Does your organisation have a clicking culture? Do you know what the impact would be if one of your users clicked a link in a convincing phishing email?
Although phishing is not new, cyber criminals continue to rely on it to harvest credentials, passwords and other confidential information from unsuspecting recipients.
In December 2015, I predicted the resurgence of phishing and if we now look at our Global Threat Intelligence Report (GTIR), it seems well founded. Such attacks were responsible for 73% of malware delivered to organisations. Furthermore, over 60% of recent NTT Security incident response engagements were initiated to help organisations manage phishing attacks.
Phishing messages are often successful because they are designed to look genuine – and they are becoming more sophisticated and harder to detect. To defend your business and users against phishing attacks, it’s important to recognise the warning signs of a potentially malicious email.
Here are our five questions every business must ask if they think they’ve received a suspicious email:
- Do you recognise the sender? Are you subscribed to the service? Never respond to an email from an unknown source.
- Does the domain or email address look odd? Is the hyperlinked address different from the one displayed? Although phishing emails may mimic the legitimate company's format, the address in the ‘from’ field doesn't guarantee that the email came from the person or organisation named: the sender chooses what goes in that header, and it can be forged unless the receiving mail server enforces SPF, DKIM and DMARC. Hover over a link (without clicking) to see where it really goes, and treat a Reply-To address at a different domain from the sender as a warning sign.
- Do the links within the email have obfuscated or unfamiliar encoding? Cybercriminals may encode or obfuscate URLs in different ways to bypass spam filtering or mask malicious activity: percent-encoded paths, internationalised (punycode, ‘xn--’) hostnames that render as look-alike brand names, a bare IP address in place of a hostname, or a trusted name placed before an ‘@’ so that the real destination is the unfamiliar host after it.
- Does the email read in an unusual way? Does it contain poor grammar or spelling mistakes? Official emails sent by reputable businesses are usually professionally written – so a message filled with typos and grammatical mistakes probably isn't authentic. The reverse does not hold: a well-written message can still be a phish, so polished prose is no reason to skip the other checks.
- Is the email requesting urgent action? A legitimate email is unlikely to contain phrases like ‘you only have three days to reply’ or ‘urgent action required’. Urgency is there to make the recipient act before they check.
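The sender and link checks in the list above can be applied mechanically before a message ever reaches a user's inbox. The script below is an added example written for this page, not NTT Security tooling; every domain, header and the sample message are constructed for illustration, and the flag names (`from-display-mismatch`, `userinfo-in-url`, `punycode-host` and so on) are this example's own. It parses a raw message, compares the sender's display name and Reply-To with the actual From domain, reads the receiving server's Authentication-Results header for SPF/DKIM/DMARC failures, and for every HTML link compares the text the user sees with the host the browser would actually visit after percent-decoding, stripping any `user@` prefix and decoding punycode.

```python
"""Heuristic triage of a suspicious email: sender checks and link checks.

Added example, not NTT Security code. All domains, headers and the sample
message below are constructed for illustration.
"""
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Matches a hostname such as www.bank.example inside free text (optionally
# preceded by a scheme); group 1 is the host.
DOMAIN_RE = re.compile(
    r"(?:https?://)?([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)",
    re.I,
)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(shown, actual):
    """True if the displayed host is the real host or a parent/child of it."""
    shown, actual = shown.lower(), actual.lower()
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def check_link(href, text):
    """Return (flag, detail) pairs for one anchor; an empty list means nothing odd."""
    out = []
    decoded = unquote(href)
    if decoded != href:
        out.append(("percent-encoded", href))
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://trusted.example@evil.example/ : the browser goes to evil.example
        out.append(("userinfo-in-url", f"'{parts.username}@' precedes the real host {host}"))
    try:
        ipaddress.ip_address(host.strip("[]"))
        out.append(("ip-literal-host", host))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            rendered = host.encode("ascii").decode("idna")  # what an address bar may show
        except UnicodeError:
            rendered = "?"
        out.append(("punycode-host", f"{host} renders as {rendered}"))
    m = DOMAIN_RE.search(text)
    if m and not same_site(m.group(1), host):
        out.append(("link-text-mismatch", f"text shows {m.group(1)}, link goes to {host}"))
    return out


def analyse(raw):
    """Run the sender and link heuristics over a raw RFC 5322 message string."""
    findings = []
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    for shown in DOMAIN_RE.findall(name):  # a domain inside the display name
        if not same_site(shown, from_domain):
            findings.append(("from-display-mismatch", f"name shows {shown}, address is @{from_domain}"))
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to @{reply_domain}"))
    auth = msg.get("Authentication-Results", "")  # added by the receiving server
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append(("auth-fail", f"{method}={result}"))
    body = msg.get_payload(decode=True) or b""
    html = body.decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        findings.extend(check_link(href, text))
    return findings


# Constructed sample: a look-alike label with a Cyrillic 'a' (U+0430) in IDNA form.
LOOKALIKE = "b\u0430nk.example".encode("idna").decode("ascii")
SAMPLE = f"""\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bank-secure-login.example; dkim=none; dmarc=fail header.from=bank-secure-login.example
From: "Bank Support <service@bank.example>" <service@bank-secure-login.example>
Reply-To: collect@mail-drop.example
To: finance@corp.example
Subject: Urgent action required: your account will be limited in 3 days
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your details within 3 days.</p>
<p><a href="https://www.bank.example@203.0.113.10/%73ignin">https://www.bank.example/signin</a></p>
<p><a href="https://{LOOKALIKE}/login">https://bank.example/login</a></p>
<p><a href="https://www.corp.example/help">https://www.corp.example/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag, detail in analyse(SAMPLE):
        print(f"{flag:22} {detail}")
```

Run against the constructed sample, the script reports the forged display name, the foreign Reply-To, the SPF and DMARC failures, and three problems with the first link (percent-encoding, a `user@` prefix hiding an IP-literal host, and link text that does not match the destination) plus the punycode look-alike in the second; the third link is clean and produces no finding. `same_site` deliberately accepts parent and child domains so that `bank.example` shown for `www.bank.example` is not reported.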
The bottom line? Don’t open a message if you’re not 100% sure who it has come from. If you do open the email, but are in any doubt, don’t click on any links or downloads.
Finally, organisations should implement social engineering testing for their employees in order to confirm their ability to detect and respond to genuine phishing scenarios. Standard security awareness training alone is not adequate – especially for organisations that maintain or access highly sensitive data – and this is why social engineering (phishing) training should form part of every information security and risk management strategy.