It is common belief in the field of cybersecurity that human users are the weakest link of security in your environment. You may consider that the following statistics justify this belief:
43% of people have made mistakes at work that have compromised security
25% of employees said they have clicked on a phishing email at work
74% of breaches involve the human element
However, users can’t receive all the credit for being the weakest part of their cyber environment. The lack of proper cyber training employees receive is arguably the weakest link of the entire structure of your environment’s cybersecurity.
In late 2022, Arctic Wolf conducted a worldwide survey of over 700 global IT security decision makers to understand their priorities and anticipated challenges for the year ahead. Arctic Wolf discovered that security awareness training still — even after social engineering attacks have wreaked havoc for years — remains on organizations’ “to-do” lists. In light of this discovery, it’s safe to say that expecting employees to naturally identify and mitigate social engineering attacks like phishing without receiving the proper training is unrealistic.
With the proper cyber training your employees will become your first line of defense; a human firewall protecting your data, your reputation, and your finances. Below are five ways for employees to spot — and stop — a phishing attack.
5 Ways to Avoid Falling for Phishing Attacks
1. Keep Your Guard Up
If you receive a message that seems suspicious, don’t confirm those suspicions by engaging with it. When you reply to a phishing message in any way, even to tell them “I know this is phishing,” or “Nice try,” you let cybercriminals know they have your attention.
You instantly become a more active target once you confirm there is a real person at the other end of the inbox, ready and willing to engage. They will focus more energy on you, sending you multiple phishing attempts with ever-more enticing scams to try and trick you into sharing your information.
2. Don’t Trust. Verify.
If you receive a message claiming to be from a co-worker or your boss, don’t just accept the message as genuine. In today’s digitally connected world, it’s all too easy for threat actors to use social media and other publicly posted information like company reports and filings to learn plenty about an organization’s inner workings, including organizational hierarchy and who reports to whom. Then it’s a simple matter of assuming the role and making the ask, whether it’s to send a payment to a fraudulent third-party, open a malicious file, or forward confidential information, to name a but a few possible routes.
Whenever you receive an unexpected email from a colleague or vendor, verify that the sender is who they are claiming to be by performing a secondary check. Slack your co-worker, knock on your boss’ door, or call your rep at that third-party vendor. Verify they’ve sent that email, and that they are the ones requesting you to take that next step.
3. Check for Unexpected
When a message you don’t expect, or one you find the least bit suspicious, arrives in your inbox, take a few moments to tick the following boxes:
Check the address in the From field. Is everything correct? Is that really a W or two VVs?
Give it a spellcheck. Phishing emails are notoriously known for misspellings and grammar errors.
Hover over hyperlinks. The bottom of the webpage will display the URL the box or hyperlink redirects to. If it looks wrong, it probably is.
4. Go Slow on Mobile
Cybercriminals understand human psychology. They know that we are more prone to errors when we are distracted or multitasking. That’s why phishing attacks will often be launched outside the target’s typical office hours — they’re trying to catch you on your phone.
In 2022, mobile phishing attempts increased by 50% year-over-year
11.8% of enterprise users clicked on six or more malicious links in a single quarter
When checking your email on your phone, give it the same level of focus you would if you were seated at your desk. In fact, give it more. If there’s any email that raises suspicions, save the additional verifications and investigations listed above until you’re back in front of your work monitor.
5. Keep Calm and Email On
When they can’t rely on you to be distracted, they can rely on you to be human. Human actions are run by emotion far more often than logic. Phishing emails play on our emotions by creating a sense of urgency. It could be a notification that you logged in somewhere you didn’t, an offer that sounds too good to be true, a warning that some compromising behavior of yours has been captured on video, a sudden inheritance from someone you’re not related to, or a message from your CEO. Whatever the message is, they all share a common trait: the clock is ticking.
Any sense of urgency in an email should be treated with suspicion until you’ve followed the other steps above and verified the email is what it’s claiming to be and is from who it’s claiming to be.
Bonus Steps:
Work Where They Conduct Security Awareness Training
According to IBM’s 2023 Cost of a Data Breach Report, employee training has been shown to reduce the average breach cost by $232,867 USD.
Continuous security awareness education (meaning a program that is conducted weekly or monthly, not just annually) combined with regular phishing simulations significantly increases the ability of employees to make proactive choices that adhere to more secure standards.
An effective security awareness program will improve and reinforce employee behavior. This has a positive effect on an organization’s ROI, as it not only ensures the organization performs cybersecurity best practices, but also alleviates the amount they need to spend on cyber threat mitigation. Discover the value of a security awareness program for your organization.
Utilize a Technology Services Provider That Handles All the Security Operations For Your Business
GFI Digital is an Advanced Technology Services provider that offers security operations to protect your business from security breach. We are a value added reseller (VAR) of Cisco, Meraki, Duo, Mimecast, Arctic Wolf, and more. With these partners we can customize and implement top-notch security for your cybersecurity environment. We can manage Multi-Factor, Firewall, Email Security, Web Security, Endpoints, and Managed Detection and Response/ SIEM. With these capabilities we can prevent, detect, analyze, and respond to cybersecurity incidents. Contact us today to learn more about how we can enhance and protect your cyber security environment.
Information sourced from Arctic Wolf.