This article was written with companies in mind; most of it applies to individuals as well. A large share of security incidents start with phishing, and I have a sure-fire way to avoid becoming a phishing victim: just do not click on links in email or open attachments. Yes, I do realize that this advice is about as useful as telling someone to stop smoking or not to eat donuts. It is a lot easier said than done, and any suggestion that starts with the word “just” tends to be suspect. Hear me out, though, as I explain how this could be implemented.
This needs to start with a culture of not sending unexpected links or attachments around. There needs to be an internal document repository site that is automatically part of everyone’s bookmarks. Rather than attaching a file to an email or sending a link to it, describe in the email where it can be found on the internal site, something like “the document can be found under documents -> ProjectX -> design.”
This way, people will fall out of the habit of clicking on links or opening attachments, and doing so will start to feel abnormal and strange. Emails offering free ice cream and the like will continue to be tempting because human beings love games, contests, and most of all, free stuff. If you set up an internal contest around finding malicious emails and reporting them to the security team, that could satisfy the same urge, especially if free ice cream is the reward.
Rather than training people to decipher URLs and judge whether a link is legitimate, make the training situational. A few scenarios:
- They are signing up for a service that asks for their email address, and the sign-up process says a confirmation email is being sent and that they need to click a link in it to confirm the registration. If an email that looks like it is from that organization arrives within a few minutes, clicking that link carries a relatively low risk. The email should arrive in that window and the link should go to the site they just signed up on; an email arriving hours later, or pointing somewhere else, does not match the scenario.
- They are on a conference call. Someone on the call says they are sending a document to everyone, explains what it is about, and explains why it needs to be sent around rather than posted to the document repository. When an email from that person arrives that matches the description, opening it carries a relatively low risk.
- They receive an email with a link or attachment that does not match either of those scenarios, claiming to be from an internal contact or another known contact. Look up that person’s contact information in the internal company contact list and call them or send them a chat message asking what this is about and why they chose to send it in an email rather than post it on the document repository. If the explanation is satisfactory, the risk of opening it is low. Never reply to the email or use contact information found in the email. If no contact information for the sender is available outside of that email, consider the email malicious. If the explanation seems off or sketchy, or the sender seems sketchy, the safe move is to consider the email malicious.
Additionally, it would be a good idea to train everyone in the hallmarks of phishing attempts, which include:
- Attempts to scare you (your account is compromised, a payment failed, legal trouble)
- Appeals to emotion (curiosity, greed, the desire to help)
- Extreme urgency (act now, within the hour, before the deadline)
Ensure all internal processes specify that if there is ever a legitimate, urgent internal email, it does not contain links or attachments and simply directs the recipient to the internal site. All internal announcements should be posted on an internal website as well, so that an email with an embedded link or attachment, urgent or not, is itself the anomaly.
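The rule above can be enforced at the mail gateway rather than left to habit alone: internal senders who embed links (other than to the repository) or attach files get held, external mail carrying links or attachments gets a warning banner, and the scare/urgency wording from the hallmarks list is flagged as well. The following is an added example, not code from the article; it assumes an internal mail domain of example.com, a sanctioned repository host of docs.example.com, and a small hypothetical phrase list, and the messages it evaluates are constructed inline rather than real mail.

```python
"""Mail-flow check for the 'no links or attachments in internal email' rule.

Added example, not from the article.  Assumes the internal mail domain is
example.com and the sanctioned document repository is docs.example.com;
both are assumptions, as is the urgency phrase list.  Sample messages are
constructed below and are not real mail.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"       # assumption
REPOSITORY_HOST = "docs.example.com"  # assumption: the one internal site links may point to
URL_RE = re.compile(r"https?://([^/\s<>\"']+)[^\s<>\"']*", re.IGNORECASE)
# Crude wording heuristic for the 'scare / urgency' hallmarks; tune for your organization.
URGENCY_PHRASES = ("urgent", "immediately", "act now", "within 24 hours", "will be suspended")


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> str:
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: EmailMessage) -> str:
    """Concatenate the readable text parts (plain and HTML), skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def link_hosts(text: str) -> list[str]:
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def attachment_names(msg: EmailMessage) -> list[str]:
    return [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]


def evaluate(raw: bytes) -> dict:
    """Return the verdict a gateway would act on: pass, warn (banner), or hold (quarantine)."""
    msg = parse(raw)
    domain = sender_domain(msg)
    internal = domain == INTERNAL_DOMAIN
    text = str(msg.get("Subject", "")) + "\n" + body_text(msg)
    hosts = link_hosts(text)
    off_repo = [h for h in hosts if h != REPOSITORY_HOST]
    attachments = attachment_names(msg)
    findings = []
    if internal and off_repo:
        findings.append("internal sender linked outside the repository: " + ", ".join(off_repo))
    if internal and attachments:
        findings.append("internal sender attached files instead of posting them: " + ", ".join(attachments))
    if not internal and (hosts or attachments):
        findings.append("external message carries links or attachments; confirm out of band")
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if internal and (off_repo or attachments):
        verdict = "hold"
    elif findings:
        verdict = "warn"
    else:
        verdict = "pass"
    return {"from_domain": domain, "internal": internal, "links": hosts,
            "attachments": attachments, "findings": findings, "verdict": verdict}


def build_sample(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Constructed test message (not real mail); attachment is an optional (name, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


SAMPLES = {  # constructed messages, one per scenario
    "internal_clean": build_sample("pm@example.com", "ProjectX design",
        "The design doc is under documents -> ProjectX -> design on the intranet."),
    "internal_repo_link": build_sample("pm@example.com", "ProjectX design",
        "Posted at https://docs.example.com/ProjectX/design"),
    "internal_bad_link": build_sample("it@example.com", "URGENT: password reset",
        "Reset within 24 hours at https://sso-example.com.evil.example.net/reset"),
    "internal_attachment": build_sample("finance@example.com", "Q3 numbers",
        "Please review the attached spreadsheet.", ("q3.xlsx", b"\x00\x01")),
    "external_confirm": build_sample("noreply@signup.example.net", "Confirm your registration",
        "Confirm here: https://signup.example.net/confirm?t=abc123"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = evaluate(raw)
        print(f"{name:20} {r['verdict']:5} {'; '.join(r['findings'])}")
```

The check trusts the From domain, so it only means something behind a gateway that already authenticates inbound mail (SPF, DKIM and DMARC); without that, an attacker spoofing an internal address would be classified as internal and, if the message carries no link or attachment, pass. The “hold” verdict is deliberately reserved for internal senders breaking the policy, since that is the behaviour the article is trying to make abnormal; external mail with links is the everyday case (confirmation emails, vendors) and gets a banner rather than a block.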