One key element of cybersecurity is security awareness training. End users need to know what they can do to protect their organizations. As I’ve mentioned in previous articles, we all need follow good password practices and be able to detect phishing attacks by identifying suspicious URL and email domains.
But not only do we have to pay attention to the domain and the address of the individual email, we also have to scan the body of the email to see if there is any suspicious behavior inside of it. Hackers practice a method called social engineering, which attempts to manipulate, influence or trick an end user to gain control of IT systems.
Why Do Threat Actors Send Phishing Emails?
The endgame of a phishing attempt could be one of a few things, sometimes in combination with one another:
- Ransomware: The threat actor encrypts your personal and company files and sends you a ransom note that your systems are locked until you pay a fee (usually via a digital currency). This happens to businesses of all sizes and verticals. I’ve seen schools, municipalities, hospitals, banks, retail, manufacturing, etc., all hit with ransomware. While you can pay to release the ransom, that won’t stop the threat actor from hitting you again.
- Malware: Sometimes the goal is to drop a probe on your network to gather more data before launching a more sophisticated attack. You might not even notice any wrongdoing after clicking on a malicious link. This is extremely important in the world of intellectual property – a threat actor may be acting on behalf of one of your largest competitors, attempting to steal patent, blueprint or script information to clone your valuable assets and beat you to market. This happens every day. To put it into context, when the U.S. government proposes adding tariffs to China because of ongoing intellectual property theft, this is what they are referencing.
What Does a Phishing Email Look Like?
If you only read one of our security awareness training articles, read this one. It’s the blockbuster piece. If all else fails in your organization, at least get your employees to think critically of what is being asked of them in emails and take action. It will greatly reduce your security risk.
These are some of the common characteristics of phishing emails. Train end users how to recognize phishing emails and not to engage – don’t click, don’t reply. Develop a policy around what they should do if they receive a phishing email, such as deleting the email and reporting it.
Threat actors are monitoring your email system. They are looking for patterns in your organization: who sends emails to one another? Who sends wire transfers? They can easily source email addresses from your company website or even from .xls or .pdf documents via a google search on your company domain. Your email and those of your peers are out there. Therefore, you can’t trust anything sent via email without analyzing it first.
Urgency Is the Reddest Red Flag
Any email that says, “login immediately,” “click here now” or “action required” is bogus. Nothing via email is urgent – that’s the whole point of email – it waits for the user to be ready for it. Manufactured urgency is one of the easiest ways to get a user to stop thinking critically and mindlessly click. Be wary of an email requesting immediate attention. If it was that important, they would have called you or walked over to your desk.
Wire Transfers/Receipt of Payment
These are some of the most typical phishing attempts out there: asking for a wire transfer or asking for the user to click a link or open a file to check upon payment receipt. Clicking on that link or opening that file will install malware on the machine.
This needs to be taken extremely seriously, especially for those that are in positions where they deal with transactions daily. The general protocol is that every invoice received, unless specifically requested over the phone or face to face, should be accompanied by a courtesy call to make sure that the claim is legitimate.
Nothing should be opened or processed until that confirmation call has taken place. Once you do this on a repeated basis, your vendor community will learn your protocol and may even proactively call you before sending an invoice. That is an ideal security culture!
I can’t stress how important this is. Workers tend to follow patterns. What I mean is, if I see an invoice from someone who has invoiced me before, I am generally going to open it without question. This behavior needs to be broken.
How do threat actors attempt to fool you regarding attachments? They may change the file name so it reads as “Proposal.PDF” but when you download the file you notice at the bottom of your browser it says “Proposal.pdf.exe” – that’s an executable file program and potentially malicious.
Threat actors also might send you a zip file (.zip) that could have any number of malicious files within it. It’s important to be critical about these attachments. Don’t open an attachment unless you have checked these factors and most importantly, you were expecting the attachment.
Is the email full of typos (or depending on how verbose the sender is, are there not enough typos)? Does the tone of the email seem like one your boss would send? Is this a normal request for your company culture via email?
If your spidey sense is going off, it’s probably worth a phone call to confirm.
Links, Links and More Links
If the email is full of multiple links, you’ve got to stop and pause. What kind of sane email user puts multiple links all over their emails? Only insane people or marketing blasts insert multiple links into an email. It looks desperate and suspicious. Just delete the email and move on. They’ll email you again if it’s real.
You may not be the actual target. But someone in your address book might be. Be suspicious of any emails asking you to forward the message to anyone in your organization, regardless of the tenure/title requested.
Pro Tip for Training End Users to Recognize Phishing Emails
Draft emails containing one or all the features listed above and send them out from both your own legitimate email address and from a dummy account that you are using for the purposes of this training. Hopefully the open rates will be nonexistent on the dummy account, and for the emails coming from your domain, make sure that they are following protocol by overcommunicating before opening. Also be sure to use a fake email with your real name and see if that trips anyone up.
Check out the whole series on security awareness training:Make sure you have the cybersecurity skills needed to outrun the other guy with IT certifications like CompTIA A+ and CompTIA Security+. Download the exam objectives to see what's covered.