If your employees know how to prevent phishing attacks being successful, it can have a significant impact on your business´s online security – now more than ever. According to the July 2017 Intelligence Report from Symantec, there has been a significant increase in trojan malware that infiltrates a user´s device, steals their email credentials, and then uses the email credentials to send phishing emails from the company´s “trusted” email account. This relatively new development in phishing is concerning.
Much of the published advice on how to prevent phishing attacks being successful suggests checking the sender´s email address is legitimate, looking for design and formatting errors, and implementing email validation systems such as Sender Policy Frameworks. Unfortunately, if a phishing email has been sent from a legitimate account with the correct design and formatting, and it has been authorized by its domain administrator, this advice is not going to help prevent phishing attacks being executed.
Phishing Emails from Compromised Accounts
When a hacker takes control of a company´s trusted email account, it gives them the opportunity to conduct Business Email Compromise (BEC) scams. This scam can cost companies millions of dollars if the recipient of the BEC phishing email acts on the instructions given in the email. Even if the compromised account is not used to request the transfer of large sums of money, the fact it could be used to execute other phishing attacks, send spam and distribute malware could cost a company its credibility.
There are online security mechanisms that can mitigate the risk a compromised email account is used for sending spam and distributing malware – for example outbound email scanning – but these do not reduce the threat from BEC scams and individual phishing emails. In these scenarios, the recommended advice on how to prevent phishing attacks being successful is known as the “Three Cs” – Check, Confirm and Coach. This is how each of the “Three Cs” works:
Check
In the case of a BEC scam, users should check to see if a request to send a payment is consistent with previous requests. BEC scams are most frequently executed when the executive (allegedly) responsible for requesting the payment is out of the office. Therefore, in addition to checking the amount and destination account, users should also compare the timing of the request against previous requests and be alert to inconsistencies in the language used in the email – advice on how to prevent phishing attacks being successful that applies to every phishing email.
Confirm
In many cases, BEC scams include a message along the lines of “I am uncontactable by phone for two weeks”. No CEO or CFO is uncontactable by phone wherever he or she is, and no matter how much of a fearsome employer they are, they will appreciate a call that could potentially save the business millions of dollars. Before taking any action in an unexpected or unsolicited email, always confirm the instruction using some other channel of communication other than email. Again, advice on how to prevent phishing attacks being successful that should be applied to every phishing email.
Coach
If the reported increase in trojan malware is correct, the likely consequence will be phishing emails from compromised accounts landing in the inboxes of every employee from the C-suite down. Everybody in the business needs to be coached how to prevent phishing attacks being successful. This not only includes providing advice on checking and confirming each potential threat before acting upon it, but also on how phishing emails can be reported in order that the compromised email account can be recovered quickly and the potential damage minimized.
Coaching How to Prevent Phishing Attacks being Successful
With phishing attacks being more sophisticated, coaching employees how to prevent phishing attacks being successful also has to be more sophisticated. Emailed memos and 15-minute training sessions are unlikely to achieve their objectives, and employees need to have memorable and ongoing coaching in order to support the business´s online security efforts and the integrity of its network. For this reason, the best coaching on how to prevent phishing attacks being successful is simulated coaching.
Simulated coaching consists of employees being sent simulated phishing emails and monitoring how they react. From their reactions, lessons can be learned about their resiliency to phishing and further coaching tailored to address their weaknesses if necessary. The ultimate aim of simulated coaching courses is to condition employees to recognize and resist phishing attacks, transforming potentially the weakest links in your online security into your strongest defenses.