User Training: The Best Defense Against Phishing Attempts
Welcome to our third and final blog in our three-part phishing series. We hope our previous two blogs have already strengthened your phishing defenses and helped you stop some phishing attempts. If you’re just joining us, as we mentioned in the previous blog, phishing attacks are one of the top causes of a data breach. In fact, the 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element – e.g. social engineering – and over 60% of those attacks were a result of phishing.
In part one and part two of this series, we wrote about what phishing attacks are and why they are so dangerous, and we reviewed some technological approaches to limit phishing. Yet some phishing attempts will still bypass spam filters, no matter how much a systems administrator tries to prevent it. This is why general cybersecurity awareness training for all users is your best defense against phishing attacks. In fact, most online training programs now include special phishing defense training and simulations (watch this 1-minute video on phishing training for more information).
Why User Training is the Best Defense Against Phishing
Many phishing attacks strive to look like normal emails from a colleague, customer, or business associate. Training all organization team members to be cautious and vigilant about cybersecurity is a critical component of thwarting phishing attempts. Here are some tips for phishing prevention:
- All organization team members should be taught how to examine the “from address” on their email so they can see the true domain the email is coming from.
- Users should be trained on how to identify URLs and addresses in hyperlinks, whether hidden or not. This can be done by either hovering over the hyperlink to expose the true address, or by right-clicking, copying the address, and pasting it into a text editor to view. Malicious actors may try to use URL shorteners to hide their phishing link even further – users need to know how to unshorten those URLs. The easiest way to do this is to use a service like http://checkshorturl.com, which will show the long address of a shortened URL.
- Team members should be trained on how to use services like Google Safe Search or Norton Safe Search. These sites let a user enter a URL and return a score indicating whether the site appears safe. Although they are not 100% foolproof, they can give some idea of whether a site should be trusted without actually visiting it.
- Teach all users that external addresses that ask them to click a link or download a file should not be trusted until they verify security fundamentals. If they are not absolutely sure who the sender is or they are being asked to do something in an unusual way, they should report that email to IT and wait for further instructions. Malicious actors often use emails that attempt to confuse or mislead users into clicking a link or downloading an attachment by presenting a receipt or form that the user needs to know about. If the user is suspicious or unsure of an email, they need to be able to contact someone from IT to get more info.
- Users should be trained to not immediately trust sites that use a valid SSL certificate – as discussed before, a valid SSL certificate does not ensure a site is not malicious. Users should be educated that clicking on a link can be just as dangerous as submitting credentials and can have devastating effects on an organization. Malicious file attachments can very easily spread malware, the most common attack vectors being Microsoft Word documents that use macros to download a payload and PDF documents containing malicious code. Users should be aware of just how dangerous downloading and opening these file attachments can be.
- If it seems too good to be true – it probably is. Malicious actors try to entice users in many different ways, including ploys of free items, winning money, or providing crucial information. Phishers will also try to trick you using fear tactics. They will send you a receipt that thanks you for your purchase of an expensive product or service, and it will also say to contact them using a special link if you have any questions or concerns. These tactics often go hand-in-hand with another common tactic, which is to create a sense of urgency by imposing a deadline or threatening a negative outcome if the user does not respond quickly. There are many different scams criminals use in their phishing attacks. Train your users to first verify these types of emails with IT or their manager before responding to or interacting with them.
- Regularly remind your users to watch for phishing attacks. We have a few free resources that you can send directly to your team as reminders:
- Tip Sheet: How to Spot a Phishing Email. This tip sheet can be sent directly to anyone in your organization and shows users the most common ways to identify phishing attempts.
- Video: What is Phishing? For users who are not familiar with phishing attacks, this short video provides an overview.
- Tip Sheet: How to Stop Phishing Attacks. This tip sheet summarizes strategies to avoid getting caught by phishing attempts.
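The first two tips above (check the true domain behind the “from address”, and compare what a link shows with where it really points, including shortened links) can be automated for training material or a mailbox triage script. The following is an added example written for this post, not a tool from the original blog; the sample email, its domains, and the list of shortener hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Known URL shorteners: a shortened link hides its true destination and needs unshortening.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed sample (not a real email): the display name is itself an address on a
# trusted-looking domain, one link's visible text disagrees with its href, one is shortened.
SAMPLE = """From: "billing@acme.example" <alerts@acme-example.invalid>
To: user@corp.example
Subject: Your invoice
Content-Type: text/html

<html><body><p>Review it at <a href="http://acme-example.invalid/login">https://acme.example/invoice</a>,
see the <a href="https://acme.example/help">help</a> page, or <a href="https://bit.ly/xyz">track it</a>.</p>
</body></html>
"""

def host_of(text):
    """Lowercase host named in a URL, e-mail address or bare domain inside text, else ''."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""

def links_in(html):
    """(visible text, href) for each anchor: what the user sees vs. what hovering reveals."""
    pairs = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(re.sub(r"<[^>]+>", "", text).strip(), href) for href, text in pairs]

def phishing_red_flags(raw_message):
    """Findings for the checks in the tips: true sender domain, hidden and shortened links."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    real = addr.rsplit("@", 1)[-1].lower()   # domain the mail really comes from
    claimed = host_of(display)                 # domain the display name suggests, if any
    flags = []
    if claimed and claimed != real:
        flags.append(f"sender: display name suggests {claimed}, real domain is {real}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for text, href in links_in(body):
        shown, actual = host_of(text), (urlparse(href).hostname or "").lower()
        if shown and shown != actual:
            flags.append(f"link: text shows {shown}, href points to {actual}")
        if actual in SHORTENERS:
            flags.append(f"link: {href} is shortened, unshorten it before trusting it")
    return flags
```

Running `phishing_red_flags(SAMPLE)` returns three findings: the display-name domain does not match the real sender domain, the first link's text names a different host than its href, and the last link goes through a shortener.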
Build a Security-Conscious Company Culture
Training all users to be cautious is the best defense against phishing, but training should also make clear that the IT team is accessible and would rather investigate an email a user thinks is suspicious than have to backtrack and remediate a phishing incident. It is always easier to stop a phishing attack before it happens than to investigate and remediate it after the fact. Additionally, users should be taught to immediately report any incident where they may have fallen for a phishing attempt, rather than try to sweep it under the rug and hope no one finds out.
Many internal phishing attempts are successful because of a lack of communication. Users should be taught ways to verify a sender other than by replying over email. For example, they can get secondary verification by walking over to the original sender in person and asking about the email, or by calling them at a known number.
Once you have trained your internal team and built a security-conscious culture, periodic phishing tests can be an effective way for organizations to check whether user training is working. If you find security gaps, schedule another post-test cybersecurity awareness training. We also recommend post-test communication with your entire organization to review the phishing attempts that succeeded during the test and point out any “red flags” that users should have picked up on.
We hope you have found our phishing blog series educational! Please contact us if you need help with cybersecurity awareness training or would like to schedule phishing or social engineering testing. We can manage the entire training process for you and take the administrative burden off your internal team while ensuring a cybersecurity expert oversees your team’s learning path. You can also start training your team today by downloading our tip sheets on How to Spot a Phishing Email and How to Stop a Phishing Attack and sharing these tip sheets directly with your team.