How gullible is your average user when it comes to clicking on a link from an unknown source?
In a recent research project conducted by researchers at Friedrich-Alexander University in Germany, they sent 1,700 emails to simulate a phishing scam. The results were rather disturbing.
They found that 56% of the recipients opened the phishing email and clicked on the link. When later interviewed, 70% of the people that opened the email said that they were aware that phishing scams exist, but they didn’t realize they had clicked on a suspicious link.
Phishing Is Out Of Control
Phishing costs an average-sized company approximately $4 million annually. Some popular types of phishing attacks include:
- Whaling attacks, where hackers use similar or spoofed domain names to send out targeted attacks.
- Since many people consider SSL sites to be secure, hackers buy cheap SSL certificates and apply them to their phishing websites to make them appear more legitimate.
- Hackers insert malicious software into systems that shuts down the power and prevents them from rebooting. Approximately 700,000 people lost power in Ukraine after a phishing attack like this.
These are just a few examples of how phishing has gotten out of control. The question becomes, how do we reduce the risk? Take a look at the 7 ways to prevent phishing attacks:
- Use Gamification To Train Your Employees: Rather than forcing employees to watch tired videos or listen to the same person stand in front of them and ramble on about cybersecurity, use gamification to make the training more interesting. This process will need to be repeated every couple of months. It can be as simple as having people report when they receive phishing emails. For each report, they receive a badge. Once they get enough badges they can be eligible for gift cards, etc. You can also keep a leaderboard to track who has earned the most badges.
- Train Everyone (Whether They Think They Need It or Not): Make sure you include the entire company, including senior management, in these training sessions. The attendance should be mandatory and tracked to see who attends each meeting.
- Use Real-world Examples: Don’t just talk about phishing attacks! Provide real-world examples of attachments, links, fake websites, and downloads so users can see how these attacks appear.
- Be Suspicious of Attachments: If an email with an attachment comes from a normally trusted source but the recipient isn’t expecting it, train your employees to forward that message to the sender (without the attachment) to verify they actually sent it (or even better, call them and ask).
- Watch Out for “Phishy Links”: Train your employees to hover the mouse cursor over any link to verify that the URL it actually points to matches the sender’s domain. Be careful of subtle misspellings or misleading domain names (e.g. gmail.questionable-site.com, where the real domain is questionable-site.com, not gmail.com).
- Let Them Know You Will Be Monitoring Their Progress: Let employees know that IT will be monitoring security and will receive reports to compare against how many people are participating in the games. Those that don’t participate may need additional training.
- Make Your Network Ready: Take the following steps to make sure your network is ready:
  - Set up a spam filter that blocks known malware, viruses, etc.
  - Apply security patches to computers
  - Use malware protection on your network
  - Set up network filtering to block phishing sites
  - Create a secure data exchange for confidential information
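The “hover over the link” advice above can also be turned into a check that a mail gateway or a training tool runs over an incoming message. The following Python script is an added example, not code from the original article: it pulls every link out of an HTML email body, compares the domain the link really goes to with the claimed sender’s domain, and separately flags links whose visible text names one domain while the href goes to another. The sender address, the HTML snippet and the domain names are constructed for illustration; the script also assumes the last two labels of a hostname are the registrable domain, which is a simplification (a real tool would consult the Public Suffix List so that hosts like example.co.uk are handled).

```python
"""Audit links in an email body the way the hover-over advice suggests.

Added example, not part of the original article. Two checks per link:
  1. the domain the href really points to differs from the sender's domain
     (catches subdomain tricks such as gmail.questionable-site.com), and
  2. the visible link text names a different domain than the actual href.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: an HTML message claiming to come from alerts@gmail.com.
SAMPLE_SENDER = "alerts@gmail.com"
SAMPLE_HTML = """
<p>Your mailbox is full. <a href="https://mail.gmail.com/quota">Manage storage</a></p>
<p>Or sign in here: <a href="http://gmail.questionable-site.com/login">https://gmail.com/login</a></p>
<p>Help: <a href="https://support.gmail.com/help">support page</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'mail.gmail.com' -> 'gmail.com'.

    Assumption: two labels are enough for this illustration. Production code
    should use the Public Suffix List so that 'example.co.uk' works too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def url_domain(text: str) -> Optional[str]:
    """Registrable domain of a URL-looking string, or None if it is plain text."""
    candidate = text.strip()
    if "://" not in candidate:
        if not candidate.lower().startswith("www."):
            return None  # ordinary link text such as "Manage storage"
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return registrable_domain(host) if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(sender: str, html: str) -> List[Dict]:
    """Return one finding per link, with the reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    expected = registrable_domain(sender_domain(sender))
    findings = []
    for href, text in parser.links:
        actual = url_domain(href)
        reasons = []
        if actual != expected:
            reasons.append(f"href domain {actual!r} != sender domain {expected!r}")
        shown = url_domain(text)  # only set when the link text itself looks like a URL
        if shown is not None and shown != actual:
            reasons.append(f"visible text says {shown!r} but href goes to {actual!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_SENDER, SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run against the sample, the first and third links pass because mail.gmail.com and support.gmail.com both reduce to gmail.com, while the second is flagged twice: its real domain is questionable-site.com, and its visible text claims gmail.com. The point worth carrying into training is the same one the bullet makes: a check must look at the registrable domain of the host the link actually resolves to, not at whether a familiar name appears somewhere in the URL.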
Even with all of this, expect an occasional link to get clicked. When it happens, make sure your network tools are ready to remove any infected machines from the network and restore them to their previous state. Make your security efforts a success by preparing for your next phishing attack today. To learn more about securing your data and how to prevent future breaches visit our new website.