempt.
2. Email addresses can be spoofed
Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate, when the email is really coming from a malicious source. The most common types of spoofing are display name spoofing and cousin domains. With display name spoofing, the phisher uses a legitimate company name as the email sender, such as email@example.com, but the email underneath is a random address like firstname.lastname@example.org. Display name spoofing is most effective when a user views the email on a mobile device because the sender’s email address is hidden. Phishers are counting on the fact that most mobile users will not expand the sender’s name to view the email address.
3. Subject lines and text are often threatening or enticing
Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond emails that indicate potential financial loss or that could result in personal or financial gain.
Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should be considered a potential scam. This technique is often used to scare people into giving up confidential information. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.
In some spear phishing attacks, personalized emails from purported colleagues are designed to evoke fear of consequences at work. A classic example of this is an urgent email from a CEO requesting gift cards or a wire transfer. Receiving such a request from a top executive creates pressure for the employee and makes them more likely to respond quickly—without thinking it through. Another example is the direct deposit spear phishing email, which is designed to pressure an HR employee into changing direct deposit information.
4. Attacks are becoming more targeted and personal
Many phishing attacks of the past were sent in bulk to a large group of users at once, resulting in impersonal greetings. The emails would often address a user with a generic term like “customer,” “employee,” or “patient.” Your employees should be cautious of these terms, because professional organizations commonly address users by their first name in email, but a personalized email is not a sure sign of a legitimate email. Today’s phishers are including the victim’s name in the subject line and prefilling the victim’s email address on the phishing webpage.
5. Phishing emails are getting more sophisticated
Employees need to read their emails carefully, not just skim them. Many phishing attacks and spear phishing attacks are launched from other countries, and although this can result in glaring grammar and stylistic issues, phishers have become more sophisticated. They have the resources to compose clean emails in their target language, and they make fewer mistakes.
Employees should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable. In a recent Office 365 phishing page discovered by Vade Secure, there was only one discrepancy between the real Office 365 page and the phishing page: an extra space between “&” and “Cookies” in the “Privacy & Cookies” link in the footer of the phishing email.
6. Links aren’t always what they seem
Every phishing email inclues a link, but phishing links are deceptive. While the link text might say “Go to Office 365 account,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure your employees hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it is probably a phishing attack.
It is most important to make sure that the core of the URL is correct. Be especially cautious of URLs that end in alternative domain names instead of .com or .org. Additionally, phishers use URL shorteners, such as Bitly, to bypass email filters and trick users, so be cautious of clicking on shortened URLs. IsItPhishing.AI can determine if a URL is legitimate or a phishing link. If you or your employees are in doubt
7. Phishing links can be sent via attachment
All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.
GDPR Implications – GDPR has changed how businesses should view email security. We discuss the implications and considerations of the new legislation on organizational email security.
Resources For Employees and Managers – Suitable if you want to provide your employees with training, or are a manager looking for extra tips, resources and demos on email security.
There are dozens and dozens of potential threats that can start through email. They come in many forms and almost all of them include some form of human interaction.
All of the most significant and common threats to your company’s files and your email security happen because of something that someone does.
With regular training for employees that includes phishing simulations, courses on IT and security best practices, and data protection and compliance training, businesses can significantly reduce risk, decrease infections and related help desk costs, protect their reputation by experiencing fewer breaches, and secure their overall cyber security investment.
1. INTRODUCTION TO EMAILS.
EMAIL SECURITY TERMINOLOGY
2. TYPES OF EMAIL ACCOUNTS AVAILABLE.
TYPES OF EMAIL ACCOUNTS
EMAIL TYPE: “POP”
EMAIL TYPE: “IMAP”
EMAIL TYPE: “EXCHANGE”
3. STRUCTURE OF AN EMAIL AND EMAIL ADDRESS.
THE EMAIL HEADER
THE @ SYMBOL
4. EMAIL HEADERS AND PROPERTIES.
ABOUT EMAIL HEADERS AND PROPERTIES
HOW TO VIEW AN EMAILS HEADERS AND PROPERTIES.
UNDERSTANDING EMAIL HEADERS