Phishing Awareness In The Workplace

Intro: Phishing Awareness In The Workplace

This article clarifies what phishing is, and how it can be prevented with the proper tools and training. The text has been transcribed from an interview between John Shedd and David McHale of HailBytes.

What is Phishing?

Phishing is a form of social engineering, typically through email or through SMS or over the phone, where criminals are trying to get some kind of information that they can use to access things that they shouldn’t be able to access. 

For people who are unaware, there are a couple of different types of phishing attacks.

What’s the Difference Between General Phishing and Spearphishing?

General phishing is typically a super mass mailing of emails that all have the same format, to try and get somebody to click on them without a lot of effort.

General phishing is really a numbers game, whereas spearphishing criminals will go and research a target.

phishing versus spear phishing diagram
Phishing vs. Spear-Phishing Diagram, Source: Tessian 2020

With spearphishing, there’s a little bit more preparation involved and the success rate tends to be much higher. 

As a result, people who use spearphishing typically aim for more valuable targets. Some examples include bookkeepers or CFOs, who have the ability to really give them something of value.

In Conclusion: General phishing is, as the name says, broad and untargeted, while spearphishing is aimed at a specific individual.

How Do You Identify a Phishing Attack?

Typically what you’ll see for general phishing is a domain name that doesn’t match or a sender name that you’re unfamiliar with. Another thing to be aware of is poor spelling or poor grammar. 

signs of a phishing attack

You may see attachments that don’t make a ton of sense or attachments that are file types you wouldn’t normally access. 

They may be asking you to do something that is outside of the normal process for your company.

What Are Some Good Practices to Prevent a Phishing Attack?

It is important to have good security policies in place. 

You should have an understanding of the processes that are common high-risk activities, like sending out payroll or sending wire transfers. Those are some of the most common vectors we see for criminals taking advantage of that trust and then damaging a company.

Users should understand that if something is suspicious they should report it, and there should be some kind of process in place that makes it easy for users to ask for assistance.

You should know the basic things to check for in every email, because a lot of users don’t know what to look for or they are simply unaware.
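The signs listed under "How Do You Identify a Phishing Attack?" and the high-risk processes mentioned above (payroll, wire transfers) can be turned into a checklist a script can run against a message. The following is an added example written for this page, not HailBytes tooling and not part of the interview. It assumes a trusted-domain list (`TRUSTED_DOMAINS`, set to `example.com` here) and uses a constructed spearphishing sample; the phrase lists are illustrative, not a complete catalogue.

```python
"""Heuristic triage of a single suspicious email (added example, not HailBytes tooling).

Automates the checks from the interview: a sender domain that does not match the
name it claims, an unfamiliar or look-alike domain, attachment types a user would
not normally open, and a request outside normal process (wire transfers, payroll).
TRUSTED_DOMAINS and the sample message are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain(s)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html", ".htm"}
HIGH_RISK_PHRASES = ("wire transfer", "payroll", "gift card", "direct deposit", "bank details")
URGENCY_PHRASES = ("urgent", "immediately", "right away", "asap", "before end of day")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].strip().lower()


def triage(msg: EmailMessage) -> list[str]:
    """Return the human-readable warning signs found in one message."""
    findings: list[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Sign 1: the sending domain is unfamiliar, imitates a trusted one, or the
    # display name carries a trusted address to look internal in narrow mail clients.
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"unfamiliar sender domain: {from_domain}")
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(from_domain, trusted) <= 2:
                findings.append(f"look-alike domain: {from_domain} resembles {trusted}")
        if "@" in display_name and domain_of(display_name) in TRUSTED_DOMAINS:
            findings.append(f"display name claims {domain_of(display_name)} "
                            f"but mail is from {from_domain}")

    # Sign 2: replies are routed to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from "
                        f"From domain {from_domain}")

    # Sign 3: attachments of a type the recipient would not normally open.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if PurePosixPath(filename).suffix.lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {filename}")

    # Sign 4: a request outside normal process, especially when paired with urgency.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    process = [p for p in HIGH_RISK_PHRASES if p in text]
    urgency = [u for u in URGENCY_PHRASES if u in text]
    if process:
        findings.append("high-risk process mentioned: " + ", ".join(process))
    if process and urgency:
        findings.append("urgency combined with a payment/payroll request")
    return findings


def triage_raw(raw: str) -> list[str]:
    """Parse an RFC 5322 message exactly as received, then triage it."""
    return triage(email.message_from_string(raw, policy=policy.default))


def sample_message() -> str:
    """Constructed spearphishing sample aimed at a bookkeeper; not a real message."""
    msg = EmailMessage()
    msg["From"] = '"Jane Doe ceo@example.com" <jane.doe@examp1e.com>'
    msg["To"] = "bookkeeper@example.com"
    msg["Reply-To"] = "jane.doe.ceo@mail-relay.invalid"
    msg["Subject"] = "Urgent wire transfer before end of day"
    msg.set_content("Please process the attached wire transfer immediately. "
                    "I am in a meeting and cannot take calls; confirm by email only.")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="Wire_Instructions.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage_raw(sample_message()):
        print("-", finding)
```

Running it on the constructed sample reports every sign the interview describes: an unfamiliar and look-alike domain (`examp1e.com`), a display name impersonating an internal address, a Reply-To pointing elsewhere, an executable disguised with a double extension, and an urgent wire-transfer request. A benign internal message produces no findings. This is a triage aid for the "forward it and ask" process, not a replacement for mail-gateway controls.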

How Does Hailbytes Help With Phishing Awareness and Training?

We offer phishing simulations where we send a company's users phishing emails, see who clicks on them, and get an understanding of what their security posture looks like. Ultimately, we are able to discover which users in their organization are vulnerable.

Our tools allow them to forward emails and get a report back explaining the risky factors in that email, and the internal security team will also get that report.


We also have basic and advanced security trainings that show users a lot of the common tactics that are used, and a lot of the common things they need to look out for when they suspect that an email might be a phishing attack.

Conclusion Points:

  • Phishing is a form of social engineering.
  • General Phishing is a widespread form of attack.
  • Spearphishing involves research on the phishing target and is more successful for the scammer.
  • Having a security policy in place is the first step to mitigating cybersecurity threats.
  • Phishing can be prevented through training and through phishing simulators.