Managing IT security has many facets and layers, but phishing continues to stand out as likely the most persistent and dangerous threat of all, and it appears to be getting worse. Awareness programs and training that help everyone identify phishing emails and know how to handle them are essential components of any security management plan.

An awareness program succinctly reminds people what to look out for and what to do. It might be implemented as a section in your employee handbook, a few posters on walls around the office, and an occasional email reminder. Training may be delivered in person or as assigned video modules. A simulated phishing campaign can be a particularly effective training technique: someone who clicks on a simulated bad link is redirected to a page that provides training, and management can review a report of who clicked when they shouldn’t have.

A single click can be all it takes for malware to infect a system, or worse. However, the “payload” may not be malware at all. It may be a lure that induces someone to share information that should not be shared or to perform a financial transaction. A common scam that has been making the rounds is an email that purports to come from someone in the company to their assistant, asking them to go to the store, buy a number of gift cards, scratch off the covers to reveal the codes, and reply to the email with those numbers.

The phishers are getting much better at finding the names and email addresses inside companies so that the requests appear legitimate. Automation and artificial intelligence appear to be helping them gather the correct information, so these scams can seem very believable. In addition to gift cards, scammers sometimes request wire transfers. In virtually all cases, the scammers convey a strong sense of urgency. The goal is to convince the recipient of the email (or text message) that immediate action is required. The phisher is counting on the target not stopping to ask questions.

One measure I’ve been putting in place with my clients to combat this is a special notification that is automatically added to every email received from outside the company. This notification alerts the recipient that the message came from an ** External Sender **.

[Image: example email with external sender notice]

The notification text is highlighted with a yellow background so that it stands out and provides a clear visual cue. Everyone should be on the lookout for phishing messages regardless of whether they are tagged as external. However, this notification gives an additional reason to treat external messages with an extra bit of suspicion. Of course, always treat messages that are caught in your spam filter quarantine with a high degree of suspicion as well. Sometimes legitimate messages are accidentally flagged as spam, but often a quarantined message is a phishing email masquerading as a legitimate one. Never blindly release a suspected spam email and trust it.
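As an added example (not the author’s tooling or any product’s code), here is a Python function that applies the external-sender banner at the mail gateway. It assumes the gateway hands it the raw RFC 5322 message together with the SMTP envelope sender, that the gateway has already stamped an Authentication-Results header (RFC 8601) carrying a DMARC verdict, and that the company domain is the hypothetical example.com. The check it adds beyond the paragraph above: a From: header that claims your own domain is exactly what a spoofer sends, so the banner decision keys on the envelope sender and the DMARC result as well, and fails toward tagging. The sample messages are constructed for the example.

```python
# Added example: tag inbound mail that did not originate inside the company.
# Assumes the gateway hands us the raw RFC 5322 message plus the SMTP envelope
# sender, has already stamped an Authentication-Results header (RFC 8601) with
# a DMARC verdict, and that the company domain is the hypothetical example.com.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # hypothetical company domain

# Banner lines are kept under 78 characters so the body stays plain 7-bit text.
BANNER_TEXT = ("** External Sender ** This message came from outside the company.\n"
               "Treat any links, attachments or requests in it with extra suspicion.\n\n")
BANNER_HTML = ('<div style="background:#ffff00;padding:6px;font-weight:bold">\n'
               + BANNER_TEXT.rstrip("\n") + "\n</div>\n")


def _domain(addr):
    """Lower-cased domain of an address, '' if it cannot be parsed."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def _dmarc_pass(msg):
    """True if any Authentication-Results header records dmarc=pass."""
    return any(re.search(r"\bdmarc=pass\b", str(v), re.I)
               for v in msg.get_all("Authentication-Results", []))


def is_external(msg, envelope_from):
    """Internal only when every signal agrees; otherwise fail toward tagging.

    A From: header that claims the company domain is exactly what a spoofer
    sends, so the envelope sender and the DMARC verdict must back it up.
    """
    if _domain(msg.get("From", "")) not in INTERNAL_DOMAINS:
        return True
    if _domain(envelope_from) not in INTERNAL_DOMAINS:
        return True
    return not _dmarc_pass(msg)


def classify(raw, envelope_from):
    """'external' or 'internal' for a raw message and its envelope sender."""
    msg = message_from_bytes(raw, policy=policy.default)
    return "external" if is_external(msg, envelope_from) else "internal"


def tag_external(raw, envelope_from):
    """Return raw unchanged for internal mail; otherwise prepend the banner to
    every text body part and add an X-External-Sender header for mailbox rules."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_external(msg, envelope_from):
        return raw
    msg["X-External-Sender"] = "yes"
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            part.set_content(BANNER_HTML + body, subtype="html")
        elif part.get_content_subtype() == "plain":
            part.set_content(BANNER_TEXT + body)
    return msg.as_bytes()


# Constructed sample messages (not real traffic).
SPOOFED_MAIL = b"""\
From: "Pat Jones, CEO" <pat.jones@example.com>
To: assistant@example.com
Subject: Quick favor - need this today
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

I need 10 gift cards for clients today. Reply with the codes.

--b1
Content-Type: text/html; charset="us-ascii"

<p>I need 10 gift cards for clients today. Reply with the codes.</p>

--b1--
"""

INTERNAL_MAIL = b"""\
From: "Pat Jones, CEO" <pat.jones@example.com>
To: assistant@example.com
Subject: Agenda for Monday
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached is the agenda, see you then.
"""

if __name__ == "__main__":
    print(tag_external(SPOOFED_MAIL, "bounce@mailer.attacker.invalid").decode())
```

Run it to see the gift-card lure come out with the banner at the top of both the plain-text and HTML bodies and an X-External-Sender header, while the internally authenticated message passes through untouched. The X-External-Sender header is there so that mailbox rules and the spam quarantine can key on the same decision rather than re-deriving it.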

The phishers are continually improving their game, so we need to improve ours as well. If in doubt, assume that a message is not legitimate and take extra steps to validate it, for example by confirming the request with the purported sender by phone or in person, using a number you already have rather than one from the message. The quality of these phishing messages can be quite good; a message may look legitimate when it is not. Put yourself in the shoes of the phishing email’s creator. What might a “bad guy” try to fool you into doing? Click on a link? Send money or gift card codes? Reveal confidential information? Expect deceptive emails, texts, or calls and be prepared to deal with them.

I recommend having an active company policy for dealing with suspicious emails. With respect to suspected phishing emails, the policy should be to avoid clicking on any links, opening any attachments, or responding to the sender in any fashion. Additionally, I recommend that the policy require forwarding any suspicious email to your IT support team with a note saying either:

  1. You’ve assumed it’s not legitimate and deleted the message, so this is just FYI, or
  2. You would like confirmation of whether the message is legitimate

Your IT team should confirm whether the message is legitimate. If it is not, IT may be able to use the sample to update your email filtering blacklist and further improve your defenses.

A little proactive phishing prevention goes a long way towards improving your IT security.