Treat Every Eamil as if it is a Phishing Attempt
Although phishing has been a problem for years, phishing emails have increased by an estimated 600% over the past two years. Setting a record number of cyber-attacks in that time, phishing continues to be a go-to source for hackers.
Because of the mass amounts of phishing emails targeting victims every day, it is more important now than ever to remember The Golden Rule of Email. This modern version of the well-known principle is to treat every email as if it’s a phishing attempt.
The cybersecurity field as a whole has been preaching phishing training for years. October 2021 marked the 18th year for Cybersecurity Awareness Month, yet we still see record-breaking attacks and losses.
To help fix this recurring problem, organizations should consider modifying their training approach to focus on building habits versus one-off lessons. Instead of solely teaching specific details to look for, focusing on building a repeatable process can have a more significant impact. It’s not the security awareness training alone that makes the difference, but the repeated process taken while investigating an email.
Implementing The Golden Rule of Email Process
The first step in implementing The Golden Rule of Email is establishing it as part of onboarding techniques and general practices, similar to how employees comprehend the mission or values of a company.
Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools to be mastered by every employee.
If every employee was prompted to recite The Golden Rule of Email and the process it takes to spot phishing, with everyone responding promptly and accurately, employers and businesses might get a better sense of just how their company sits when it comes to defending against phishing attacks.
Once the initial concept of the rule is adopted across the company, it’s time to start building the skills necessary to support the rule and act against any suspicious activity.
A crucial step in helping employees steer clear of phishing emails is asking the three Ws – who, what, and why.
Questions similar to the following should be considered for every email received:
Who?
- Do I know the sender?
- Is this someone with whom I usually communicate?
- Is the email sent to an unusual group of people?
- Is the email address spelled correctly?
- Does the email address match the email in the signature?
What?
- What action does the sender want me to take?
- Does the email contain bad grammar, odd styling, or typos?
- Is the email written in style consistent with the sender?
- Is the action something you’d expect from the sender?
- Is it an urgent request?
Why?
- Why do they want me to click on a link, download an attachment, or send information?
- Are they presenting a sense of urgency?
- What is the consequence they are threatening if no action is taken? Is it something I should expect?
- Have they presented an unusual situation? Is it something I should expect?
It’s also important to be wary of different phishing types:
- Email phishing – Emails using fake domains to collect private and financial information.
- Spear phishing – A more malicious email targeting specific people. Hackers normally have private information about the individual they’re targeting, like their name, job title, and email address.
- Whaling – Emails that aim for senior-level staff and management, using scams and spoofed website links to pry into bank accounts, financial information, and personal details.
- Smishing and vishing – Instead of emails, this form of phishing utilizes texting and over-the-phone conversations where scammers pose as fraud investigators warning individuals of “breached” accounts. Scammers will also ask for payment details to verify identities and attempt to transfer funds.
- Angler phishing – Hackers use social media to gain sensitive information and download malware. They can also use data from social media to create more advanced and targeted attacks.
In addition to warning employees of the various ways to phish, organizations can put technical controls in place to help filter down phishing emails and security controls to ensure emails are coming from valid sources.
The final step in the process is taking accountability. Each employee should know exactly what steps to take when they spot a phishing email. Also, anyone who accidentally clicks on a phishing email and realizes it should immediately report the incident to their respective IT or security department(s) for faster identification and quicker response times.
The goal is for The Golden Rule of Email – treating every email as if it’s a phishing attempt – to become second nature for everyone. If you habitually follow this rule, you will instinctively verify certain elements before taking any action on an email. It becomes more than just another rule to follow; it’s a habit backed up by a process.
For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. To download a free computer background and poster of “The Golden Rule of Email,” please visit sbscyber.com/Education/Free Downloads.