Business Email Compromise

Mar 28, 2017 10:43:39 AM  |  by Laura Hees

It is all too easy to find key company and individual information on public websites or LinkedIn. You can also buy contacts from "sales intelligence" tools such as RainKing Online. Remember Jigsaw, where it cost you nothing if you entered contacts and you earned credits for other people's information? (Ugh, please don't do that; keep your contacts private.) Jigsaw may have changed, but the point stands: a lot of information is out there, easy to find, and easy to turn against you.

None of this is new. For the most part businesses and people are aware of phishing and are on the lookout. But in our quick-to-click, multi-tasking world it is still a huge threat. We are tested at home and at work and are constantly a potential target. Many people find it hard to move fast and think clearly at the same time, and that is exactly why email phishing is such a good attack vector for the bad guys. Below are a few suggestions on how to minimize your business email compromise risk.

Two-Factor Authentication

This does not need to be so hard. Please don't make it hard. O365 has this feature built in and it is easy to set up; Exchange with SecureAuth or Duo is even easier. Two caveats before you roll it out: a second factor only protects sign-ins that actually challenge for it, so legacy protocols that accept just a username and password (basic authentication for IMAP, POP and ActiveSync) need to be blocked as well, and it does nothing against BEC variants that never touch your accounts, such as a spoofed display name asking accounts payable to wire money. Those need sender authentication (SPF, DKIM, DMARC) and a callback process for payment changes.

Yes, many key employees and executives will push back because of the time and inconvenience. There will be choices to make about phone numbers, policies and so on. Make the choices, move on and implement them. No one likes changes in an already super quick day. Make the process simple and mandatory, expect issues, work around them, and calmly move forward as if there is no other choice, because really there should not be.
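As an added example (not code from the original post), here is what "easy to set up" looks like in O365 with the legacy MSOnline PowerShell module, which was current when this post was written; newer tenants do the same thing with Conditional Access or Microsoft Graph. It audits which enabled users still have no MFA requirement and then applies one to all of them. The module being installed, a Global Administrator sign-in, and the break-glass account name are assumptions.

```powershell
# Added example, not from the original post.
# Assumes: MSOnline module installed, Global Administrator credentials,
# and placeholder account names. Run in an elevated PowerShell session.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant

# Build the "MFA required for every application" requirement object once.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"   # user must register at next sign-in; "Enforced" skips the grace period

# Audit first: enabled users with no MFA requirement at all.
$unprotected = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 -and -not $_.BlockCredential }
$unprotected | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table -AutoSize

# Then enforce it for everyone on that list, keeping emergency-access accounts out
# so you cannot lock yourself out of the tenant if the MFA provider has an outage.
$breakGlass = @("emergency-admin@contoso.com")   # placeholder name
foreach ($u in $unprotected) {
    if ($breakGlass -contains $u.UserPrincipalName) { continue }
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Re-run the audit: the only names left should be the break-glass accounts.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 -and -not $_.BlockCredential } |
    Select-Object UserPrincipalName
```

Run the audit section on its own first; a surprising number of accounts will be service or shared mailboxes that need a decision (exclude, or convert to a mailbox type that cannot sign in) before you turn the enforcement loop on.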

Keep testing the weakest link

It only takes one person for the bad guy to do his or her damage. The people who clicked and entered credentials once will likely do it again and again. Keep testing them, over and over, until they stop. This will help them more than anything else: you want to break their quick-reaction pattern and get them to recognize the different types of phishing email. They will be annoyed, but you are helping them at work and at home. Keep testing them!
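Most phishing-simulation platforms export per-campaign results as CSV but leave "who keeps doing it" to you. The script below is an added example (not from the original post) that turns a stack of such exports into the retest list described above: anyone who has ever handed over credentials stays on the list until they have gone a set number of consecutive campaigns without clicking. The sample rows and column names are constructed for illustration and will differ by vendor.

```powershell
# Added example, not from the original post. Sample export is constructed;
# real column names depend on your phishing-simulation vendor.
$sampleExport = @"
campaign_date,user,clicked,submitted_credentials
2017-01-10,alice@example.com,True,True
2017-01-10,bob@example.com,False,False
2017-01-10,carol@example.com,True,False
2017-02-14,alice@example.com,True,True
2017-02-14,bob@example.com,False,False
2017-02-14,carol@example.com,False,False
2017-03-20,alice@example.com,False,False
2017-03-20,bob@example.com,True,True
2017-03-20,carol@example.com,False,False
"@

# Parse the export into typed objects so dates sort and booleans compare correctly.
$results = $sampleExport | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{
        Date      = [datetime]$_.campaign_date
        User      = $_.user
        Clicked   = [bool]::Parse($_.clicked)
        Submitted = [bool]::Parse($_.submitted_credentials)
    }
}

$cleanStreakRequired = 3   # consecutive no-click campaigns before a user leaves the list

$retest = foreach ($group in ($results | Group-Object User)) {
    $history = $group.Group | Sort-Object Date
    $submissions = ($history | Where-Object Submitted).Count
    if ($submissions -eq 0) { continue }   # never gave up credentials: normal cadence only

    # Count consecutive clean campaigns, newest first; any click resets the streak.
    $streak = 0
    foreach ($r in ($history | Sort-Object Date -Descending)) {
        if ($r.Clicked) { break }
        $streak++
    }
    if ($streak -ge $cleanStreakRequired) { continue }   # they have stopped; drop them

    [pscustomobject]@{
        User                  = $group.Name
        CredentialSubmissions = $submissions
        CleanStreak           = $streak
        LastSubmission        = ($history | Where-Object Submitted | Select-Object -Last 1).Date.ToString('yyyy-MM-dd')
    }
}

# Highest repeat offenders first: these are the targets for the next campaign.
$retest | Sort-Object CredentialSubmissions -Descending | Format-Table -AutoSize
```

With the constructed data, alice (two submissions, one clean campaign since) and bob (submitted in the latest round) come out on the list, while carol, who clicked once but never submitted and has been clean since, does not. Feed the list into the next campaign's recipient group rather than the whole company so the people who most need the practice get it.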

Don’t be stressed

Training content and portals matter, but they do not need to be perfect. Put up posters in the bathrooms. If someone reports a phish to the help desk, broadcast it to the company and thank them for keeping the company safe. Do monthly newsletters of the latest email tricks. Do short videos with quizzes at the end to help with engagement. Big fan of Security Awareness Company for content and Moonami for hosting. Simplify the process so content can be produced and distributed quickly.


Ongoing testing is the most important thing. This is not going away. Keep people informed and tested regularly. Don't worry if there is a spelling error in your fake phishing campaign email; the bad guys are nervous and misspell things all the time. Just send the email, see who catches it and who clicks, and keep testing. Make your people smarter (and better looking). Maybe this will all go away someday, and then we can worry about drone delivery attacks or our IoT microwaves burning down our houses.

Managed Services

This is of course always an option. You don't have to handle it all yourself. Have a company such as RedLegg run your Social Engineering Awareness Program. Make sure the company can project-manage, can pivot and create content as needed, and is responsive and simple to work with.

