[BreachExchange] Stop training your employees to fall for phishing attacks

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 11 20:33:06 EDT 2018


https://www.csoonline.com/article/3287655/phishing/stop-training-your-employees-to-fall-for-phishing-attacks.html

I recently received an email from an address I didn’t recognize, that
purported to be from a trusted authority, using urgent language to insist
that I open an unexpected attachment. Clearly, this message must be a
phishing attack that I deleted immediately, right?

As you may have guessed, after careful research I found that it was a
legitimate message that did include important information, even if it was
significantly less urgent than the message’s wording implied. I also found
that people who should absolutely “know better” are sending messages that
actively groom recipients to fall victim to phishy messages. The only way
that “avoid phishing” tips work is if actual trusted authorities don’t use
the same techniques as criminals.

Let’s look at a few common “how to recognize phish” tips that the message
in question fell afoul of:

- The message itself is unexpected
- It appeals to a sense of authority
- It comes from a sender other than the named authority
- The text conveys a sense of urgency
- The greeting is absent or generic
- The message contains little to no explanation
- The message contains an unexpected attachment

This list of traits is more than enough to set a security-conscious
employee’s hair on end. And yet, this sort of email is distressingly common.

Sometimes these messages are sent directly by actual human employees who
could benefit from a slightly different variety of anti-phishing training.
Perhaps more commonly, they are sent by Software as a Service (SaaS) apps
like those for fax or shipping services, human resource or accounting
portals, collaboration tools, newsletters or even party planners. This
drastically increases the range of “legitimate” email addresses well beyond
the corporate domain, thus making it much harder for employees to track
which domains are “known” and therefore “more-trusted” senders.

What can we do to make our emails less phishy-looking? Here are a few
things to consider:

- Forewarning to make emails “expected”: If you’re going to send an email
about shipping, event planning or other things requiring employee action,
let them know ahead of time. The more info you can give them about what to
expect – such as the sender’s email address, a brief summary of the
content, etc. – the better able they will be to verify that the email is
genuine. Understand that email addresses are easy to spoof, so the more you
can customize an email to make it unique (rather than using basic
boilerplate text), the easier it will be for your employees to identify as
being legitimate.
- Keep calm: There’s no good reason to employ social engineering tactics to
create fear in your employees. Presumably the people you hire are all
responsible adults, and you can motivate them to action by accurately
describing the level of urgency in a way that does not require panic. As
much as possible, make sure the email sender matches the message and uses
an appropriate level of authority. If you’re sending “an important message
from the VP of Bureaucracy,” make sure that it is actually sent by the Vice
President of Bureaucracy rather than someone else in the Bureaucracy
Department. Or better yet, ask yourself if it even needs to be sent by the
VP at all, rather than simply being a “message from the Department of
Bureaucracy.” And for the sake of everyone’s blood pressure, please avoid
sending messages in all capital letters.
- Favor security-conscious products: Can you digitally sign or encrypt
emails from your third-party apps? Can you send them from within your own
corporate domain? Can you customize them with your own text or a
recipient’s name? Can emails be sent in plaintext rather than using
image-heavy or HTML formatted messages? These are a few questions you
should be asking when pondering implementing new SaaS apps.
- Keep messages simple: Default to using text formatting; use HTML content
only if absolutely necessary. If at all possible, recipients should not
have to click on a link or attachment to read the substance of the message.
Make it as quick and easy as possible for your employees to get at least a
basic summary of the information, and have them go to a standard location
(such as an internal company site) to get more detailed information, rather
than a link embedded in the message.
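The recognition tips and the sending advice above can be turned into a lint check that an organisation runs over its own outbound notifications before they go out. The following Python script is an added illustration and is not part of the article or of the mailing-list post: it parses a message with the standard library `email` package and reports which of the listed traits it shows (external sender, all-capitals subject, urgency wording, generic greeting, thin explanation, attachment, external link, HTML-only body). The corporate domain `example.com`, the two sample messages, the urgency word list and the 25-word threshold are constructed assumptions, chosen only to show the checks firing and staying quiet.

```python
import re
from email.message import EmailMessage

# Assumed corporate domain (constructed); anything else counts as an external sender or link.
CORPORATE_DOMAINS = {"example.com"}

# Constructed list of urgency phrases; tune it to the wording your own notifications use.
URGENCY = re.compile(
    r"\b(immediately|urgent(?:ly)?|action required|within 24 hours|act now|asap)\b", re.I
)
ADDR_DOMAIN = re.compile(r"@([\w.-]+)")
URL_HOST = re.compile(r"https?://([^/\s<>\"']+)", re.I)
TAG = re.compile(r"<[^>]+>")


def in_corporate_domain(host: str) -> bool:
    """True if host is one of the corporate domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def body_parts(msg: EmailMessage):
    """Return (readable text, raw body, html_only).

    Prefers the text/plain part; if there is none, falls back to the HTML part with
    tags stripped so the remaining checks still have something to read.
    """
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        raw = part.get_content()
        return raw, raw, False
    part = msg.get_body(preferencelist=("html",))
    raw = part.get_content() if part is not None else ""
    return TAG.sub(" ", raw), raw, True


def lint(msg: EmailMessage, recipient_name: str) -> list:
    """Return the phishing-lookalike traits an outbound notification exhibits."""
    findings = []
    text, raw, html_only = body_parts(msg)
    if html_only:
        findings.append("html-only")          # recipients must render HTML to read it

    m = ADDR_DOMAIN.search(msg.get("From", ""))
    if not m or not in_corporate_domain(m.group(1)):
        findings.append("external-sender")    # sender is outside the corporate domain

    subject = msg.get("Subject", "")
    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        findings.append("all-caps-subject")

    if URGENCY.search(subject) or URGENCY.search(text):
        findings.append("urgency")

    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    greeting = lines[0] if lines else ""
    if recipient_name.lower() not in greeting.lower():
        findings.append("generic-greeting")   # first line does not address the recipient

    if len(" ".join(lines[1:]).split()) < 25:
        findings.append("thin-explanation")   # little or no explanation after the greeting

    if any(True for _ in msg.iter_attachments()):
        findings.append("attachment")

    if any(not in_corporate_domain(h) for h in URL_HOST.findall(raw)):
        findings.append("external-link")      # link points away from the internal site
    return findings


def phishy_notification() -> EmailMessage:
    """Constructed sample: a legitimate SaaS notice that shows every listed trait."""
    msg = EmailMessage()
    msg["From"] = "HR Portal <noreply@hr-vendor.example.net>"
    msg["To"] = "alex@example.com"
    msg["Subject"] = "ACTION REQUIRED: OPEN ATTACHED FILE"
    msg.set_content(
        "<html><body>\n<p>Dear Employee,</p>\n"
        "<p>You must review the attached document immediately.</p>\n"
        '<p><a href="https://portal.hr-vendor.example.net/login">Log in here</a></p>\n'
        "</body></html>\n",
        subtype="html",
    )
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg


def well_formed_notification() -> EmailMessage:
    """Constructed sample that follows the advice: internal sender, plain text, named
    recipient, calm wording, a real summary, and a link to the internal site."""
    msg = EmailMessage()
    msg["From"] = "Benefits Team <benefits@example.com>"
    msg["To"] = "alex@example.com"
    msg["Subject"] = "Open enrollment closes on August 15"
    msg.set_content(
        "Hi Alex,\n\n"
        "As announced at last week's all-hands, benefits open enrollment for next\n"
        "year runs through August 15. This message summarizes the changes: the\n"
        "dental plan provider is unchanged, and the vision plan adds a second\n"
        "option. The full plan documents are posted on the internal benefits site\n"
        "at https://intranet.example.com/benefits, reachable from the home page.\n\n"
        "Benefits Team\n"
    )
    return msg


if __name__ == "__main__":
    for build in (phishy_notification, well_formed_notification):
        print(build.__name__, "->", lint(build(), "Alex") or "no findings")
```

Running the script prints every trait for the first sample and no findings for the second. A useful place for a check like this is the template review step for any new SaaS integration or internal mass mailing: each finding maps back to one of the recognition tips, so a notification that passes is one your employees can verify with the same advice they were trained on.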

Phishing, business email compromise (BEC), and email account compromise
(EAC) cause hundreds of millions of dollars’ worth of losses each year, and
this number seems unlikely to decrease if we continue to give employees
conflicting information about how to interact with email safely. By making
sure all correspondence follows good security hygiene advice, we can allow
employees to consistently follow anti-phishing advice and hone their
instincts for recognizing which emails are truly safe.