Most people aren’t aware of how sophisticated phishing email templates and websites have become, according to David Dufour from Webroot. Dufour recently told the CyberWire that criminals are realizing the effectiveness of improved social engineering techniques, and that the majority of employees are unprepared to face these tactics.
“They're hyperfocused on improved spelling, improved grammar, and they are becoming more psychologically focused, where they're trying to get you to react rather than just saying, hey, maybe you can get a million dollars, or hey, it's your bank – maybe you should call us,” Dufour explained. “They're really trying to play on things like, hey, this is your boss – I need something urgently. Or this is your financial institution – your account's been hacked, we need you to click here right now and update your account information. They're really getting good at that psychological component.”
Dufour said there’s an extreme lack of awareness surrounding this problem, with most people vastly overestimating their ability to identify phishing emails.
“There's not only a little bit of a disconnect; it's huge,” he said. “Around 80% of folks really, genuinely feel like they can identify it, but then once we start drilling into interviewing, they're struggling with finding phishing emails because they still hearken back to the days of the poor grammar and things like that.”
Dufour recommended employee training with realistic examples of phishing emails as the best way to mitigate the problem.
“So, we're a huge proponent of that because the number one thing you can do in terms of if you're an employer is to train your employees to identify phishing emails and what to do with it,” he said. “Obviously, if people don't know what a phishing email looks like, they don't know how to respond to it. So training is always imperative because they're playing psychologically on folks.”
Dufour told the CyberWire’s Dave Bittner that employees need to know they won’t get in trouble for falling for a phishing email. After they’ve realized their mistake, the most important thing they can do is report it, and they might be reluctant to do so if they’re worried about being punished.
“And the second part of that is, what do they do if they suspect a phishing email or if they've been phished?” he asked. “You know, people can be embarrassed. They can be a little bit like, oh, my gosh, I'm going to get in trouble. You have to spell it out that you're not going to get in trouble. And in fact, if you have been phished, it's imperative that you tell your organization because then they have tools they can put in place to monitor for activity around that phish. So it's really important that you let people know. All of us get phished, David. It's not a question of if – it's more of a question of when.”
Criminals are always switching up their tactics to try to stay ahead of user education. New-school security awareness training can provide your employees with up-to-date knowledge of the latest techniques attackers are using.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-daily-2019-10-25.html