PhishDefense
Phishing Training

Phishing is a type of cyber attack in which social engineering messages are sent by email, text message, voice, or posted as content on social media sites, with the intent of tricking victims into clicking on a phishing link, opening a malicious attachment, or taking other actions that are against their best interests. The cyber criminal's goal in a phishing attack is to steal valuable information such as identity credentials or financial information, or to install malware, like ransomware, on the victim's computing device.

Smishing, or SMS phishing, is a type of phishing attack in which a social engineering message is sent via a phone text with the goal of tricking the victim into revealing sensitive personal or financial information, or installing malware. Smishing messages often contain phishing links or phone numbers to call, but can also be a Business Email Compromise (BEC) attack. Smishing is a particularly successful form of phishing attack because it plays on the user's trust of their mobile device and phone number. Smishing has accelerated greatly in recent years, and shows no sign of abating.

Vishing, or voice phishing, is a type of phishing attack in which the phisher, pretending to be a trusted organization, calls a target and attempts to get them to disclose sensitive personal or financial information over the phone. Vishing attacks often utilize Caller ID Spoofing to hide their real name and phone number.

Look for these phishing clues in the message:

• The sender (From address) is unknown, or the message is unexpected
• The sender appears to be someone you trust, but the domain is not legitimate
• The greeting and/or the content are generic
• There are grammar or spelling errors in the message
• The actual destination of the URL doesn't go to where it should or is unknown
• The message threatens you, tries to scare you or entices you with free offers
• There is an unexpected or suspicious attachment
• You are requested for private information like credentials or financial account numbers

To protect yourself from phishing attacks, run anti-malware software and keep it updated.

A phishing test is a form of cybersecurity training, where organizations send simulated phishing emails, also known as phishing tests, to their employees. These simulated phishing emails are designed to look like real phishing messages that employees might receive. Through the phishing tests, employees are taught both to recognize a phishing attack, and not to engage in risky behaviors related to unexpected or unsolicited messages (e.g., clicking on links, opening attachments and filling in web forms).

Phishing campaigns should be run frequently enough to test employees' cyber resilience to phishing and to expose them to the new phishing attacks that cyber criminals are constantly introducing. The consensus from security professionals is that a phishing campaign should be run at least monthly, and ideally more frequently.

Phishing training focuses on teaching employees how not to get phished. Phishing is one of the leading causes of cybersecurity incidents, so teaching about phishing is critical. However, phishing is only one of a multitude of cyber threats and cyber risks that employees face every day. Organizations whose only type of cyber security training for employees is phishing simulations leave themselves vulnerable to data breaches and cyber security incidents which could be caused a multitude of other cyber threats including weak, shared, or reused passwords, lost or stolen mobile devices, inappropriate use of cloud accounts, connecting unauthorized devices to the networks, and exposure of sensitive information, just to name a few.

1. A lack of stakeholder support or clear goals for the phishing program
2. Failing to communicate with employees prior to phishing program launch
3. Not establishing an initial baseline for the susceptibility of employee to phishing attacks
4. Conducting phishing campaigns too infrequently and without an organized plan
5. Embarrassing or punishing employees who were phished, or otherwise making phishing training punitive
6. Failing to provide follow-up training when an employee falls for a phishing test
7. Not regularly analyzing the results of phishing campaigns or performing deeper analysis on an annual basis

Ransomware is a type of malware (malicious software) that encrypts the files on a computer, but can also encrypt the computing system itself. The cyber criminal then demands that a ransom is paid to get the decryption key. Ransoms are usually required to be paid in a cryptocurrency, like Bitcoin. Another tactic ransomware attackers use is to threaten to sell or publish stolen sensitive data on the Dark Web, if the ransom is not paid. This tactic is used when the data holds intrinsic monetary value or its publishing could be embarrassing to the owner. More recently, ransomware attacks using the combination of these two tactics, called double extortion ransomware, have become more prevalent. In double extortion ransomware, files are exfiltrated before they are encrypted. A ransom is demanded to be paid for the data decryption key and then a second ransom is demanded in order to stop the exposure or selling of the exfiltrated data.

Focus on preventing, and preparing for, ransomware by implementing these cyber security best practices.

• Ransomware usually begins with an employee clicking on a phishing email link or opening a malicious attachment. The best cyber defense is to provide general security awareness training, as well as targeted phishing training, that teaches employees how to avoid phishing scams.
• Keep all end user software updated, including workstation operating systems, applications and browsers. Run anti-malware and other anti-phishing software. For IT infrastructure, keep all server, network and system software updated.
• Carefully configure servers, systems and networks, including changing default passwords, turning off unused services, and closing unneeded ports.
• Make frequent backups that are stored offline or on a separate cloud service. Test backups on a regular schedule to ensure that they can be accessed and recovered.
• Prepare a Cyber Incident Response Plan, including the people, processes, and technology, which will be implemented if a cybersecurity incident occurs. The Stop Ransomware website by the Cybersecurity & Infrastructure Security Agency (CISA) provides useful resources for combating ransomware including a downloadable ransomware prevention guide.

A Business Email Compromise (BEC) attack is a type of phishing attack, where a cyber criminal impersonates a business executive within an organization by sending an email to an employee asking them to take an action that will result in a business compromise. The wire transfer of funds to a malicious account, payment of a fraudulent invoice, or exposure of sensitive information are a few examples of the endgame of BEC attacks.