We’ve all been there. Whether it’s browsing Facebook, scanning your Twitter feed, or simply perusing email, curiously worded messages promise great fortunes—or spectacular destruction of your personal worth. While these phishing techniques immediately send our BS detectors into overdrive, not everyone is quite so savvy about these emails’ malicious nature.
Here are a few tips on how to prevent a Chernobyl-like meltdown due to an overly curious employee.
Diagnose the problem
Phishing attacks are, at their core, a form of social engineering. Someone, somewhere, has carefully picked each word and sentence of that alarming email from the “IRS” (spoiler: not the IRS) with the intent of squeezing some sensitive information out of you. Admittedly, some choose their words more carefully than others, but the basic aim is the same: to deceive you into believing they are who they say they are.
After the social engineering aspect of phishing, things get a bit more diverse. These attacks come in forms ranging from social media posts to text messages and everything in between. Essentially, if you can communicate with it, you can phish with it.
Phishing techniques using analog communication methods like phone or Morse code (hey, it could happen) are obviously after tangible data: things like financial, identification, and authorization information. On the other end of the spectrum are more complex attacks through digital means, like email, websites, and social media.
Both are harmful, and both can lead to larger data siphons if they aren’t nipped in the bud. In particular, digital techniques can spread malware through entire networks with the single click of an insidious attachment. In organizations with more than a handful of users, this can present a nightmare-inducing dilemma. How can you keep your users from falling victim to these attacks?
The more you know—3 steps to help users detect phishing
The success of phishing attempts really boils down to two things: charisma and gullibility. Think about it as you would your favorite Dungeons and Dragons scenario: if the charisma +6 attack of the enemy outweighs your 2d6 gullibility check … well, you’re in for some tough times.
It stands to reason, then, that you should focus on reducing the gullibility of your users and enlightening them to the suave tactics of phishing experts. For example, most people don’t actually realize that email is one of the easiest forms of communication to defraud. Case in point: this recent news item from CNBC.
Don’t be a victim. A good strategy should generally include the following three steps:
Education can be as simple as showing your users exactly what phishing attacks are capable of. Inform them of the myriad ways in which these attacks are presented and how they can compromise both the user and the organization.
Reinforcing this education is key, especially as attacks continue to evolve. Think outside the box on this one in order to prevent death by boredom. For example, you could send mock phishing attempts and offer prizes for those users who spot the attack first. Basically, anything to get your users to see things from your perspective in a less monotonous way is good here.
The goal is to fend off grandma syndrome in your users—you know, the types who believe everything they read online—even in an era of #fakenews. Instill a healthy dose of skepticism and generally sound surfing practices in your users, and you’ll be in good shape.
Finally, don’t be afraid to take things into your own hands. Stay proactive by keeping antivirus software, spam filters, and security patches current. Look for central solutions to monitor network activity and device health. Since your users’ willpower will likely fail at some point, it might even be worth looking into self-healing infrastructure.
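The three steps above stay at the policy level, so here is a concrete illustration of the tells you would teach users to look for (and that a mail filter can score automatically): a display name that borrows a brand the sender's domain doesn't own, a Reply-To that points somewhere else, a link whose visible text names one site while its href goes to another, and the pressure language phishing leans on. This is an added example, not code from the original post or from any vendor it mentions. The two messages, the brand table and the "last two labels" notion of a registrable domain are all constructed simplifications for the example; a production filter would use the public suffix list and authentication results (SPF/DKIM/DMARC) rather than these heuristics alone.

```python
"""Heuristic phishing-indicator checker over constructed sample messages.

Added example for illustration; the brand table, phrase list and sample
messages are made up for this demo and are not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Brands commonly impersonated, mapped to the domain that legitimately
# sends mail for them (constructed table, extend for your environment).
KNOWN_BRANDS = {"irs": "irs.gov", "paypal": "paypal.com"}

# Pressure phrases social-engineering mail relies on (constructed list).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "suspended", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the host part of an http(s) URL, or '' if it is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def registrable_domain(host):
    """Crude 'last two labels' approximation (assumption; real code
    should consult the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])

    # 1. Display name or sender domain invokes a brand the domain doesn't own.
    for brand, legit in KNOWN_BRANDS.items():
        if (brand in from_name.lower() or brand in from_domain) and from_domain != legit:
            findings.append(f"brand_mismatch:{brand}:{from_domain}")

    # 2. Replies are steered to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"reply_to_mismatch:{reply_domain}")

    # 3. Links whose visible text disagrees with their target, or whose
    #    host merely contains a brand name (lookalike domain).
    body = _body_text(msg)
    parser = _LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = registrable_domain(host_of(href))
        text_host = registrable_domain(host_of(text)) if host_of(text) else ""
        if text_host and text_host != href_host:
            findings.append(f"link_text_mismatch:{text_host}->{href_host}")
        for brand, legit in KNOWN_BRANDS.items():
            if brand in host_of(href) and href_host != legit:
                findings.append(f"lookalike_link:{brand}:{href_host}")

    # 4. Pressure language.
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency:" + ",".join(hits))
    return findings


def is_suspicious(raw_message, threshold=2):
    """Flag a message once it trips at least `threshold` indicators."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISHING_MESSAGE = """\
From: "PayPal Security" <alerts@paypal-secure-login.com>
Reply-To: recover@mailbox-relay.net
To: employee@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account has been suspended. Please verify your account immediately:</p>
<p><a href="http://paypal.com.login-check.net/verify">https://www.paypal.com/verify</a></p>
"""

LEGIT_MESSAGE = """\
From: "PayPal" <service@paypal.com>
To: employee@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available in your account.</p>
<p><a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISHING_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, is_suspicious(raw), phishing_indicators(raw))
```

Run it and the constructed phishing message trips all four indicator classes while the legitimate one trips none. The same indicator list doubles as a checklist for the education step: each finding names exactly the thing a user could have spotted by hovering over the link or reading the sender address.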
Follow these simple steps, and your organization will be safer than it was yesterday. Better yet, you won’t walk into work one day and curse when an employee walks up to you with a computer brought down by a sophisticated phishing attack. That’s one more headache avoided!