Phishing Awareness Training: 12 Things Your Employees Should Know for Phishing Protection
Orhan Sari
Phishing attacks have been a widespread problem, posing a huge risk to individuals and institutions. According to Gartner, phishing emails will continue to be the primary method used in advanced attacks, because they are simple to produce and can easily trick your employees. Below are 12 things your employees should know about phishing.
1- What is a Phishing Attack?
Phishing is an attack vector that cybercriminals use mainly for identity theft: they manipulate users into handing over their personal and sensitive information. It is a form of social engineering attack that is mostly initiated via email. For instance, in many cases cybercriminals send out warnings urging users to change their passwords, but redirect them to a fake website in an attempt to harvest their credentials.
Sometimes cybercriminals launch phishing attacks to collect information for a sophisticated, larger enterprise attack. Since the human element is the weakest link in the security chain, with over 95% of successful cyber attacks resulting from human error, cybercriminals regard financial institutions in particular as effective targets.
2- Phishing Emails Use Urgent or Threatening Language in the Subject Line
A phishing email frequently arrives as an important notice, critical update or urgent warning with a tricky subject line that leads the target to think the email has come from a trusted source. The subject line may contain numeric characters or unusual letters in order to bypass spam filters.
Sometimes victims receive sextortion emails: a threatening email claiming that a pornographic video of them or other compromising information will be sent to family, friends, coworkers or social network contacts unless a price is paid.
Aggressive, threatening or urgent emails that demand quick action should be regarded as a possible scam. Cybercriminals often use targets’ fear and panic to terrify them into delivering confidential information.
Usually, threats and urgent messages such as “change your password quickly” are a sign of a phishing attack, even when they appear to come from a legitimate company. Once again, do not respond to suspicious emails that ask for personal information or demand that you act quickly, even if they appear to come from a legitimate source. Cybercriminals can send forged emails using fake email IDs or by hacking into email accounts: they are after your personal information and will use any means necessary to get you to respond.
Urgent emails easily lure victims into clicking the embedded link. Below are examples of subject lines to be cautious of:
- Urgent Action Required
- Your Account will be Deactivated
- Change of Password Required Immediately
- Password Check Required Immediately
3- Phishers Send Email From Spoofed Addresses
When you send an email, a sender name is attached to the message, but it can be forged. Criminals have been spoofing email addresses for a long time, doing so to make messages look like they came from friends, trustworthy sources or the recipient’s own company.
Spoofing real email addresses is surprisingly easy because the tools needed are easy to obtain: all a criminal needs is a working SMTP server (a server that can send email) and appropriate mailing software.
Spoofing is most effective on a mobile device because the sender’s email address is truncated or hidden, and most mobile users will not tap the sender’s name to inspect the actual address.
The most common type of spoofing is display name spoofing, e.g. criminals can use Keepnet’s legitimate company name as the email sender, shown as something like firstname.lastname@example.org, to trick their targets, while the actual sending address is email@example.com.
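The display name check described above, written as a small triage routine (an added example, not Keepnet’s code). It splits a From: header into what the reader sees and the real address, then flags a display name that shows a different domain, or that names a brand whose legitimate domain (an assumed, constructed mapping) does not match the sender:

```python
"""Flag display-name spoofing in From: headers (added example; not Keepnet's code)."""
import re

# Constructed mapping of brand keywords to the domain they really send from (assumption).
TRUSTED_BRAND_DOMAINS = {"keepnet": "example.org"}

# name-addr form: everything before <...> is the display name the reader sees first.
ANGLE_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
# An address or bare domain embedded in the display name.
DOMAIN_RE = re.compile(r"(?:[\w.+-]+@)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def split_from(value):
    """Return (display_name, address); a bare address has an empty display name."""
    m = ANGLE_RE.match(value)
    if m:
        return m.group("display").strip('" '), m.group("addr").strip()
    return "", value.strip()

def check_from(value):
    """Return a list of findings; an empty list means nothing looked spoofed."""
    display, address = split_from(value)
    actual = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not actual:
        return ["no sender address found"]
    findings = []
    # Crude by design: a dotted display name such as "Jane.Doe" is also flagged.
    for m in DOMAIN_RE.finditer(display):
        shown = m.group(1).lower()
        if shown != actual and not actual.endswith("." + shown):
            findings.append(f"display name shows {shown} but mail comes from {actual}")
    for brand, legit in TRUSTED_BRAND_DOMAINS.items():
        if brand in display.lower() and actual != legit and not actual.endswith("." + legit):
            findings.append(f"display name claims {brand} but {actual} is not {legit}")
    return findings

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Jane Doe <jane.doe@example.org>",
    "jane.doe@example.org <attacker123@example.com>",
    "Keepnet Support <noreply@example.net>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_from(h) or ["ok"])
```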
4- Phishing Attacks Can Occur Any Time
It is possible to reduce the risk of phishing attacks by checking your emails with care and looking for the signs of phishing scams. It is also important to be careful while browsing online and to watch for the same signs.
Beware of emails asking for confidential information or login credentials. Legitimate organizations like financial institutions never request sensitive information by email.
Even if it appears to be from a known, trusted source, never click on links, download files or open attachments in emails or on social media. Call the sender and verify the email before acting on it.
Never click on a link in an email to reach a website unless you are absolutely sure that it is authentic. When necessary, type the URL into the browser’s address bar yourself to confirm that it is the real website.
5- Browse Only Safe Web Addresses
Today many web browsers already include security features to help you stay safe online. These built-in browser tools can block annoying pop-ups, send Do Not Track requests to websites, disable unsafe Flash content, stop malicious downloads, and control which sites can access your webcam, microphone, etc.
- Chrome: Settings > Advanced > Privacy and security
- Edge: Settings > Advanced settings
- Firefox: Options > Privacy & Security
- Safari: Preferences > Security and Preferences > Privacy
Visit web addresses that start with HTTPS. HTTP (Hypertext Transfer Protocol) is the fundamental protocol for sending data between your web browser and the websites you visit, and HTTPS is simply the secure version of it. (The “S” stands for “secure”.) It is often used for online banking and shopping because it encrypts your communications to prevent criminals from stealing sensitive information like your credit card numbers and passwords.
Check for HTTPS and the green padlock icon in your browser’s navigation bar. If you do not see it, the site you are on is not using a trusted SSL digital certificate and you should never submit sensitive information, such as credit card details.
If you don’t see the padlock, take your shopping elsewhere
Moreover, never use a public Wi-Fi hotspot for important transactions such as banking, shopping or entering personal information; use your mobile connection instead for phishing protection.
6- Beware of The Fake Emails
Since they are not professional proofreaders, cybercriminals often make mistakes in phishing emails. Phishing emails are therefore often easy to spot because of plentiful grammar errors and unnecessary words in capitals.
An example of fake email content (Source: makeuseof)
Read your email carefully and check whether the content has grammar errors. Email content can also be made intriguing to arouse the interest of users and manipulate them into clicking on the fake link. If you are suspicious of the content, delete it.
7- Phishing Attacks Are Becoming More Personal
Personalised phishing attacks, or spear-phishing attacks, are proven to be more effective. Cybercriminals research their target using social media posts to generate customised emails that victims are more likely to open.
By targeting a specific individual with social engineering techniques that combine technical and psychological factors, cybercriminals are easily able to bypass spam detection systems.
8- Criminals Use Real Brands
Criminals imitate the authentic website of a legitimate brand by using a domain name or URL and a webpage design that resemble the original site. The link to the fake website is mostly sent to targets by email or sometimes by text message. The email may also include logos of the legitimate company. The fake website usually contains a fake form to hijack users’ credentials, payment details or other sensitive data.
9- Shortened links
Cybercriminals often use shortened links to manipulate you into thinking you are clicking a legitimate link, when you are in fact being redirected to a fake web address. Always hover your mouse over a link in an email, without clicking, to see whether you are actually being sent to the right website.
Link shorteners cybercriminals mostly use (Source: LookingGlass Cyber)
If you click on the fake link, you can be directed to a fake web address where, once you have entered credentials such as your name, surname, email address and password, cybercriminals obtain all your details. At the same time, the fake page can download malware onto your machine, which can hand your entire system over to the cybercriminals.
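The “hover over the link” check from this section and the HTTPS check from section 5, done in code over an HTML mail body (an added example, not Keepnet’s code). It compares the text a reader sees with the real target of each link, and reports targets that are not HTTPS or that sit on an assumed watch-list of URL shorteners:

```python
"""Audit the links in an HTML mail body (added example; not Keepnet's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch-list of URL shorteners; extend it from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

class LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; bare host names are accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def audit_links(html):
    """Return (text, href, findings) per link; empty findings means it looked consistent."""
    p = LinkCollector()
    p.feed(html)
    report = []
    for text, href in p.links:
        findings = []
        if urlparse(href).scheme != "https":
            findings.append("not HTTPS")
        if host_of(href) in SHORTENERS:
            findings.append("shortened link hides the real destination")
        # Only compare hosts when the visible text itself looks like a URL or host.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host_of(href):
            findings.append(f"text shows {shown} but link goes to {host_of(href)}")
        report.append((text, href, findings))
    return report

# Constructed sample body, not a real phishing mail.
SAMPLE_HTML = (
    '<p>Please <a href="http://bit.ly/xyz">reset your password</a> or visit '
    '<a href="https://login.example.net/">https://bank.example.org</a> '
    'or <a href="https://bank.example.org/help">our help page</a>.</p>'
)
```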
10- Phishing Links Can Be in an Attachment
Phishing emails mostly include a fake link, but to bypass email protection technologies phishers can place the fake link inside an attachment, such as a PDF or Word document, that leads to a fake webpage. Because sandbox technologies look for malware in these attachments rather than for links, such emails can easily reach the target users.
11- Pop-up Notifications / Warnings
Phishers can attempt to tempt you with a support pop-up window that appears on your computer screen and may look like an error message from your operating system or antivirus software. It can also appear legitimate by using the logos of real brands. It can trick you and take you to a fake landing page to steal your sensitive data.
12- Spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
Try Keepnet’s email security solutions/phishing protection modules for free to protect your organisation.
The phishing simulator replicates many real-world threats such as spear phishing, malicious macros and ransomware, with customizable campaign templates. Keepnet Labs’ dashboard provides insights into simulation statistics, actions and schedules.
Security Awareness Training
Keepnet Labs recognizes the power of experience-driven, targeted and continuous training that drives behaviour change. You can use the free awareness educator to measure the effectiveness of existing cybersecurity awareness training with pre/post-attack simulations.
Cyber Threat Intelligence
The Cyber Intelligence Module automatically searches leaked databases for possible sensitive data leakages, compromised access information, fraudulent domains and implanted malware, and generates alarms if any leakage is detected.