Things Matt Wrote

infosec

My agency recently conducted a “phish your own” campaign and the results were, as usual, disappointing. Or maybe shocking. I was unaware that the message was going to be sent, but as soon as it hit my inbox, I asked my office mate if he had also received the message. Upon an affirmative response I declared it a phishing simulation, as there was no way the spam filter would not have caught it. The email had more red flags than a pre-hurricane beach. Yet, ridiculous as the email was, over twenty people still fell for it. In a real-life situation that is twenty opportunities for the attackers to access our network.

So here are a few quick and easy ways to spot a phishing message.


I cannot dismiss the similarities between the current COVID-19 threat to human life and the threat of damage from cyber actors that businesses face every day – and have since they plugged into the Internet. Of course, it must be understood that the stakes are much higher when humanity is facing down a deadly virus, as the ultimate end can be death, not the loss of money, data, or reputation.

In the debate over when to “re-open” our now closed lives and return to “normalcy”, the news reporters and pundits often dwell on the question of risk. But they rarely get it right.


The user is the weakest link. Long live the user.

All of us involved in the information security domain know that the end-user is the weakest link in the security framework. Empirical study and anecdotal experience back this up. The bad guys know this and exploit it to maximum benefit. The 2019 Verizon Data Breach report details that 94% of all cyber breaches start with an email. Yet as security professionals, we also realize that it is unfair, and bad form, to blame the end-user, particularly if they haven’t been properly trained.

Of course, it is easy to blame the user. Oh, how easy it is. Who clicked the link, answered the phone, or fell for the ridiculous story and sent the wire transfer? And they have received training. Well, at least a 15-minute lecture or a 3-minute video.
