How to train your employees to spot phishing attacks: 5 Things they need to know

How to train your employees to spot phishing attacks: 5 Things they need to know

Recent research by Trend Micro revealed that 91% of cyberattacks start with a phishing scam. Since these scams exploit human weakness rather than vulnerabilities in technology, it’s now clearer than ever that employees are the weakest link in information security. No matter how robust your processes, policies, and solutions might be, your staff are the first and last line of defense, hence the need for an ongoing awareness training program.

#1. Email addresses can be spoofed

Social engineering scammers deploy many tactics to disguise their emails to make them look as though they come from a legitimate business. The simplest and most common tactic is to use visible alias spoofing. This takes advantage of the fact that, especially on mobile devices, only the sender’s name is displayed, while the email address is hidden unless you tap on the name to find out more. For example, you might get an email from "Bank of America" but the email address is “xyz@gmail.com”. In this case, the attacker assumes that most busy people won’t check the email address.

Other common tactics include domain spoofing and close cousins, in which the email domain used is similar, but not the same, as one belonging to a legitimate company. For instance, a legitimate email address like “support@bankofamerica.com” might be spoofed as “support@bankofamerica.co”.

#2. Subject lines often try to inspire fear or urgency

Phishing scams are all about manipulation. Phishing emails that demand sensitive information often use threatening language. Common signs include threats of account closures, although any threat of personal loss is possible. However, the most dangerous phishing emails tend to be far more subtle, using similar tactics to those of legitimate businesses to build trust. Take note though that, a real business will never ask you for things like login information through email or any other channel, and neither will they ask for financial details outside of a known and secured platform.

#3. Attacks are becoming more personalized

Look in almost any spam folder, and you’ll no doubt find a multitude of phishing scams carried in bulk. These are typically the ones that make no effort to target specific individuals and are easy to spot by their generic salutations and lofty promises.

Far more dangerous are the targeted scams, also known as spear-phishing scams. Smarter scammers conduct extensive research into specific victims so they can masquerade as someone the potential victim knows. Just because a sender knows your name, job title, and other personal information about you doesn’t mean they’re genuine.

#4. Scammers often use real branding

Brand logos, trademarks, and even authentic-looking user interfaces provide no guarantee that an email or webpage is the real thing. To build trust, scammers might even link to a website that looks exactly like its legitimate counterpart to dupe users into surrendering their login credentials. Similarly, antivirus and other trust badges can easily be copied into a phishing email. While most email filters can easily spot known phishing URLs, it’s a lot harder to spot counterfeit images unless they have computer vision and machine learning capabilities. Even then, none of these solutions are perfect.

#5. Phishing isn’t just about email

When it comes to social engineering, email tends to get the lion’s share of attention. Although it’s true that most phishing attacks use email, attackers are exploiting many other channels as well, with social media and instant messaging being the next most popular mediums. Attackers may attempt to communicate through any platform, such as Skype, WhatsApp, Facebook, or any other that enables people to send unsolicited messages or invitations to connect. Some scams use the phone or SMS, while a few even rely on postal service. Your training program should cover all the communication channels that your business uses.

Founders Technology Group offers a full range of information security services so that you no longer have to worry about leaving your business vulnerable. Call us today to find out more.