Without anti-phishing controls in place, your organization is likely to face a high risk of end users falling for scams. How good do you think your employees are at spotting phishing emails?
How good are you at spotting phishing emails? Are you a grammar pedant who can spot a misplaced semicolon from 50 paces? Are you a former Spelling Bee champion or an amateur super-sleuth?
Sometimes phishing emails are so obviously fake they are laughable. You would think that a scammer who goes to the trouble of sending out millions of emails claiming to be from a reputable company would at least check the spelling of the company name. Many don’t. Error-ridden phishing emails are common, and they are easy to identify.
However, don’t believe for one second that all phishing campaigns are that easy to identify. I write about Internet security and I have nearly fallen for one in the past. Admittedly, it was a very convincing one and in the early days I was a little naïve!
I tell you this because even the security-conscious can fall for phishing campaigns from time to time. Sometimes scams and phishing emails are virtually impossible to distinguish from legitimate emails. Unless a software security solution is used, it is all too easy to inadvertently become a victim.
It used to be a rarity to receive a phishing email that was convincing, free from errors, and looked like it had been sent by a legitimate company. Today, scammers are much wiser. They know that a little time spent preparing a campaign properly will result in far more clicks and many more victims.
When you consider the money that can potentially be made from targeting business users, the time spent creating a highly convincing campaign is well worth it. Spending a few hours or even a couple of days on a campaign could make the difference between getting no clicks and netting millions of dollars. Unsurprisingly, email spammers have realized this.
Spear phishing emails are becoming increasingly common
IT security professionals will be well aware that their end users are sent phishing emails that can be identified with one eye closed. These emails are sent out randomly in the millions: fake PayPal receipts, Better Business Bureau warnings, potential lawsuits, and requests for money to help victims of natural disasters. These emails are very common. Unfortunately, they still claim many victims. If they didn’t, the spammers would stop sending them.
However, there has been an alarming rise in spear phishing emails in recent months. These are more worrying because they are expertly written and use personal information gathered about the recipient to convince them to click on a link or open an attachment. They can even appear to have been sent by a friend, or contain details taken from a social media account.
Sometimes an email will be sent to a number of individuals in a company. Other times the email targets one person. In the case of the latter, these insidious emails can be highly effective. An attacker gains access to the target’s Facebook account, either by being accepted as a friend, viewing pages that have been indexed in the search engines, or by guessing passwords. Then information posted to the user’s account can be used to construct a convincing email.
For example, you attended a school function, such as a sports day, and you post some pictures to your Facebook account. If someone had access to your account or could view your pictures (a friend of a friend of a friend for example) and they then sent you an email with a JPEG attachment, would you be likely to open it if they said they enjoyed speaking to you at the event and said they had attached a great picture of your child? How about if they mentioned your son by name? All of that information could be easily gained from Facebook without even having your password!
Simple anti-phishing controls will protect your network from spear phishing campaigns
Fortunately, defending against well-researched and expertly written phishing emails is not difficult. There are a number of anti-phishing controls that can be used to prevent the emails from being delivered, as well as controls that stop users from visiting phishing websites.
The first line of defense is to prevent the emails from being delivered. To do that you need to install a spam filter, such as the one offered by SpamTitan. SpamTitan Anti-Spam solutions prevent 99.98% of spam and scam emails from being delivered. It is one of the best anti-phishing controls you can implement to protect your workers and your network.
Secondly, all members of staff, from the CEO down, should receive security awareness training so they know how to identify a phishing email. Training need not involve day-long courses. A little information can go a very long way. Face-to-face training is better, but an email explaining how a phishing email can be identified is better than nothing. Remember to put training to the test by sending staff members simulated phishing emails to see how their training is being applied at work. This will identify the weakest links, and further training can be provided where it is needed.
Thirdly, it is possible to block users from clicking links to malware-infected websites. Employ a web filter and these and other potentially dangerous links can be blocked. SpamTitan’s web filtering solutions are ideal for this.
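The two technical controls above (a mail filter that stops delivery and a web filter that blocks dangerous links) both come down to inspecting a message and deciding whether it is allowed through. The following is an added example, not SpamTitan's code or anything from the original post, showing in miniature what such a gateway check looks like: it parses a raw email, flags a display name that claims a brand while the sending domain does not match, flags links whose host is on a blocklist, and flags attachments with executable extensions. The blocklist, brand table, risky-extension list and all three sample messages are constructed for this illustration; a real product would draw on maintained threat feeds and sender-authentication results (SPF, DKIM, DMARC) rather than hard-coded lists.

```python
"""Minimal mail-gateway style phishing check (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical blocklist standing in for a filter's reputation feed.
BLOCKED_DOMAINS = {"paypa1-secure.example", "bbb-notice.example"}

# Hypothetical table: if the display name mentions the brand, the
# sending domain must be the brand's real domain (or a subdomain of it).
BRAND_DOMAINS = {"paypal": "paypal.com"}

# Attachment extensions a gateway would typically quarantine outright.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(msg):
    """Collect every http(s) URL from the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def risky_attachments(msg):
    """Return filenames of attachments with an executable extension."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXTENSIONS)
    ]


def assess(raw_message):
    """Decide whether a raw RFC 822 message should be quarantined, with reasons."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name = name.lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # Display-name spoofing: brand named in From, but sent from elsewhere.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name and domain != legit and not domain.endswith("." + legit):
            reasons.append(f"display name claims '{brand}' but sender domain is {domain}")

    # Link blocking: the web-filter part of the check, applied at delivery time.
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            reasons.append(f"link to blocked domain {host}")

    for fname in risky_attachments(msg):
        reasons.append(f"executable attachment {fname}")

    return {"quarantine": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Service" <alerts@paypa1-secure.example>
To: user@corp.example
Subject: Your account has been limited
Content-Type: text/plain; charset=utf-8

Please verify at http://paypa1-secure.example/login
"""

ATTACH = """\
From: "Bob" <bob@friend.example>
To: user@corp.example
Subject: Photo from the event
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Here is the photo from the event.
--XYZ
Content-Type: application/octet-stream; name="photo.jpg.exe"
Content-Disposition: attachment; filename="photo.jpg.exe"

MZ
--XYZ--
"""

LEGIT = """\
From: "Alice Jones" <alice@corp.example>
To: user@corp.example
Subject: Sports day photos
Content-Type: text/plain; charset=utf-8

The album is at http://intranet.corp.example/photos
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("ATTACH", ATTACH), ("LEGIT", LEGIT)):
        print(label, assess(raw))
```

Each check is deliberately independent so that a single match is enough to hold the message: a spoofed display name is caught even when the link domain is not yet on the blocklist, and a double-extension attachment is caught even when the sender looks like a known contact. That independence is what makes layering a mail filter, a web filter and user training worthwhile; each one covers cases the others miss.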
Along with anti-virus and anti-malware software, users can be properly protected by using anti-phishing controls. All small to medium businesses should use each of the above solutions to minimize risk. A little investment in anti-phishing security measures can save a fortune in data breach remediation costs. It could also prevent ransomware and other potentially catastrophic malware infections.