Email is one of the oldest “modern” forms of communication. While it provides near real-time discussion, alerts and sharing, it has also become one of the most popular ways attackers gain access to locked-down business environments. Despite powerful security products and diligent IT departments, it is often awareness and education that keep corporate environments secure.
While viruses, Trojan horses and other malicious software remain high on the list of security concerns, email scams, specifically phishing scams, are crafted to socially engineer a way into secure business environments.
A Pew Research survey from September 2013 showed “21 percent of Internet users have had an email or social networking account compromised or taken over by someone else without permission.” The survey was based on telephone interview data of a sample of 1,002 adults ages 18 and older.
According to the 2014 US State of Cybercrime Survey, published in May 2014 and co-sponsored by PricewaterhouseCoopers, the U.S. Secret Service and others, the most frequent types of cybercrime incidents are malware, phishing, network interruption, spyware and denial-of-service attacks.
Current security suites and modern browsers do include features that warn users before they reach malicious or fraudulent sites, but those protections depend on blocklist updates reaching end users, and how quickly that happens varies with the product and how up to date the installation is. To close that gap, many businesses are turning to the tried-and-true method of awareness and education to reduce the number of security incidents that begin with a phishing attempt.
Testing Employee Cyber Safety Knowledge
McAfee, a subsidiary of Intel Security Group, recently posted a Phishing Quiz to raise awareness and drive education. Quiz-takers are presented with 10 real emails, legitimate and phishing alike, that appear to come from a variety of popular banking and social sites.
Within an emulated email client, users can probe each message’s validity by hovering over links and inspecting sender addresses, and are then asked to decide whether the email is legitimate or a phishing attempt.
Once the quiz is completed, the user receives a score and has the opportunity to dive into why a particular email is or is not legitimate.
“IT guys are so tired of their employees forwarding emails to them asking them: ‘Hey, is this a phishing attempt or a real email? I can’t tell,’” said Dave Bull, director of product marketing of Content Security Technology at McAfee, about the inspiration behind the quiz. “We wanted to alleviate the pain of the IT guy and we wanted to empower the employee as much as possible.”
Since May 12, most quiz respondents have identified only six or seven of the 10 emails correctly, 65 percent accuracy on average, and fewer than 10 percent correctly classified every example as legitimate or phishing, according to McAfee. Bull said one company that participated in the quiz discovered its lowest-performing group was finance, the “people handling the money.”
Another Way to Test and Train Employees
Corporations can take other approaches to training their employees. Companies such as PhishMe and KnowBe4, which provide security awareness training and testing, offer programs that test employees with simulated phishing attacks.
KnowBe4 sends simulated phishing emails to a pre-defined set of addresses within a business. The results of the test are then reported to the company, showing overall success or failure as well as the individual employees deemed “high risk” based on how they responded.
“The bad guys are business people too. They pick the low-hanging fruit and get into networks the easiest way – social engineering the end user,” says Stu Sjouwerman, founder and CEO of KnowBe4. “Employees need to be inoculated against this as part and parcel of every organization’s defense-in-depth deployment. Simulated phishing attacks are by far the best way to do this.”
In 2013, KnowBe4 conducted 3,600 phishing tests for its customers. From an initial baseline of 15.9 percent of users clicking on phishing emails, the average 12 months later was 1.28 percent; the 12-month period also included training.
A “Prairie Dog” phenomenon was regularly observed, according to Sjouwerman: on receiving a simulated phishing email, employees would pop their heads out of their cubicles to ask co-workers, “Hey, did you get this email too?”
An Ounce of Education
McAfee and other security experts recommend several ways to avoid being “phished.”
- Update your software – This includes browsers, operating systems, email clients and security software.
- Verify emails – Sending servers can be compromised and headers forged, so make sure any link you click comes from a trusted source, or go to the site directly by typing its Web address yourself.
- Not every email is real – Scammers are getting increasingly good at forgery. While some fake emails contain misspellings, bad formatting or poor grammar, some newer scams are practically indistinguishable from valid emails.
- Not every email ADDRESS is real – Scammers have become equally good at spoofing sender addresses, so a familiar-looking From address is not proof of origin.
- Check URLs carefully – Always hover over (or long-press on a smartphone) any URL in an email: the visible link text may look legitimate while the actual destination is a malicious site.
- It’s not only email – Malicious social engineering has evolved beyond email. Sophisticated outbound (and inbound) phone scams are used in conjunction with email phishing. Don’t call numbers that appear in seemingly legitimate emails; they may lead to fraudulent call centers.
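The “check the address” and “hover over the link” advice above can be turned into a small triage script that an IT team could run over a forwarded message before answering the “is this real?” question. The following is an added example, not code from McAfee, KnowBe4 or the article; it is written in Python against a constructed sample message. Its heuristics are deliberately simple (a regex to spot hostnames in free text, and a domain comparison that keeps only the last two labels), it does not check SPF or DKIM, and a production version would use a public-suffix list instead of the two-label shortcut.

```python
"""Phishing triage for a raw RFC 5322 message.

Flags three things the checklist tells a user to look for by hand:
  * a From display name that names a domain other than the sender's,
  * a Reply-To on a different domain than From,
  * HTML links whose visible text names a host other than the href's
    (the "hover over the link" check).
Added example; SAMPLE_EMAIL below is constructed, not a real message."""
import re
from email import message_from_string, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside free text (assumption: crude).
HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)


def registrable(host):
    """Collapse a host to its last two labels (assumption: no public-suffix
    list here, so co.uk-style domains are handled wrongly). Bare IPs are kept."""
    host = host.lower().rstrip('.')
    if re.fullmatch(r'[\d.]+', host):
        return host
    return '.'.join(host.split('.')[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ' '.join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Return the first text/html part decoded to str ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            raw = part.get_payload(decode=True) or b''
            return raw.decode(part.get_content_charset() or 'utf-8', 'replace')
    return ''


def link_mismatches(html):
    """Links whose visible text names a domain other than the href's host."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ''
        seen = HOST_RE.search(text)
        if seen and registrable(seen.group(1)) != registrable(href_host):
            flagged.append((text, href))
    return flagged


def header_findings(msg):
    """Display-name and Reply-To checks on the From header."""
    findings = []
    name, addr = utils.parseaddr(msg.get('From', ''))
    from_domain = addr.rpartition('@')[2].lower()
    named = HOST_RE.search(name)
    if named and registrable(named.group(1)) != registrable(from_domain):
        findings.append(f'From display name claims {named.group(1)} '
                        f'but address is @{from_domain}')
    _, reply = utils.parseaddr(msg.get('Reply-To', ''))
    reply_domain = reply.rpartition('@')[2].lower()
    if reply_domain and registrable(reply_domain) != registrable(from_domain):
        findings.append(f'Reply-To domain {reply_domain} '
                        f'differs from From domain {from_domain}')
    return findings


def analyze(raw_message):
    msg = message_from_string(raw_message)
    return {'headers': header_findings(msg),
            'links': link_mismatches(html_body(msg))}


# Constructed sample: a lookalike bank alert with one deceptive link and one
# genuine-looking link, so the output shows which one the check flags.
SAMPLE_EMAIL = """\
From: examplebank.com Alerts <alerts@secure-notice.example>
Reply-To: verify@mail-verify.example
To: user@corp.example
Subject: Unusual sign-in, verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a new sign-in. Please confirm it is you:</p>
<p><a href="http://203.0.113.5/login">https://www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://www.examplebank.com/help">examplebank.com help</a>.</p>
</body></html>
"""

if __name__ == '__main__':
    for key, items in analyze(SAMPLE_EMAIL).items():
        print(key, items)
```

Run against the sample, the script reports two header findings (display name versus address, and Reply-To versus From) and exactly one link mismatch: the visible text names examplebank.com while the href points at a bare IP address. The help link, whose text and href agree, is left alone. The point of keeping the genuine-looking link in the sample is that a checker which flags every link is as useless as no checker; the comparison has to be between what the user sees and where the click actually goes.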
“It’s so important to have employees educated on the subject,” says Dan Flaherty, product marketing specialist at McAfee. “We often think of email protection as the front line into these attacks coming into your network. Your employees are really the soldiers on that front line. They are the first filter.”
Common sense is frequently one of the best phishing defenses. If something about an email simply feels wrong, it is usually better to take no action and delete it.
This content was originally published on the Intel Free Press website.