Spotting phishing attempts has become quite easy for the most part, and believe it or not, the number of data breaches seen in 2020 went down significantly. Phishing scams tend to be a manual approach to extracting money and/or data from a business or individual. An additional likely cause of this decline is human nature: we are lazy when it comes to this kind of manual effort, and security has gotten better. What is on the rise, however, is ransomware: a far more automated approach to exploitation, one that holds for ransom the data that makes your business run.
This doesn’t mean that you should become lax about educating your employees on phishing scams and how to deal with them. To keep your business’ data and operations secure, you will need a two-pronged approach: teach your team how to recognize and avoid phishing attempts, and increase preparedness through simulated attacks.
Phishing Attack Method
There is a method that an average phishing attack follows for the most part:
- Posing as an employee, administrator, or even an owner of a company, an attacker will send a message.
- This message often poses as an enticing offer, something innocent, or a serious alert.
- The user is instructed to open an attachment or follow a link.
- Because messages like these arrive through ordinary channels, they often bypass security controls and reach their target.
Since this type of phishing by design can circumvent security measures, staying on top of new scam methods and educating your workforce is more important than ever.
Think Like a Hacker
By the nature of phishing, hackers often tie in current events to add some perceived legitimacy, especially if your company is public or if you regularly publish goings-on within the company. As for public and relevant events, the past year has seen a number of COVID-19-themed phishing attacks, offering updates and information to a vulnerable audience.
Hackers tend to rely on a user’s panic and impulsive reactions, hence education goes a long way when protecting your company.
Demonstrate Risky Links
Hackers will use spoofed links to fool their targets as well. A spoofed URL redirects you to an attacker’s website, or to a mirror of a legitimate website, hosted on a domain set up to capture information. To recognize something like this, let’s assume that the link is dressed up to look like one that goes to Venmo.
If the email is from Venmo, the links should go to venmo.com or accounts.venmo.com. If there is a deviation from those URLs, then something is already suspect. Also, the host name should end right after the “.com”, with a forward slash (/) following it. If the URL is something like venmo.com.mailru382.co/something, that is an adjunct address that likely doesn’t belong to Venmo, and you are being taken advantage of. A few rules of thumb to follow with URLs:
- venmo.com – Safe – the root domain.
- venmo.com/activatecard – Safe – a simple page address within the main domain.
- business.venmo.com – Safe – a subdomain, typically used to categorize a service or location.
- business.venmo.com/retail – Safe – a mixture of a subdomain and a service designation.
- venmo.com.activatecard.net – Suspect – the dot immediately after Venmo’s .com is a sign of a different domain altogether.
- venmo.com/activatecard/tinyurl.com/retail – Don’t Click! – don’t trust dots after the domain; TinyURL is used to condense hidden URLs, and in this case a nefarious redirect is most likely.
- vemno.com – Wrong! – don’t let transposed letters fool you!
Some tricks are easier to spot than others, so naturally diligence is necessary where this is concerned.
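The rules of thumb above can be turned into a small checker that staff or a help desk can run against a link before anyone clicks it. The following is an added example written for this article, not code from the original page or from MyTek; it assumes venmo.com as the trusted root domain, uses a constructed list of link-shortener hosts (tinyurl.com from the article plus two more), and approximates the registrable domain as the last two host labels, which is enough for .com/.net/.co but should be replaced by a Public Suffix List lookup in production. It generalizes the article’s transposed-letters rule to any single-character edit (substposition, insertion, deletion or adjacent swap) in the brand name.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Trusted root domain from the article: venmo.com and its subdomains
# (accounts.venmo.com, business.venmo.com) are the only legitimate hosts.
TRUSTED_ROOT = "venmo.com"

# Link-shortener hosts that hide the real destination. Constructed list for
# this example; tinyurl.com is the one the article names.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}


def host_and_path(link: str) -> Tuple[str, str]:
    """Split a link into (lower-cased hostname, path).

    Links pasted without a scheme (e.g. "venmo.com/activatecard") get https://
    prepended so urlsplit parses them as URLs instead of bare paths.
    """
    if "://" not in link:
        link = "https://" + link
    parts = urlsplit(link)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.path


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. business.venmo.com -> venmo.com.

    Heuristic only (assumption): real code should consult the Public Suffix
    List so that co.uk-style suffixes are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b.

    Counts substitutions, insertions, deletions and adjacent transpositions as
    one edit each, so "vemno" is 1 away from "venmo".
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(link: str, trusted_root: str = TRUSTED_ROOT) -> Tuple[str, str]:
    """Apply the article's rules of thumb and return (verdict, reason)."""
    host, path = host_and_path(link)
    segments = [s.lower() for s in path.split("/") if s]

    # Rule: a shortener anywhere in the link conceals the real destination.
    if host in SHORTENERS or any(s in SHORTENERS for s in segments):
        return "Don't Click!", "a link shortener hides the real destination"

    # Rule: the host must be the trusted root or one of its subdomains.
    if host == trusted_root or host.endswith("." + trusted_root):
        return "Safe", f"host is {trusted_root} or one of its subdomains"

    root = registrable_domain(host)

    # Rule: a dot right after the brand's ".com" means the brand is only a
    # subdomain of somebody else's domain (venmo.com.activatecard.net).
    if host.startswith(trusted_root + ".") or ("." + trusted_root + ".") in host:
        return "Suspect", f"'{trusted_root}' is only a subdomain of {root}"

    # Rule: look-alike brand names (transposed, dropped or swapped letters).
    trusted_name = trusted_root.split(".")[0]
    if osa_distance(root.split(".")[0], trusted_name) <= 1:
        return "Wrong!", f"{root} is a look-alike of {trusted_root}"

    return "Suspect", f"{root} is not {trusted_root}"


if __name__ == "__main__":
    # The article's own examples, run through the checker.
    for sample in [
        "venmo.com",
        "venmo.com/activatecard",
        "business.venmo.com",
        "business.venmo.com/retail",
        "venmo.com.activatecard.net",
        "venmo.com/activatecard/tinyurl.com/retail",
        "vemno.com",
        "venmo.com.mailru382.co/something",
    ]:
        verdict, reason = classify(sample)
        print(f"{sample:45} {verdict:13} {reason}")
```

The order of the checks matters: the shortener test runs before the trusted-host test so that a path smuggling tinyurl.com under a genuine venmo.com host is still refused, exactly as the article advises for the fifth example. Note the checker judges only the text of the link; a mail client that displays one URL while linking to another must be inspected by hovering over the link or viewing the raw message source.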
Provide an Approved Links List
You can give your team the safe versions of the URLs they are expected to use. This is a very intensive approach, as the list will be ever growing, but it lets them quickly check the validity of a link without exposing themselves and your company to risk.
Implement Current Password Standards
Staying up to date on your team’s passwords and making sure they are secure will go a long way. A password that can withstand a brute-force attack protects your infrastructure and reduces your exposure to phishing in the first place. You should also support these passwords with additional measures like two-factor authentication, creating more hassle for a potential hacker.
Put Your Team to the Test
Once you’ve taught your workforce what they need to watch out for, confirm that they can also apply those lessons. In a simulated phishing attack, have your team members evaluated on how vulnerable they are to this form of attack, helping you identify weak points and where more training needs to be applied.
Successful Phishing Testing
An effective phishing test cannot be one that is expected. At the same time, be ethical in how you run these tests and evaluate fairly. Too many have received backlash after running phishing tests with questionable tactics, almost doing more harm than the intended good.
But this is something we can certainly help you with, MyTek is here to assist you with your security needs. Call (623) 312-2440 to find out more.