Email is the most common vehicle for phishing attacks. But hackers also try to hijack other channels—text messages, phone calls, social media instant messaging, communication tools like Slack, and even faxes or regular mail.
Cybercriminals who send phishing attacks hope to fool end-users into thinking they are someone they know. Threat actors also hope to convince end-users to click on links that take them to a malicious website or to open a file that embeds malware. Or they try to trick end-users into sharing sensitive information. Should hackers succeed, they can gain access to a user’s account credentials. They may then be free to move laterally across your network to capture the credentials, or access the files, of high-privileged accounts.
It’s also common for phishers to spoof the identity of higher-privileged accounts—someone in a senior leadership position such as the company president, CEO or CFO. Or if the cybercriminal has access to the company org chart, they may try to spoof the manager of a department. Cybercriminals know employees are more likely to respond to someone holding a management or senior position.
Teaching End-Users to Watch Out for Common Phishing Indicators
To avoid phishing attacks from impacting your business, it’s critical to train employees to always scrutinize emails and other communications, even if a message appears to be from someone they know. Here are some of the key indicators to pass along to your internal teams so they will know if they have possibly received a phishing message:
- A message that arrives from an unknown person.
- The sender is known, but they make an unusual request.
- The display name in the email header or on caller ID is different from the name of the person trying to communicate.
- A URL that points to an unknown domain (ALWAYS hover over links first to see their destination).
- An unlisted phone number.
- Spelling errors.
- Unusual formatting, design or attachment file extensions.
- Unexpected attachments.
Emails with very large pictures can also present a danger. Clicking on what looks like white space may launch a malicious link, because the entire image is wrapped in a link and the whole email is effectively clickable. It’s best to train end-users to not click on anything at all within a suspicious email.
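The indicators above are checks a person applies by eye, but several of them can also be applied automatically to a message before it reaches an end-user. The following is an added example, not code from the original article or from any product it mentions: a small Python script, using only the standard library, that parses a raw email and flags an unknown sender domain, a display name that borrows an executive's name while coming from another domain, link text whose visible domain differs from the real destination (the automated form of "hover over links first"), links to unknown domains, a body that is one big clickable image, and attachments with executable-style extensions. The corporate domain, executive names, allowlist, extension list and both sample messages are constructed assumptions for the example.

```python
"""Flag common phishing indicators in a raw email message (added example, stdlib only)."""
import email
import os
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVE_NAMES = {"jane doe"}                    # assumed names phishers might impersonate
KNOWN_DOMAINS = {CORP_DOMAIN, "partner.example"}  # assumed allowlist of trusted domains
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}


class LinkCollector(HTMLParser):
    """Record each <a> (href, visible text, whether it wraps an <img>) and text outside links."""

    def __init__(self):
        super().__init__()
        self.links, self.outside_text, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href") or "", "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
        else:
            self.outside_text.append(data)


def host_of(url):
    """Hostname of a URL; a bare domain such as 'portal.example.com/login' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_known_domain(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def phishing_indicators(raw_message):
    """Return human-readable findings for the message; an empty list means nothing fired."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    def add(text):            # keep findings unique when several links repeat one problem
        if text not in findings:
            findings.append(text)

    # Sender: unknown domain, or an executive's name on a non-corporate address
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if not is_known_domain(sender_domain):
        add(f"sender domain '{sender_domain}' is not a known domain")
    if any(n in display_name.lower() for n in EXECUTIVE_NAMES) and sender_domain != CORP_DOMAIN:
        add(f"display name '{display_name}' impersonates an executive but comes from '{sender_domain}'")

    # Links in the HTML body: unknown destinations and text/href domain mismatches
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for link in collector.links:
            href_host, shown = host_of(link["href"]), link["text"].strip()
            if href_host and not is_known_domain(href_host):
                add(f"link points to unknown domain '{href_host}'")
            if shown and " " not in shown and "." in shown and host_of(shown) != href_host:
                add(f"link text shows '{host_of(shown)}' but points to '{href_host}'")
        # A linked image with almost no text outside links: the whole message is a link
        if any(l["has_img"] for l in collector.links) and len("".join(collector.outside_text).strip()) < 40:
            add("message body is a clickable image; clicking anywhere on it follows the link")

    # Attachments: executable-style extensions, including double extensions like .pdf.exe
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            add(f"attachment '{name}' has a risky extension '{ext}'")
    return findings


# Constructed sample: look-alike sender domain, mismatched link, image-only body, .pdf.exe file
SAMPLE_MESSAGE = b"""From: "Jane Doe (CEO)" <jane.doe@example-c0rp.test>
To: staff@example.com
Subject: Quick favor
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://login.example-c0rp.test/verify"><img src="cid:banner" alt="Sign in"></a>
<a href="http://login.example-c0rp.test/verify">https://portal.example.com/login</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign sample: internal sender, plain text, no links or attachments
BENIGN_MESSAGE = b"""From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Team lunch Friday
Content-Type: text/plain; charset="utf-8"

Lunch is at noon in the main conference room.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MESSAGE):
        print("INDICATOR:", finding)
    print("benign message findings:", phishing_indicators(BENIGN_MESSAGE))
```

Run against the constructed sample, the script reports six indicators (unknown sender domain, executive impersonation, unknown link domain, link text/destination mismatch, clickable-image body, risky attachment) and none for the benign message. The checks are deliberately simple heuristics: they complement, rather than replace, a mail gateway's filtering and the end-user training described above.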
When Mistakes Occur, Tell IT Right Away
If an end-user is unsure whether a message, attachment or voice mail could be harmful, ask them to immediately reach out to IT. And if someone responds to a message by mistake—clicking on a URL, opening an attachment, or providing sensitive information—they should also tell the IT team right away.
IT may be able to remediate the situation or at least limit the damage. If an end-user tries to cover up a mistake, they risk further damage to their account and to the entire company.
With immediate notice, IT can take measures to protect other end-users and the digital assets within your network’s infrastructure. IT can also investigate the source, which may allow them to block similar phishing attempts. They may find similar messages sent to other end-users and can immediately delete them from those users’ inboxes, or find out whether other end-users also clicked on the malicious link.
Getting end-users to notify IT when they have made a mistake can require culture change. People don’t like to confess, hoping no one will find out what they did. But this leaves the door open for damages that can snowball. End-users must feel comfortable that they can come forward without repercussions.
Attacks May Begin with Innocuous Questions
When cybercriminals send phishing messages, they usually start with an innocuous question or comment. They may go back and forth a couple of times to build rapport with the end-user. Once they sense trust, they will then ask for sensitive information that allows them to compromise the organization—such as personal information about employees or access to files containing intellectual property.
Ask your end-users to be particularly wary of fake accounts on social media, where it’s easy to copy a publicly available picture of someone and create a fake account. The hacker may even try to connect with people the user is connected to on that social media platform so others will believe they actually are that person.
Empower IT to Educate and Test the Company
As you educate your employees on how to avoid phishing attacks and other best practices for protecting their accounts and the digital assets of the company, empower your IT team to deliver refresher training on an annual basis. Every end-user needs reminders about the basics of cybersecurity, and you want to keep them informed of the new cyber tactics that keep emerging every year.
Also consider internal testing. Microsoft offers phishing test software (Attack Simulation) so IT can attempt to dupe your end-users. Once you run such a program, end-users are less likely to click on real phishing attacks as they learn their lesson. You can even require those who fail the test to take additional security classes. And IT will learn who their most susceptible end-users are and know to watch out for them.
At the same time, it’s impossible to keep every end-user from clicking on malicious content and sharing sensitive information. This makes it imperative to deploy additional security measures like multi-factor authentication, which can block cybercriminals should they acquire a user’s credentials. It’s also helpful to use single sign-on, so a user’s access to multiple systems can be shut off all at once if their account is compromised.
And by implementing Azure Active Directory or Microsoft 365 Business Central, you can benefit from pre-configured security features that leverage artificial intelligence. Both solutions come with multi-factor authentication and advanced threat protection tools that filter out many malicious emails before they hit end-user mailboxes. The solutions can also validate safe and harmful URL links and identify spoofed emails.
Don’t Just Click!
For more information about defending your company against phishing attacks, contact Stratos Cloud Alliance today. We can also conduct an assessment of your overall security posture to determine if you have any gaps in your digital asset defenses.
In the meantime, continue to have your end-users be on the lookout for phishing attempts and report them to IT. Practice safe habits and always question suspicious communications before taking action—don’t just click!