According to Microsoft, 20% of all small to mid-sized businesses have been cybercrime targets.
Phishing attacks use social engineering in emails and messages to persuade people to hand over information, such as passwords or financial information. Thwarting phishing attempts comes down to user behavior, and understanding what phishing involves is the best way to protect your business against some of the most common hacking methods.
According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report for Q4 2021, phishing attacks remained steady but high in 2021. APWG is an international consortium that attempts to eliminate fraud and identity theft caused by phishing and related incidents. The 2021 phishing numbers follow substantial increases in 2020, when it was reported that the final quarter saw almost twice as many phishing attacks as the same time in 2019. Phishing attacks have increased over 600% since the start of the COVID-19 pandemic, and almost 65% of organizations have experienced a phishing attack in the last year.
With more than 80% of all cyberattacks being phishing attacks, cybercriminals have certainly found their preferred method of exploitation. Most of these attacks come through email, and they generally take one of two forms: broad attacks aimed across the entire organization, or highly targeted attacks on specific individuals such as C-level executives or finance directors. Unfortunately, it takes only one clicked link or downloaded attachment by someone in your organization to put your company at significant risk. The size of the organization doesn’t matter, as hackers are just as likely to target a smaller business, especially if its security measures are weaker.
What can you do to prevent a successful phishing attack on your organization? The single most effective way to stop phishing attacks is through user training. Providing proper end-user security awareness training and educating employees on how to recognize a scam are the keys to protecting against phishing.
Employees need to know that they are targets as much as the leaders of the organization, and they should be trained to recognize and respond to threats that arise daily. At Christian Brothers Services, employees complete regular, mandated security training as part of a coordinated campaign that combines training and phishing simulation. Automated, simulated phishing attacks are emailed to employees. These emails mimic a genuine phishing email and are tracked to determine who clicks the link. The information collected shows which employees require additional education to improve their ability to spot red flags. These efforts work to create a healthy, continuous dialogue among all employees to help them and the company improve and practice safe computing, which should help to improve the company's security posture and risk profile. The following are some key concepts to include in end-user training:
Every organization needs to acknowledge the threat that cyberattacks and scams pose to its existence. Christian Brothers Information Technology & Website Services can help your organization meet its cybersecurity needs. If you have questions or would like guidance on online IT security measures, contact us at 800.807.0200 or customerservice@cbprograms.com.
See next page for correct answer.
Answer: Which of the following is an example of a “phishing” attack? D. All of the above.