Phishing is a real problem for cyber security professionals and one that isn't going to go away any time soon. Jeremy Swinfen Green, Head of training and consulting for Teiss, offers some thoughts in this blog post.
Email is now the biggest source of ransomware and other malicious software. In fact according to Wombat Security’s 2016 State of the Phish report, 85% of organisations have reported being the target of an email attack. It’s time to take action!
Malicious emails are often called phishing emails. They typically have one of two purposes:
- To persuade you to divulge secret information such as your password. The email usually directs you to a fake website that looks like the real one; the credentials you enter there are stolen and used to log on to your account. (The attacker is "fishing" for passwords, which is where the term "phishing" originated.)
- To get malicious software onto your computer, either by asking you to open an attachment that contains malware or by persuading you to click on a link that takes you to a website from which malware is downloaded.
Either way, if you fall for the fraudster's scam you are in trouble!
So what can you do to protect yourself, and your colleagues, from malicious emails?
Training and awareness
The first thing you can do is to make sure your colleagues are aware of the threat from phishing. Help people recognise what a phishing attack looks like. Teach them to:
- Check where the email is coming from. The sender may be suspicious: an address that doesn't match the organisation or logos in the email, or a display name that says one thing while the actual address says another. You will also need to teach them that even if the address checks out, the email may still be a fraud, because the From address is very easy to "spoof" unless the receiving mail system enforces sender authentication checks such as SPF, DKIM and DMARC.
- Check the URL in any links. Does it look genuine? Does the text of the link match where it will actually direct you to? Hovering over a link (without clicking) shows the real destination; watch for lookalike domains that differ from the genuine one by a single letter or an extra word.
- Check the text in the email. Does it look in any way odd? For instance, does it use poor wording, or a greeting that the person who appears to be sending it wouldn't normally use? Staff in casinos are taught to report anything that "Just Doesn't Look Right" (JDLR). Encourage your colleagues to report anything that JDLR.
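The same three cues can be checked automatically at the mail gateway or in a mailbox rule. The Python below is an added example, not code from the original post or from Teiss: it parses two constructed sample messages (no real sender or domain is implied) and flags a display name that claims an address on another domain, a Reply-To that goes to a different domain than the From address, and a link whose visible text names one site while the href points at another. Names such as `phishing_cues`, `SAMPLE_EMAIL` and `CLEAN_EMAIL` are the example's own, and the two-label "base domain" rule is a simplification that does not consult a public-suffix list.

```python
"""Automated version of the 'check the sender' and 'check the link' cues.
Added example; both sample messages are constructed and name no real site."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing sample: lookalike sender domain, Reply-To on yet
# another domain, and a link whose visible text and href disagree.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank-login.example>
Reply-To: helpdesk@mail-verify.example
To: someone@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer, you account will be locked in 24 hour.</p>
<p>Please login here:
<a href="http://acme-bank-login.example/verify">https://www.acmebank.example/login</a></p>
</body></html>
"""

# Constructed legitimate sample for contrast: everything points at one domain.
CLEAN_EMAIL = """\
From: "Acme Bank" <alerts@acmebank.example>
To: someone@example.com
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>Statement:
<a href="https://www.acmebank.example/statements">https://www.acmebank.example/statements</a></p></body></html>
"""

URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    """Domain part of user@domain, lower-cased."""
    return address.rpartition("@")[2].strip().lower()


def host_of(url_or_text: str) -> str:
    """Host of a URL; bare 'www.site.example/path' link text is accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def base_domain(host: str) -> str:
    """Last two labels. Simplification: no public-suffix list (co.uk etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_cues(raw: str) -> list[str]:
    """Return human-readable cues found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    cues = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # Cue 1: the display name pretends to be an address on another domain.
    if "@" in from_name and domain_of(from_name) != from_dom:
        cues.append(f"display name claims {domain_of(from_name)} but sender domain is {from_dom}")
    # Cue 2: replies go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        cues.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain {from_dom}")
    # Cue 3: link text that looks like a URL but names a different site than the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _AnchorCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.anchors:
        if URL_LIKE.match(text):
            shown, actual = base_domain(host_of(text)), base_domain(host_of(href))
            if shown != actual:
                cues.append(f"link text shows {shown} but points at {actual}")
    return cues
```

Running `phishing_cues(SAMPLE_EMAIL)` returns two cues (the Reply-To mismatch and the link mismatch), while `phishing_cues(CLEAN_EMAIL)` returns an empty list. In production the cues would feed a quarantine decision or a banner added to the message rather than a printed list, and the base-domain comparison should use a proper public-suffix list.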
You will also need to work at keeping people aware of the risk from malicious emails. Running campaigns to keep the threat at the front of people's minds, and even sending out simulated phishing emails which display an appropriate (polite!) message if people click on a link or open an attachment, can help people keep safe.
Unfortunately the phishermen are getting increasingly sophisticated. So you will also need to advise people about how to behave safely. Teach them to:
- Avoid clicking on links in emails. Instead they should type the URL they want to go to into their browser.
- Avoid downloading email attachments unless they are expecting them.
- Avoid putting secret data into pop-up boxes on websites or into forms embedded in the email itself.
- Avoid putting secret information into emails.
In addition to training, there are some simple process-based defences that you can employ:
- Ensure that computer accounts with admin rights are not generally used to read email or browse the web. An account with admin rights can install software, including malware, anywhere on the machine, while a standard account limits what a malicious attachment can do. Giving everyday work a non-admin account is a sensible precaution.
- Reduce the number of emails that people get by discouraging the use of "Reply all" and copying or blind-copying people except where essential. The more messages people have to process, the less attention each one gets and the more likely a malicious one is to be clicked in haste, so cutting the volume helps.
There are a number of technological defences that you can also use:
- Use email spam filters; these will catch the majority of malicious emails and so make the ones that do slip through easier to spot
- Update your software regularly (the operating system, browser, email client and office applications) so that the vulnerabilities malicious attachments and websites rely on have already been patched
- Use a computer security solution that will identify malicious software in attachments and warn you about suspicious links. Everyone who goes online should use an antivirus tool; the free Windows Defender that ships with Windows is a good start, but you may want to consider a more powerful paid-for tool as well
- Consider setting email systems to strip out any HTML, including images, and deliver emails simply as text; with no HTML there are no tracking pixels and no hidden link targets, so there is far less for a malicious message to hide behind
- Consider setting email filters to reject dangerous attachment types: not only .exe files but also scripts (.js, .vbs, .ps1, .bat), installers, macro-enabled Office documents and container formats such as .iso that are used to smuggle them. Match on file content as well as the file name, since renaming an executable to .pdf is trivial
- Alternatively, set the email filters to reject any attachments and instead educate colleagues to ask people who want to send them documents to use a cloud file-sharing service; while this won't eliminate dangerous files, it will cause people to stop and think before they download files to their PC
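The two attachment policies in the last two bullets, as an added example written for this page rather than taken from the original post or any Teiss product: a gateway-side check that rejects attachments by extension (every extension in the name, so a double-extension file such as `invoice.pdf.exe` is caught) and by content (an executable renamed to `.pdf` still starts with the `MZ` header), with a switch that implements the "reject them all" alternative. The message it inspects is constructed in `build_sample`; the blocked-extension list and the names `attachment_verdicts` and `BLOCKED_EXTENSIONS` are the example's own.

```python
"""Inbound attachment policy: reject by extension and by content, or reject all.
Added example; the sample message is constructed and involves no real sender."""
import email
from email import policy
from email.message import EmailMessage

# Extensions rejected outright. Extend to fit your environment.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse",
    "wsf", "hta", "msi", "jar", "lnk", "iso", "docm", "xlsm", "pptm",
}
# Leading bytes that identify executables whatever the file is called.
MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}


def build_sample() -> str:
    """Constructed message: a double-extension file, an executable renamed
    to .pdf, and one harmless text file."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "someone@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 16  # start of a DOS/PE header, nothing more
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment("Agenda: 1. review 2. actions", filename="notes.txt")
    return msg.as_string()


def attachment_verdicts(raw: str, allow_attachments: bool = True) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment the gateway would reject.
    allow_attachments=False implements the 'reject them all' alternative."""
    msg = email.message_from_string(raw, policy=policy.default)
    rejected = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if not allow_attachments:
            rejected.append((name, "attachments not accepted; use the approved file-sharing service"))
            continue
        # Check every extension in the name, not just the last one.
        bad = {e.lower() for e in name.split(".")[1:]} & BLOCKED_EXTENSIONS
        if bad:
            rejected.append((name, f"blocked extension .{sorted(bad)[0]}"))
            continue
        # Content check: the file type is what the bytes say, not what the name says.
        data = part.get_payload(decode=True) or b""
        for magic, kind in MAGIC.items():
            if data.startswith(magic):
                rejected.append((name, f"content is a {kind} regardless of name"))
                break
    return rejected
```

`attachment_verdicts(build_sample())` rejects `invoice.pdf.exe` for its extension and `report.pdf` for its content, and lets `notes.txt` through; with `allow_attachments=False` all three are rejected with the "use the file-sharing service" reason. A real gateway would also open archives and inspect what is inside them, since a blocked file inside a .zip is still a blocked file.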
It is unfortunate, but true, that nothing you can do will make your email systems totally secure. But by working on the awareness of your colleagues and backing this up with some simple technical fixes you can decrease the risk from malicious emails very substantially.
Teiss offers a series of training workshops and online courses that will help you and your colleagues address phishing and other cyber security threats. In particular our workshop on managing internal cyber risk may well be of use.
Want to know more about how to keep your organisation safe from phishing attacks? Do you have your own tips and tricks you would like to share? Get in touch with our Head of Training and Consulting, Jeremy Swinfen Green at firstname.lastname@example.org.
Image under licence from thinkstockphotos.co.uk copyright nevarpp