Doing More Than Just Phishing Training

Phishing continues to be the major threat to end users and organizations as we enter 2020. As networks become more restrictive at the firewall level, attackers keep finding innovative ways to phish and to get what they are after. I personally am tired of security salespeople who talk about phishing as if it were all just Nigerian Prince scams. These attacks have evolved so far in style that comparing them to such simplistic scams takes away from the real threat that every organization faces.

Phishing Training is Only Part of It

Every organization should offer regular training on phishing prevention. The training should be delivered in person by a professional trainer. It should speak to end users through the lens of how phishing affects them and the organization. The training should not be offered only online, as people often check out during automated training.

But training is only the beginning. You need an overall organizational approach to phishing prevention. This includes several items:

  1. Phishing Awareness Posters Placed in Break Rooms and Hallways – We believe that posters like this work, and we offer them at no charge because of that! Placing well-made signs in high-traffic areas keeps people engaged and aware that the email they receive may not be real. Even if these posters only reach 10% of your users, they create a more cautious environment. It is all about reducing your susceptibility, even if it’s just 10% at a time.

  2. External Email Notification on Email - This is a simple setting to turn on, and one we have all probably seen before. These are notifications at the top of an email message, and in the subject line, alerting the internal recipient that the message originated from an outside sender. This is especially effective in reducing impersonation attacks. For further effectiveness, vary the wording and colors of the alert over time so that people do not become “eye-blind” to it.
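As an added example (not code from the original post), here is what an external-sender rule actually does, written out in Python so the logic is visible: a message is external when its From domain is not one of the organization's domains (the display name is ignored on purpose), the subject gets a prefix, a marker header is added, and a banner is prepended to the body, with the wording and colour rotated by week so users do not tune it out. In practice you turn this on in your mail gateway or mail-flow rules rather than writing it yourself; the domain names, banner wording and sample messages below are constructed for the demo.

```python
import email
from datetime import date
from email import policy
from email.utils import parseaddr

# Assumed for this example: the domains the organization sends mail from.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Several wordings and colours; rotating them keeps the banner from fading into the background.
BANNER_VARIANTS = [
    ("[EXTERNAL]", "#b00020",
     "This message came from outside the organization. Verify the sender "
     "before clicking links or opening attachments."),
    ("[CAUTION: External Sender]", "#e65100",
     "External sender. Confirm any request for payments, credentials or "
     "gift cards by phone before acting on it."),
    ("[OUTSIDE SENDER]", "#1565c0",
     "This email did not originate from example.com. Report anything "
     "suspicious to abuse@example.com."),
]


def sender_domain(msg):
    """Domain of the header From address, ignoring the display name."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg, org_domains=ORG_DOMAINS):
    """External means the From domain is not one of ours. The display name is
    deliberately ignored: a familiar name in front of a look-alike domain is
    exactly the impersonation the banner is meant to expose."""
    dom = sender_domain(msg)
    return dom == "" or dom not in org_domains


def pick_variant(day=None):
    """Choose the banner by ISO week so wording and colour change regularly."""
    day = day or date.today()
    return BANNER_VARIANTS[day.isocalendar()[1] % len(BANNER_VARIANTS)]


def tag_external(raw, day=None, org_domains=ORG_DOMAINS):
    """Parse a raw RFC 5322 message. If it is external, prefix the subject, add a
    marker header and prepend a banner to the body. Returns (message, tagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_external(msg, org_domains):
        return msg, False
    tag, colour, text = pick_variant(day)
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(tag):           # do not stack tags on replies and forwards
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}".strip()
    msg["X-External-Sender"] = "yes"          # mail clients and filters can key off this
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        original = body.get_content()
        body.clear_content()                  # set_content() will not overwrite existing Content-* headers
        body.set_content(f"{tag} {text}\n{'-' * 60}\n{original}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None and html is not body:
        original = html.get_content()
        html.clear_content()
        html.set_content(f'<div style="background:{colour};color:#fff;padding:6px">'
                         f'<b>{tag}</b> {text}</div>{original}', subtype="html")
    return msg, True


# Constructed samples: a look-alike domain with a familiar name, and a genuine internal message.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today and keep it confidential.
"""

SAMPLE_INTERNAL = """\
From: IT Helpdesk <helpdesk@corp.example.com>
To: staff@example.com
Subject: Maintenance window tonight
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable 22:00-23:00.
"""


def demo(day=date(2020, 1, 6)):
    """Run both samples on a fixed date; returns (subject, tagged, first body line) per message."""
    out = []
    for raw in (SAMPLE_PHISH, SAMPLE_INTERNAL):
        msg, tagged = tag_external(raw, day=day)
        out.append((str(msg["Subject"]), tagged, msg.get_body().get_content().splitlines()[0]))
    return out


if __name__ == "__main__":
    for subject, tagged, first_line in demo():
        print(f"tagged={tagged}: {subject} | {first_line}")
```

Run it and the look-alike message comes back tagged with the week's variant while the internal one passes untouched. The `X-External-Sender` header is the hook for a client rule or a downstream filter, and the subject check stops the tag from being stacked every time an already-tagged thread bounces back through the gateway.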

  3. Regular Phishing Testing - Phishing training is most effective when a phishing test precedes it. An effective phishing test is done as a spear-phishing attack through a non-automated service. Automated services like KnowBe4 are fine for random testing, but they do not properly address how an attacker will target employees and get them to fall for a real-life attack. This is only done through human testing. These tests should be done annually.

  4. Communicating Reminders - Sending frequent communications to employees about the dangers of phishing is an excellent way to keep the message in front of them. This is especially effective for people in the field who won’t see any internal posters or reminders. You can do this through employee newsletters, company video broadcasts, or conference calls. Be creative and engage the HR and marketing departments to keep the information fresh.

  5. Incident Reporting Procedures – If one of your users identifies a phishing email, or suspects they have fallen victim to one, what are the next steps and how does it get reported? Make sure that you have clear, well-known reporting procedures in place. I recommend setting up an email address such as Abuse@ for all email alerts. Have your users forward suspicious messages to that address and call the help desk so an alert can be sent out.

  6. Incident Response - Make sure your IT department has clear procedures for how it will respond when an issue occurs. The plan should include blocking the sender’s email address and any URLs used within the emails. Where applicable, it should also cover how to notify employees, how to remediate infected computers and those on which a link was clicked, password resets, and notification of compliance departments.
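The reporting and response steps (items 5 and 6) leave the help desk holding a reported message and the job of working out what to block. As an added example, not from the original post, this Python script triages a message forwarded to the Abuse@ mailbox: it collects the From, Reply-To and Return-Path addresses, the URLs the message really links to (taken from href attributes rather than the visible link text, and flagging any link whose visible text shows a different domain than its target), attachment hashes, and then renders a defanged alert that can be pasted into a ticket or a staff notice without creating a clickable copy of the lure. The sender addresses, domains and sample message are constructed; the Abuse@ mailbox name comes from the post.

```python
import email
import hashlib
import re
from email import policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the user sees can differ from the target."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def defang(indicator):
    """Rewrite an indicator so it is not clickable when pasted into an alert."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def extract_indicators(raw):
    """Pull blockable indicators out of a raw reported message."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_values = [str(msg.get(h, "")) for h in ("From", "Reply-To", "Return-Path")]
    senders = sorted({addr.lower() for _, addr in getaddresses(header_values) if addr})
    urls, mismatched, attachments = set(), [], []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, shown in collector.links:     # the real target is the href, not the link text
                urls.add(href)
                if shown.lower().startswith(("http://", "https://")) and \
                        urlparse(shown).hostname != urlparse(href).hostname:
                    mismatched.append((shown, href))
    urls = sorted(u for u in urls if u.lower().startswith(("http://", "https://")))
    return {
        "subject": str(msg.get("Subject", "")),
        "senders": senders,
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname}),
        "mismatched_links": mismatched,
        "attachments": attachments,
    }


def alert_text(ind):
    """Help-desk alert with defanged indicators, ready to paste into a ticket."""
    lines = [f"Phishing report: {ind['subject']}",
             "Block senders: " + ", ".join(defang(s) for s in ind["senders"]),
             "Block URLs: " + ", ".join(defang(u) for u in ind["urls"])]
    lines += [f"Link text {defang(s)} actually points to {defang(h)}" for s, h in ind["mismatched_links"]]
    lines += [f"Attachment {a['name']} sha256={a['sha256']}" for a in ind["attachments"]]
    return "\n".join(lines)


# Constructed sample report: look-alike sender, separate Reply-To, a deceptive link and an attachment.
SAMPLE_REPORT = """\
From: Accounts Payable <ap@examp1e.com>
Reply-To: collect@examp1e-invoices.net
Return-Path: <bounce@examp1e.com>
To: finance@example.com
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Review it at https://examp1e.com/invoice/4471
--b1
Content-Type: text/html; charset="utf-8"

<p>Review it at <a href="http://login.examp1e-invoices.net/auth">https://example.com/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="invoice_4471.bin"
Content-Disposition: attachment; filename="invoice_4471.bin"
Content-Transfer-Encoding: base64

aW52b2ljZQ==
--b1--
"""

if __name__ == "__main__":
    print(alert_text(extract_indicators(SAMPLE_REPORT)))
```

Two points worth noticing in the output: the Reply-To and Return-Path addresses are collected alongside From, because blocking only the visible sender leaves the address replies actually go to untouched; and the HTML link's visible text shows the organization's own domain while the href points elsewhere, so a block list built from link text would block the wrong thing.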

Conclusions

I hope this list will be beneficial for your organization. Don’t just sign up for an automated service and expect your end users to be prepared. You have to take a holistic approach to phishing prevention. You can’t stop attackers from trying to steal your information, but you can dilute their effectiveness and increase your ability to defend yourself. Don’t be the next victim.