Phishing is a hacking technique that uses phony emails to trick users into revealing sensitive account information (e.g., account password) and/or installing malicious software (“malware”). With ransomware hogging the headlines, non-technical staff may have gotten the impression that the phishing threat is over. News flash – 97% of phishing messages now act as carriers for ransomware! (Barkly Stats & Trends) Agh!
So now, it’s more important than ever that staff be trained to anticipate, recognize, and avoid clicking on phishing messages. In a study reported in the Business Insider, Dr. Zinaida Benenson found that even people trained to recognize phishing could fall prey for several reasons:
- Curiosity – If the message used a personalized greeting (“Dear Mary”) and seemed at all relevant, recipients often clicked the link out of curiosity.
- Trust – Many people assume that once they are inside the organizational firewall, they are protected from all viruses, malware, phishing messages, etc..
- Myths – People who use Firefox and Apple/Mac devices believe they are “immune” to viruses because many viruses do target weaknesses in WindowsOS.
Even pros who have been trained to spot phishing messages can fall prey to those that look more professional. So train – and retrain – staff to look for the tell-tale indicators:
- Sender – Message is from an unknown source OR seems to be from a known source but the email address isn’t quite right. For instance, the sender address for a phishing message trying to look Amazon might read “Amazo.com” or “mazon.com.” Look closely!
- Subject – Seems personal and triggers feelings of fear (“Problems with your account”), surprise (“You’ve won…”), or the warmth of recognition (“You’ve been selected…”; “CNN – we would like to interview you”). Teach staff to recognize these emotions as potential warning flags.
- Greeting – Phishing messages often do not include a greeting or, if they do, tend to use an impersonal one, such as “Dear Customer.” More sophisticated phishing attacks, however, do include personalized greetings.
- Message tone – Phishing messages tend to have an urgent tone, such as “If we don’t hear from you today, your account will be closed.”
- Message content – Messages almost always ask recipient to “click on the link below” and suggest that personal information is needed. Teach staff (a) to hover over a link to check the destination before clicking, and (b) that legitimate organizations won’t request personal information by email.
- Branding/Graphics – The colors and logos may look authentic except they are slightly out of focus and/or incomplete.
- Signature Block – The signature block is often missing completely or lacks a specific person’s name and title. For instance, a phishing message might be signed, “Sincerely, The Customer Service Team.”
Get the word out today and repeat it frequently in as many different formats as you can think of – email, newsletter, posters, screen savers, etc. An effective “human firewall” is an essential component of every organization’s cyber defense.
info@thirdrock.com | 512.310.0020
Protect Your Patients. Protect Your Practice. Protect Yourself.™