Ever wonder why Carmen and Ken get way more malware alerts than any other user on your network? Are they loose cannons creating preventable problems for you? There are a few ways for you to help get this under control.
It turns out some people are pretty gullible when it comes to email, because after all, why would anyone send email that would cause a problem? Certainly not their bank, credit card company, or FedEx. But hackers are using a type of social engineering called “phishing” to con Carmen and Ken into unwittingly and unknowingly installing malware on their devices, and consequently on your network. They do this by closely imitating the kind of legitimate email people are used to getting all the time. Tactics include making it look like the email is coming from a trusted source, when upon closer examination the source is completely different from what you expected: the displayed name is familiar and trusted, but the actual email address is different. The email often compels the reader to click on a link or “button”. Here again, the displayed link or “button” looks trustworthy, but the hyperlink takes you places you don’t want to go.
Since everyone gets and depends on email, sending it to people like Carmen and Ken who click on things willy-nilly has become the biggest delivery method for malware and targeted attacks. Phishing attempts are becoming increasingly clever and harder to detect. Therefore teaching your users to be paranoid, vigilant and aware is an extremely important, and affordable, layer of defense for your network. Here are some quick tips to share with your users:
1) Treat all email as suspect, no matter what.
- This sounds extremely paranoid, and it is. It’s hard to get used to, but doing it will save you a lot of pain.
2) Be patient reading over email before reacting. Stop. Look. Examine.
- If your users are closely examining their email, they (and you) won’t be victims. Scan the displayed name AND the actual email address of the sender. Do they match?
3) Check out any and all links the email is trying to get you to click (WITHOUT CLICKING).
- You can do this by merely hovering your mouse over the link or “button”. Does the link that comes up in the little box look like a genuine site from the sender (your bank, credit card company, or FedEx)?
4) Does the content make you say, “What is this?”
- Most of the time there’s something a bit off about a phishing attempt. If you feel confused about why you’re getting the email or the content in any way, including misspellings, make sure you review the steps above.
5) If you’re still not sure, get it checked out by someone who handles your IT so they can help you figure it out.
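Tips 2 and 3 above are checks a script can make as well as a person: compare the sender’s displayed name with the real address, and compare each link’s visible text with where its `href` actually points. The following Python (standard library only) is an added example written for this post, not code from the original article; the `TRUSTED` brand list, the `registrable_domain()` shortcut and the sample message with its `*.example` and `example.net` addresses are all constructed for the demonstration.

```python
"""Programmatic version of the 'Stop. Look. Examine.' checks.

Constructed example: brand list, domains and the sample message are made up.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands and the domains that legitimately belong to them (constructed for
# this example; a real deployment would maintain its own list).
TRUSTED = {"yourbank": {"yourbank.example", "mail.yourbank.example"}}


def registrable_domain(host):
    """Crude 'last two labels' domain; good enough for this demo, not for
    real suffix handling (co.uk etc.)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def inspect_sender(from_header):
    """Tip 2: does the displayed name match the actual address?
    Returns a finding string, or None when nothing looks off."""
    name, addr = parseaddr(from_header)
    addr_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, domains in TRUSTED.items():
        trusted = {registrable_domain(d) for d in domains}
        if brand in name.lower() and addr_domain not in trusted:
            return f"display name '{name}' claims {brand} but address is {addr}"
    return None


def inspect_link(href, text):
    """Tip 3: the hover check. Compare the visible text with the href target."""
    target = registrable_domain(urlparse(href).hostname or "")
    if "." in text and " " not in text:  # visible text looks like a URL or domain
        shown_url = text if "://" in text else "http://" + text
        shown = registrable_domain(urlparse(shown_url).hostname or "")
        if shown and shown != target:
            return f"link shows {shown} but goes to {target} ({href})"
    for brand, domains in TRUSTED.items():
        trusted = {registrable_domain(d) for d in domains}
        if brand in text.lower() and target not in trusted:
            return f"link text mentions {brand} but goes to {target} ({href})"
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_message(raw):
    """Run both checks over a raw RFC 822 message; returns a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_finding = inspect_sender(str(msg["From"]))
    if sender_finding:
        findings.append(sender_finding)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            link_finding = inspect_link(href, text)
            if link_finding:
                findings.append(link_finding)
    return findings


# Constructed sample: a lookalike sender and a link whose visible text
# shows the bank's domain while the href goes somewhere else.
SAMPLE = """\
From: "YourBank Security Team" <alerts@yourbank-secure.example.net>
To: ken@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please verify your account:</p>
<p><a href="http://yourbank.example.net/verify">https://www.yourbank.example/login</a></p>
<p><a href="https://www.yourbank.example/help">Help Center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print("SUSPECT:", finding)
```

Running it on the sample reports two findings: the display name claims the bank while the address belongs to an unrelated domain, and the first link displays the bank’s site but points at `example.net`. The “Help Center” link passes because its text makes no claim and its target is on a trusted domain. The domain comparison is deliberately simple; a mail gateway would use a proper public-suffix list, but the logic of each check is the same one the tips ask users to perform by eye.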
There are excellent methods available to further test your users’ susceptibility, including sending them “fake” phishing email. Implementing this kind of test will help you see which users are the most susceptible and it teaches them how to detect these threats before they are unleashed.
Do you have any tips or unusual phishing stories to share? We’d love to see them in our comments section.