Phishing this Holiday Season
When a questionable email hits your inbox, do you open the email or delete the message? The best practice to teach employees who encounter fishy emails is to scroll their mouse over any link and view the resulting URL. Caution – many phishes will include a mix of links; some of which direct to the authentic website, while others direct to malicious websites such as: weregoingtostealyourmoney.com.
In screenshot A, we see a message that purports to indicate a potential hack into an email account, raising immediate red flags to the recipient. Initially, the end-user may ask ‘who is trying to hack my account? I have to prevent this from occurring.’ And they may click on a link to further explore the issue.
Training your employees to spot red flags, using screenshot A, include:
- Font – the font is not consistent throughout the email.
- Spelling errors – Redmond, Washington is spelled incorrectly as Radmond.
- Grammar – Grammatical issues are an indicator of a phish. An email originating from Microsoft will not include grammatical issues such as, “…incoming and outgoing message till you sign in…”
- Link directs – Hover your mouse over all URLs to determine where the link directs. Often within phishing emails, links direct users to malicious websites. Once a user has clicked the link, personal information will be captured.
Clicking into a malicious website and entering personal information and credentials create put employee personal and organizational data at risk. Employees may not intentionally jeopardize the survival of an organization; however, some employees may be afraid to admit they have been victims of a phish if coming forward will jeopardize their job.
Training is critical to educate employees on the importance of reporting issues, resulting in an increased chance of surviving a breach of confidential information.
It is also crucial for management to identify employees who are likely to be victims of hacking.
Key Traits of Hackable Employees:
- They lack education and training.
- They choose weak passwords.
- They share login credentials.
- They install web applications without consulting IT.
- They upload company files to personal cloud storage.
- They access company data after changing jobs.
- They’re not careful enough with email.
Cyber Threat Intelligence Program
A Cyber Threat Intelligence Program identifies cyber security threats and coordinates responses to them. At a high level, the program:
- Maintains multiple intelligence sources,
- Matches potential threats with the company information assets,
- Establishes the cyber threat risk level,
- Assigns the appropriate company responsible parties to respond and
- Oversees the response actions.
What Next?
Schedule an Information Security Audit
In a virtual cyber security assessment, using the information security triad of confidentiality, availability and integrity, Firestorm provides observations and recommendations about cyber security risk. The virtual cyber security assessment includes interviews, document/questionnaire analysis, a virtual results working session, and a written Findings Report with observations and recommendations.
Keep your credit cards safe this holiday season by identifying phishing attacks before your information is stolen.