Cybersecurity Awareness Month was established to provide resources to organizations and their employees to help them stay safer and more secure online. It is an opportunity to focus on four key behaviors: creating strong passwords and using a password manager, enabling multi-factor authentication, updating software, and recognizing and reporting scams. Each of these key behaviors is necessary to help keep organizations, their clients, and their employees secure.
Safeguarding Digital Assets by Identifying, Avoiding, and Reporting Phishing Attempts
Cyber criminals deploy scams to try to convince people to give their passwords, information, or money. Malicious emails are one of the primary methods for these cyber scams, and remain one of the top risks facing organizations, especially as advances in artificial intelligence give cyber criminals the ability to craft highly sophisticated and hard-to-identify phishing emails. No email filter can detect and catch all malicious emails, so some will pass through—leaving employees as the final barrier between an organization and cyber criminals. How can organizations educate employees to recognize and report phishing attempts?
- Emphasize the dangers of phishing. Phishing emails are a top cyber risk for organizations. As phishing emails become more advanced, spotting phishing indicators is getting harder. Train employees to respond methodically to suspicious emails by pausing to check sender names and email addresses, verify link URLs, and confirm that the type and context of the request make sense. It is also important to emphasize that cyber criminals may have access to and be monitoring a compromised account. To confirm a suspicious email’s legitimacy, employees should always call or text the purported sender on a known phone number rather than replying to the email or creating a new email. Interacting with the potentially suspicious email creates an opportunity for the criminals to communicate with the victim and convince the victim to comply with their request.
- Provide a security awareness program for all staff. Organizations’ most effective anti-phishing filters are employees who have been trained to identify, avoid, and report phishing emails. Organizations should educate all staff—employees, executives, and contractors—on phishing awareness and other digital security best practices. Rather than offering an annual training that repeats the same material as previous years, organizations should implement a Security Awareness Program that uses continuous communication to appeal to employees’ different interests and learning styles. A mix of live classes, online modules, newsletters, and phishing simulations can help employees learn and apply cyber best practices.
- Train employees on the variety of methods employed by cyber criminals. Cyber criminals use social engineering techniques to try to trick employees by manipulating their emotions. They focus on psychological triggers—such as fear, empathy, sex, curiosity, and other emotions—to convince people to take an action (e.g., click a link) or share information (e.g., a password). Phishing emails with malicious links remain a common form of social engineering, but cyber criminals also use business email compromise (BEC) emails and vendor email compromise (VEC) emails, as well as text messages, QR codes, phone calls, and direct messages in social media and online games. They sometimes even create fraudulent “email chains” that include a bogus invoice and reference a payment authorization from an “executive.” Organizations should train employees to identify, avoid, and report all types of attempts.
- Conduct internal phishing campaigns. Organizations can reinforce information security policies and training with simulated phishing campaigns. Challenge employees with exercises that mimic real-life techniques used by hackers to try to penetrate a network, such as emails with links that open a network sign-in page, BEC emails that appear to be from an executive, and phone calls that simulate IT support. Ensure that the campaigns include emails without spelling or formatting mistakes that appear nearly perfect, mimicking malicious emails that now can be created with AI. All users should be included in these campaigns—if a worker can access the organization’s network, even just through an email account, then they pose a risk to the organization.
- Encourage good cyber-hygiene habits on social media. An employee who overshares on social media can negatively impact an organization. Educate employees that information gathered about them can be used against them. Cyber criminals collect information from social media, other public online sites, and even the dark web to target and manipulate employees to provoke an emotional response; employees are more likely to respond without pausing or checking for red flags when an email appears personal. Anyone with access to the organization’s network can be targeted—not just executives—so everyone should be wary of how their online information can be used against them and the organization. Help employees understand that the more they post about themselves, the easier it is for hackers to target them.
- Establish guidelines for the use of personal email accounts. Using a personal email for work correspondence (or even cc-ing a personal email address) can make it difficult for colleagues to determine if an email from a purported personal account is valid or if it’s a phishing email. If a cyber criminal were to pose as an employee by sending a spoofed (or fake look-alike) email, prior use of a personal account may mean that recipients think the email is legitimate and respond with confidential information. If the use of personal email is required for business purposes, establish business rules around its use and ensure employees are aware of those rules.
- Ensure employees are familiar with reporting channels. Clear guidelines around what should be reported—and to whom—ensure that, if a security incident needs to be reported, employees will contact the correct channel. Train them to report suspicious emails, phone calls, and other security incidents in a timely manner. Emphasize that if an employee has responded to an unexpected or suspicious email in any way—clicked on a link, opened an attachment, typed a password, scanned a QR code, or replied—they must report it immediately so the organization’s Information Security team can begin investigating a potential compromise.
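The sender-name, sender-address and link-URL checks that the first point above asks employees to make by hand can also be run mechanically over a raw message, which is useful both for triage of reported emails and for building training material. The following is an added example written for this page, not a tool from the original text; it assumes a single trusted mail domain, example-corp.com, and a constructed sample message, and it flags a look-alike sender domain, a display name showing a different address than the real sender, a Reply-To on another domain, and link text that points somewhere other than its href.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's own mail domain

def normalize(domain):
    # fold common look-alike substitutions so "examp1e-c0rp.com" compares equal to "example-corp.com"
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def triage(raw_message):
    """Return (indicator, detail) findings for one raw RFC 822 message; [] means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, findings = domain_of(addr), []
    # 1. sender domain is not ours but becomes ours once look-alike characters are folded
    if from_dom not in TRUSTED_DOMAINS and normalize(from_dom) in {normalize(d) for d in TRUSTED_DOMAINS}:
        findings.append(("lookalike_domain", from_dom))
    # 2. the display name shows an address, but not the one the mail actually came from
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and domain_of(shown.group()) != from_dom:
        findings.append(("display_name_mismatch", f"{shown.group()} vs {addr}"))
    # 3. replies would go to a domain other than the one the From header claims
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", reply_dom))
    # 4. a link whose visible text is a URL on one host while its href goes to another
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            # simplified anchor extraction, adequate for the constructed sample below
            for href, text in re.findall(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.S):
                if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
                    findings.append(("link_mismatch", f"{text} -> {href}"))
    return findings

# constructed sample (not a real phishing email) that carries all four indicators
SAMPLE = """\
From: "IT Support helpdesk@example-corp.com" <helpdesk@examp1e-corp.com>
Reply-To: helpdesk@mail-verify.example.net
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Sign in at
<a href="http://login.mail-verify.example.net/sso">https://sso.example-corp.com</a> now.</p>
"""
```

Running `triage(SAMPLE)` returns four findings in the order of the checks, while a message from the real domain with matching link text and href returns an empty list.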
Each year, cyber criminals become more sophisticated in their attacks against organizations, and artificial intelligence is helping them execute near-perfect phishing emails and other scams. Continuous education can help ensure that cybersecurity best practices—creating long, unique passwords and passkeys, enabling multi-factor authentication, regularly installing updates, and evading phishing emails—are followed throughout the year, helping to keep confidential information secure.