Intelligent Tech Channels Issue 66 | Page 40

The key takeaway here? Phishing is no longer about infecting your computer. The primary goal of phishing is to steal people’s credentials, logins and passwords so attackers can then log in as their victims. In addition, we see both imposter-based attacks, such as BEC, and telephone-based phishing attacks continue to rise. Who needs to steal money or passwords when you can literally just ask for them?
Phishing indicators
What should we teach people so they can easily detect these ever-evolving attacks? We do not recommend that you try to teach people about every different type of phishing attack and every possible lure. Not only would this most likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, focus on the most commonly shared indicators and clues of an attack.
This way your workforce will be trained and enabled regardless of the method or lures cyber attackers use. In addition, emphasize that phishing attacks are no longer just about email but use different messaging technologies. That is why the indicators below are so effective: they are common in almost every phishing attack, regardless of the goal and whether it arrives via email or messaging.
Urgency: Any email or message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail. The greater the sense of urgency, the more likely it is an attack.
Pressure: Any email or message that pressures an employee to ignore or bypass company policies and procedures. BEC and CEO fraud attacks are a common example.
Curiosity: Any email or message that generates a tremendous amount of curiosity or seems too good to be true, such as a notice of an undelivered UPS package or that you are receiving an Amazon refund.
Tone: An email or message that appears to be coming from a co-worker, but the wording does not sound like them, or the overall tone or signature is wrong.
Generic: An email that comes from a trusted organisation but uses a generic salutation such as Dear Customer. If FedEx or Apple has a package for you, they should know your name.
Email address: Any email that appears to come from a legitimate organisation, vendor or coworker, but is using a personal email address like @gmail.com.
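Two of the indicators above, Generic and Email address, can also be checked mechanically by a mail filter or triage script. The following is an added example, not part of the original article; the staff name, brand list, personal-mail domains and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: staff names, expected brands, personal-mail domains.
STAFF = {"dana reyes"}
BRANDS = {"fedex", "apple"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member")


def body_text(msg) -> str:
    """Return the first text/plain part, or the payload of a simple message."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload()
        return ""
    return msg.get_payload()


def indicators(raw_message: str) -> list:
    """Report which of the 'Email address' and 'Generic' indicators are present."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    display, domain = display.lower(), address.rpartition("@")[2].lower()
    found = []

    # Email address: a trusted name (brand or coworker) on a personal domain.
    claims_trusted = display in STAFF or any(b in display for b in BRANDS)
    if claims_trusted and domain in PERSONAL_DOMAINS:
        found.append("email address")

    # Generic: the greeting line does not address the recipient by name.
    lines = [ln.strip().lower() for ln in body_text(msg).splitlines() if ln.strip()]
    if lines and lines[0].startswith(GENERIC_SALUTATIONS):
        found.append("generic")
    return found


# Constructed sample messages (not real mail).
SPOOFED = ("From: FedEx Delivery <fedex.parcel.desk@gmail.com>\n"
           "Subject: Package waiting\n\nDear Customer,\nYour package is held.\n")
COWORKER = ("From: Dana Reyes <dana.reyes@example.com>\n"
            "Subject: Lunch\n\nHi Sam,\nAre you free at noon?\n")
IMPOSTER = ("From: Dana Reyes <dana.reyes.office@gmail.com>\n"
            "Subject: Quick favour\n\nHi Sam,\nAre you at your desk?\n")

if __name__ == "__main__":
    for sample in (SPOOFED, COWORKER, IMPOSTER):
        print(indicators(sample))
```

Urgency, pressure, curiosity and tone depend on context and wording, so they remain judgement calls for the reader rather than rules in a script like this.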
Obsolete indicators
These are typical indicators that have been recommended in the past, but we no longer recommend them.
Misspellings: Avoid using misspellings or poor grammar as an indicator; in today’s world you are more likely to receive a legitimate email with bad spelling than a crafted phishing attack. Misspellings will most likely become even less common as cyber attackers use AI solutions to craft and review their phishing emails and correct any spelling or grammar issues.
Hovering: One method commonly taught is to hover over the link to determine if it is legitimate. We no longer recommend this method except for highly technical audiences. One problem with this method is that you have to teach people how to decode a URL, a confusing, time-consuming and technical skill.
In addition, many of today’s links are hard to decode as they are re-written by phishing security solutions such as Proofpoint. Also, it can be difficult to hover over links on mobile devices, one of the most common ways people read email.
Finally, if you train every employee in your organisation to hover over and analyse every link in every email, that is an extremely high-cost behaviour for your organisation.