We’ve all been there. Whether it’s browsing Facebook, scanning your Twitter feed, or simply perusing email, curiously worded messages promise great fortunes—or spectacular destruction of your personal worth. While these phishing techniques immediately send our phony detectors into overdrive, not everyone is quite so savvy about these emails’ malicious nature.
Here are a few tips on how to prevent a data breach caused by an overly curious employee.
Diagnose the problem
Phishing attacks are, at their core, a form of social engineering. Someone, somewhere, has carefully picked each word and sentence of that alarming email with the intent of squeezing some sensitive information out of you. Admittedly, some choose their words more carefully than others, but the basic aim is the same: to deceive you into believing they are who they say they are.
After the social engineering aspect of phishing, things get a bit more diverse. These attacks come in forms ranging from social media posts to text messages and everything in between. Essentially, if you can communicate with it, you can phish with it.
Phishing techniques that use analogue communication channels are obviously after tangible data: financial details, identification, and authorisation information such as credentials. On the other end of the spectrum are more complex attacks through digital means, like email, websites, and social media.
Both are harmful, and both can lead to larger data losses if they aren’t addressed. In particular, digital techniques can spread malware through entire networks with a single click on a malicious attachment. In organisations with more than a handful of users, this presents a nightmare-inducing dilemma. How can you keep your users from falling victim to these attacks?
3 steps to help users detect phishing
The success of phishing attempts boils down to two things: charisma and gullibility. If the charisma of the enemy outweighs your gullibility, then you’re in for some tough times. With this in mind, you should focus on reducing the gullibility of your users and enlightening them to the suave tactics of phishing experts. For example, most people don’t actually realise that email is one of the easiest forms of communication to defraud. Case in point: this recent news item from CNBC.
Don’t be a victim. A good strategy should generally include the following three steps:
Education can be as simple as showing your users exactly what phishing attacks are capable of. Inform them of the myriad ways in which these attacks are presented and how they can compromise both the user and the organisation.
Reinforcing this education is key, especially as attacks continue to evolve. Think outside the box to prevent death by boredom. For example, you could send mock phishing attempts and offer prizes for those users who spot the attack first. Basically, anything to get your users to see things from your perspective in a less monotonous way is good here.
The goal is to fend off “grandma syndrome” in your users, the type who believes everything they read online, even in an era of fake news. Instil a healthy dose of scepticism and generally sound browsing practices in your users, and you’ll be in good shape.
Finally, don’t be afraid to take things into your own hands. Stay proactive by keeping antivirus software, spam filters, and security patches current. Look for central solutions to monitor network activity and device health. Since your users’ willpower will likely fail at some point, it might even be worth looking into self-healing infrastructure.
Follow these simple steps, and your organisation will be safer than it was yesterday. Better yet, you won’t walk into work one day and curse when an employee walks up to you with a computer brought down by a sophisticated phishing attack. That’s one more headache avoided.