On this edition of the X-Force Red in Action podcast series, senior security consultant Chris Sethi joins us with tips for fighting back against phishing season fallout. How can companies protect their assets and promote phishing awareness to limit overall risk, especially during the holidays?
How Phishing Fraudsters Exploit Human Nature
While phishing attacks have become more difficult for attackers to execute thanks to increased awareness and improved technology, this threat vector remains popular because it still works. Why?
Sethi points to human nature — our psychological makeup boosts the efficacy of social engineering, especially when coupled with a sense of urgency. That’s why cybercriminals are still out there phishing for credit card data to commit fraud and corporate credentials to facilitate network attacks.
How are attackers breaching corporate defenses? According to Sethi, they’re creating ruses that fly under the radar and bypass filters to reach user inboxes. By creating high-quality phishing emails that appear to be from a valid source and carry a sense of urgency, malicious actors convince users to provide login and password information.
When Testing Goes Too Well
The X-Force Red team is often called upon to test corporate phishing defenses. In one engagement earlier this year, Sethi and her colleagues crafted a fake benefits update email that seemingly linked to the client’s legitimate benefits provider. Within an hour, the client called off the test — more than 50 users clicked through and provided access credentials. The story is amusing but also worrisome, since it only takes one set of valid credentials to facilitate a data breach.
Tips to Boost Phishing Awareness During the Holidays
Sethi advises users to avoid clicking email links and instead go directly to websites by typing their URLs into the browser's address bar or using a reputable search engine. Using WHOIS provides IP address information, but users need enough technical savvy to judge whether the address is valid or suspicious.
For Sethi, the best way to fight phishing fallout is to improve organizationwide security awareness. This means adopting a multipronged approach that includes posters around the office, regular emails about known issues and cultural shifts that prioritize reporting suspicious messages above email efficiency.
Worried about phishing attacks this season or heading into a new year? X-Force Red can test employee response and provide insight about what could happen during an attack — without exposing your company to real risk. Think of it like a fire drill for phishing: It enables security professionals to discover weaknesses and process problems before they lead to a five-alarm IT emergency.