It’s big business today. Training employees to defend themselves (and their organization) from phishing emails. And there’s a good reason for that. Phishing is big business.
It’s estimated that the average cost of a spear phishing attack is $1.6 million. So, no matter what a company spends to train its employees, if it keeps them from getting phished, it’s probably a good investment.
The stated purpose of awareness training is to make employees aware of all the various exploits hackers can use to phish them. There are definitely some awareness basics that should be included in every training.
Display name spoofing and domain name spoofing
The training should make employees aware of both types of spoofing. Display name spoofing is when a hacker replaces the “from name” in an email with a name the recipient will trust. Since most people don’t take the time to look at the “from address”, this is an easy way for them to get phished.
With domain name spoofing on the other hand, hackers send an email from what appears to be the correct “from address.” It only appears to be correct because the hackers used what’s known as a homograph attack in which they replaced ASCII letters in the domain name with identical looking, but quite different Cyrillic letters. So, even if people take the time to check the “from address,” they can still get phished with this technique.
Novel phishing techniques
The training should make employees aware of novel phishing techniques like conversation hijacking and invisible links. Conversation hijacking occurs when a hacker sends a malicious email in the middle of an ongoing email conversation between two people. The email appears to be part of the ongoing conversation so both parties have their guard down.
Invisible links is the latest phishing technique aimed at mobile phones. With this technique, hackers make a malicious link invisible and replace it with a “bothersome” graphical element like a speck of dust or hair. When the user goes to clean off their screen, they are actually launching a phishing attack.
Use two channel authorization for financial transactions
Employees should be taught that emails requesting financial transactions should always be confirmed via a second channel. In other words, if the boss requests a money transfer in an email, the employee should walk over to the boss’s office and confirm the intent of the email. This prevents one of the fastest growing forms of phishing attacks today: business email compromise.
The Real Purpose to Awareness Training
It’s essential that any awareness training include these items at a minimum. But the reality is that teaching these techniques isn’t the true purpose of awareness training. Why? Because hackers are constantly evolving and today’s techniques will be replaced by different techniques tomorrow that are even more sophisticated. The techniques taught today may not even be used in the future.
So, what is the real purpose to phishing awareness training? Paranoia. Generally heightening employees’ overall suspicion about email is the goal of awareness training.
When it comes to protecting organizations from phishing attacks, suspicious employees are good employees. They should be taught to be suspicious of everything and to question anything that looks out of place.
Awareness training + anti-phishing software
The winning combination today in the battle against phishing attacks is a combination of employee awareness training and anti-phishing software. Well-trained employees can keep about 90% of the phishing emails from causing harm and the anti-phishing service can handle the rest.
If you want to keep your company from needlessly spending $1.6 million to recover from a phishing attack, protect it with a combination of employee awareness training and anti-phishing software. You can deploy both for a couple a buck a month per employee.