There are many threats on the internet today, and luckily, there are also many ways to combat them. One type of threat stands out from the lot because it always seems to find its way through organizations’ defence mechanisms: phishing. How is that? Many forms of attack leverage technology, like viruses/trojans or malformed links, and these can be fought with other technology. What makes phishing different is that it leverages many social tricks. There is a human aspect to it that needs to be fought at the user level, which is not easy to do. How do you ensure users won’t take the bait? There are ways. Keep reading to discover my simple trick to manage phishing attempts.
Phishing, or Threats in High-End Tailored Disguises
The social element is particularly strong in cases of ‘spear’ phishing or ‘whaling’, as these attacks are tailored to the recipients for maximum effect. Typically, they take the form of an email disguised as an important request from a source of authority, with, of course, malicious intent. Take, for example, an email from the Director of IT asking a user for their password because it was “lost when we moved your account to the new server” or an urgent request from the VP of Business Development who needs “100k transferred ASAP to the following account to land this major partnership”. As the messages come from an authority figure, most people just oblige the request without further questions.
Don’t Judge an Email by its Header
For more credibility, phishing attacks are often combined with spoofing. Spoofing is a technique that allows cybercriminals to alter the sender’s header so their messages look like they’ve been sent by a source their victims trust. Thankfully, this is a technological trick, and thus other technologies, like SPF and DMARC, exist to detect those messages and prevent them from making it into organizations. The biggest problems arise when spoofing is not employed, leaving only the content to give away its intent. Since technologies like AI are not there yet when it comes to detecting the patterns of these fraudulent messages, it is up to us humans to use our judgment. In many cases, IT values its own judgment over its users’ (no hard feelings). So how can IT intercept these messages before they make it to the recipients?
A Simple Trick to Manage Phishing Attempts
We usually advise a two-pronged approach. First, the non-technical issue must be addressed. All company business MUST be conducted from a company email account. This puts an end to executives using personal email addresses when communicating with other employees. The second prong leverages this at the technical level: all emails received from external sources whose sender name matches an executive’s name are quarantined and directed to a special mailbox for IT moderation. Assuming everyone is following the company policy, anything caught by this rule should be fake. If it’s not, someone can choose to let it through and follow up with the transgressor for more end-user training.
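The matching logic behind such a quarantine rule can be sketched as follows. This is an added example, not code from the original article or from any mail product. It assumes that "sender name" means the display name in the From header, that "external" can be approximated by the From address domain (with spoofed use of the company's own domain already rejected by SPF/DMARC), and that the domain, executive roster and sample messages shown are constructed placeholders.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumed for illustration: the company's mail domains and executive roster.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = ["Jane Doe", "Rahul Mehta"]

def name_tokens(name):
    """Fold case, accents, punctuation and word order: 'DOE, Jane' -> {'jane', 'doe'}."""
    text = unicodedata.normalize("NFKD", name or "")
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return frozenset(re.findall(r"[a-z]+", text.lower()))

EXEC_TOKENS = [name_tokens(n) for n in EXECUTIVES]

def should_quarantine(raw_message):
    """True if a From sender name matches an executive but the address is external."""
    msg = message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("From", []):
        for sender in header.addresses:
            if sender.domain.lower() in INTERNAL_DOMAINS:
                continue  # company policy: executives only write from company accounts
            tokens = name_tokens(sender.display_name)
            # Subset match, so extra words such as a title still trigger moderation.
            if any(exec_name <= tokens for exec_name in EXEC_TOKENS):
                return True
    return False

# Constructed sample messages (not real mail).
SAMPLES = {
    "external_exec_name": "From: Jane Doe <jane.office@mail.test>\nSubject: Urgent transfer\n\nbody\n",
    "external_reordered": 'From: "DOE, Jane (VP)" <vp@mail.test>\nSubject: Wire\n\nbody\n',
    "internal_exec": "From: Jane Doe <jane.doe@example.com>\nSubject: Budget\n\nbody\n",
    "external_vendor": "From: Acme Billing <billing@vendor.test>\nSubject: Invoice\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", "quarantine" if should_quarantine(raw) else "deliver")
```

Because matching is done on name tokens, an unrelated external sender who happens to share an executive's name is also held; that is the case where a moderator releases the message by hand.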
Tricks best who tricks last! Cybercriminals are smart, and protecting your organization requires techniques that are both pragmatic and creative. At the end of the day, phishing preys on user behavior and thus requires a change in behavior to overcome. Technology and company policies can play their part, but end-user education is very important. Remember that email is only one of the vectors that phishing can use; it can also come via text message, phone call, and other apps. Education will go a long way in helping users identify phishing scams in all their forms and safeguard not only corporate information but also their own.