Protect Your End Users from Phishing Attacks with Security Awareness Training
Does this exchanges between employees in finance departments and the CEO of the company sound familiar?
“What’s with that email you sent?”
“The one where you told me to wire money to that bank in China.”
“I never sent such an email.”
CEO fraud usually starts with thieves either phishing an executive and gaining access to that individual’s email, or emailing employees from look-alike domains. For example, if the domain name for the organization is abc.com, the thieves might send emails from abc.co. To date the FBI has calculated the loss from CEO fraud to be at $1.2 billion.
These types of emails often don’t get caught or quarantined and are targeted to specific people in the organization. The thieves usually do their homework and scour the web for any information about a company (LinkedIn). Once they’ve built up a good knowledge base, they go after those they know will likely fall prey to the “CEO’s” demands to wire money.
These thieves have gone to school and done their homework. Now, organizations and their employees must do the same. Security awareness training is paramount in today’s world. Employees need to know how to recognize simple yet key indicators in phishing emails. Key indicators include looking at the “from” address, the body of the email (English is usually not the attackers first language), and perhaps the easiest indicator, the origin of the bank where the money needs to be wired to. If your organization has never conducted operations in countries such as China or Russia, why would a CEO request such a transfer? Two-factor or multi-factor authentication should be a must for transferring large sums of money.
The “CEO Fraud” example above is just one of many ways attackers go after employees via email. Attackers can also embed links in emails with malicious executables, and all it takes is one person to click that link and the network could be compromised.
SWC offers comprehensive security awareness training to educate end users on how to detect these malicious scenarios. We also offer phishing campaigns simulated from an attacker’s perspective to gain an understanding of whether or not your users are clicking on these emails, as well as implementing right-sized technologies to assist a company’s overall security.
Want to learn more? Contact one of our security professionals. (I promise it’s not a bad link…or is it?)