When the Implausible Seems, Well, More Plausible

Stu Sjouwerman | Apr 15, 2020

Everyone is vulnerable to social engineering and no security tool can block every phishing email, according to Kevin Casey at The Enterprisers Project. Casey talked to a number of security experts in order to clear up some misconceptions, and offer advice about the reality of phishing attacks. Arun Kothanath, Chief Security Strategist at Clango, told him that the sudden shift to remote work offers attackers an opportunity.

“Remote employees need to be extra vigilant for phishing attacks,” Kothanath said. “The rapid proliferation of work-from-home policies driven by COVID-19 creates a potentially serious identity and access management vulnerability, and offers a rare opportunity for bad actors to pose as employees to access critical information by exploiting and profiting from this crisis.”

Matt Wilson, chief information security advisor at BTB Security, told The Enterprisers Project that the number-one mistake when it comes to phishing emails is believing that technically minded people are immune.

“The biggest misconception about phishing attacks is that tech-savvy users won’t fall for it,” Wilson said. “When working with organizations and testing their security posture, we regularly succeed in carrying out a staged phishing attack, even when targeting IT, InfoSec, and senior management.”

The Enterprisers Project also quotes Mike Bursell, Red Hat's chief security architect, as saying that phishing attacks often appear legitimate to the recipient.

“Many phishing emails look exactly the same as a normal email from the relevant party,” Bursell said. “To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you’re an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell.”

This is why security training is important for all employees. You may not be able to spot every sophisticated phishing email, but you can follow some simple guidelines to prevent attackers from succeeding. These guidelines include avoiding clicking on email links and attachments, implementing two-factor authentication on your accounts, and verifying emailed requests from coworkers using a separate mode of communication.
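As an added illustration of the "ways to tell" Bursell refers to (this script is added here and is not from The Enterprisers Project article or from KnowBe4), the following Python code inspects a message's headers for the inconsistencies that a polished phishing email often still carries: a display name that impersonates a different address, a Reply-To or Return-Path in a domain other than the visible sender, and failed or absent SPF/DKIM/DMARC results in the receiving server's Authentication-Results header. Both sample messages, their domains and header values are constructed for the example; the script uses only the Python standard library.

```python
"""Header-consistency checks for a single RFC 5322 message.

Added example, not part of the original post. The point it makes is the
one from the article: an empty findings list means none of the checked
red flags were present, not that the message is genuine.
"""
import email
import re
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_headers(raw: str) -> list[str]:
    """Return human-readable findings about the headers of one message."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name that itself looks like an address but is not the real
    #    sender, e.g. "finance@corp.invalid" <alerts@mailer.invalid>.
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append(
            f"display name {from_name!r} does not match sender {from_addr!r}")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(
            f"Reply-To domain {_domain(reply_addr)!r} differs from From domain {from_dom!r}")

    # 3. Envelope sender (bounce address) in a different domain than From.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append(
            f"Return-Path domain {_domain(rp_addr)!r} differs from From domain {from_dom!r}")

    # 4. Results stamped by the receiving mail server. Anything other than
    #    'pass' for SPF, DKIM or DMARC deserves a closer look.
    auth = msg.get("Authentication-Results", "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.IGNORECASE):
        if result.lower() != "pass":
            findings.append(f"{method.lower()} result is {result.lower()!r}")

    return findings


# Constructed sample: a payment-change request dressed up as internal mail.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.corp.invalid; spf=pass smtp.mailfrom=mailer.invalid;
  dkim=none; dmarc=fail header.from=corp.invalid
From: "finance@corp.invalid" <alerts@mailer.invalid>
Reply-To: payments@mailer-support.invalid
To: employee@corp.invalid
Subject: Urgent: updated bank details

Please update the supplier's bank details before 5pm today.
"""

# Constructed sample: an ordinary internal message with consistent headers.
BENIGN_MESSAGE = """\
Return-Path: <alice@corp.invalid>
Authentication-Results: mx.corp.invalid; spf=pass smtp.mailfrom=corp.invalid; dkim=pass header.d=corp.invalid; dmarc=pass header.from=corp.invalid
From: Alice Example <alice@corp.invalid>
To: employee@corp.invalid
Subject: Lunch?

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(f"{label}: {inspect_headers(raw) or ['no header inconsistencies found']}")
```

For the constructed suspicious message the script reports four findings (the impersonating display name, the off-domain Reply-To, dkim=none and dmarc=fail) and none for the benign one. The checks deliberately stop at header inconsistencies: a message that passes them all can still be a phish sent from a compromised legitimate account, which is exactly why the guidelines above end with verifying unusual requests through a separate channel.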

New-school security awareness training can enable your employees to defend themselves against phishing and other forms of social engineering in both their professional and personal lives.

The Enterprisers Project has the story: https://enterprisersproject.com/article/2020/4/remote-security-5-phishing-myths
