We’re starting Monday off with depressing news you probably already know (sorry). The numbers around phishing are not improving (we can hear you groaning from here), and there’s equally depressing data to support that claim.
The 2015 CYREN Cyber Threats Yearbook released last month reported a 51% increase in phishing URLs since January 1, 2015. Worse yet, the most recent Verizon Data Breach Investigation Report confirmed that respondents are still opening, clicking, and spreading phishy emails at blazing speed.
The uptick in new phishing URLs shows that phishing and other “hacking the human” attempts have become an increasingly prevalent way for attackers to gain access to a system. These attempts are often crafted to exploit natural human tendencies like curiosity and the desire to help others. Beyond becoming more prevalent, these attacks are also becoming more complex and more persistent by the day. Mix in staff members who are checking and responding to email faster than ever before and, well, it’s a phishing perfect storm.
The only way to protect against it is to help your staff not only recognize phishing emails, but also know how to respond when they come across one.
Institute a Simulated Phishing Attack
Simulated phishing attacks (yes, purposely sending out fake phishing emails) can provide a good deal of valuable data, allowing you to monitor the number of employees who “take the bait” on phishing attempts. Data accumulated from these attacks can be used to identify patterns, to see first-hand what types of messages carry the most risk, and to make improvements to your overall security awareness program. Once you have the results, use them as a learning opportunity to discuss phishing with staff and the types of attacks that were most successful in getting them to hand over information.
Put Proper Education In Place
Of course, simply talking to your staff isn’t enough. Once you’ve identified behavior patterns, use your Security Awareness program—both training and reinforcement—to help employees spot phishy emails. Teach employees to ask themselves things like:
- Does the email list one URL, but the hyperlink points to another?
- Does it sound suspicious? Is this the first time your bank has ever emailed you?
- Does the header information match the sender?
- Does the message ask for personal information? Is this information you wouldn’t hand over to a stranger?
- Does the email just not feel right?
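Two of the checks above (mismatched link text vs. hyperlink, and header information that doesn’t match the sender) can also be automated as a first-pass filter before a message ever reaches staff. The following is an added example, not code from the original post; the message it inspects is a constructed sample, and the hostnames in it are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the visible link text names
# the bank's site, the href points elsewhere, and Reply-To differs from From.
SAMPLE = b"""From: "Your Bank" <alerts@examplebank.test>
Reply-To: collector@mailer.example
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://examplebank.test.login-verify.example/x">www.examplebank.test/secure</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    # Hostname of a URL, or of bare link text such as 'www.site.test/path'.
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def domain_of(header):
    # Domain part of the address in a From/Reply-To header ('' if absent).
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return the training-list checks this message fails (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Check: does the header information match the sender?
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    # Check: does the email show one URL while the hyperlink points to another?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            shown, actual = host_of(re.sub(r"<[^>]+>", "", text).strip()), host_of(href)
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("WARNING:", finding)
```

A clean message returns an empty list; the sample above trips both checks. Treat the output as a prompt for the human checks in the list, not as a verdict, since legitimate mail can also use third-party link and reply domains.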
This material doesn’t have to be dry or boring; in fact, it can be humorous and (if your culture will tolerate it) a little edgy. Adding a little quirkiness to your training may actually aid your staff in absorbing and retaining the information. Maybe they’ll even be inclined to share it with others, giving it legs and spreading education about phishing.
[Video: “Phishing: What Would You Do?” from MediaPro on Vimeo]
Training should also include a response plan for how to deal with an attack. With the median time-to-click on phishing emails at just one minute and 22 seconds, your team must be able to tell immediately when something doesn’t look right, and know what to do.
Smart people continue to fall prey to phishing all the time, opening strange messages and clicking on suspicious links. Your employees are your last and most important layer of defense against phishing attempts. People who know about phishing stand a better chance of recognizing the bait and avoiding it, so make sure they, and your business, are prepared.