Wouldn’t it be great if every one of your users could be turned into an anti-phishing specialist?
Like sleeper agents, they’d be ready at any moment to drop their day jobs and sniff out every last malicious email that makes it past your perimeter defenses.
It’s an enticing fantasy.
But is it reasonable to expect your users to become genuine anti-phishing experts? We think not.
After all, they have their own jobs to do, and have limited time available to learn about security best practices.
Equally, though, it’s unreasonable to expect generic, high-level security awareness training to change user security behaviors. And if you attempt to cover absolutely everything in your anti-phishing training program, that’s exactly what you’ll wind up creating.
The solution is simple: Identify the anti-phishing tactics, strategies, and behaviors that provide the desired results… and build your program around them.
No fluff. No filler.
Just proven, fundamental skills that will enable an average user to spot and report the vast majority of phishing attacks.
User-reported emails can be monitored and analyzed in real-time and provide intelligence to better protect your organization. Attend the free, live Threat Monitoring Webinar to learn more.
The 5 Commandments of Anti-Phishing
When you analyze millions of phishing emails over the course of more than a decade, you start to realize that the vast majority of phishing emails share a number of common features.
Sure, some phishing emails are so sophisticated that even real experts might be fooled… but that isn’t the norm. Most phishing emails, no matter how well put together, can be identified using a handful of core anti-phishing skills.
So without further ado, here are the top five skills we think form the core of any high-quality anti-phishing program.
1) Spotting Errors
Think about some of the worst phish you’ve seen. If we had to guess, we’d say they were full of typos, misspelled words, and grammatical errors that would make even the most laid back English teachers wince.
Now of course, not every phishing email reads like it was written by a ten year old foreign exchange student. Equally, the presence of errors in an email certainly doesn’t guarantee malicious intent.
But what we’re looking for here are clues. For the most part, communications sent by business professionals don’t contain a whole lot of simple mistakes, particularly now that spell checkers have become the norm.
At the same time, a large proportion of malicious emails are written by non-native English speakers, particularly those from Russia, India, Eastern Europe, and India. Hardly surprising, then, that malicious emails routinely contain simple errors that would usually be found in legitimate communications.
The upshot: While not damning, the presence of one or more simple errors should be enough to put a savvy user on their guard.
2) Spotting Pretexts
A pretext, quite simply, is a reason given to justify the need for action that isn’t the real reason. In the context of phishing, a common example might look similar to the following:
“There has been unusual activity on your XYZ account. Please login using the following link to change your password.”
In this case, a fake reason (unusual account activity) is used to obtain the desired result: Convincing the victim to login using a fake link, thereby compromising their credentials.
Almost all malicious emails are designed to elicit action from intended victims, and some form of pretext is typically used to do so. As a result, teaching your users to identify pretexts is huge in the fight against phishing.
3) Examining Sender Info
Since the vast majority of emails that make it into business inboxes are legitimate, many users pay very little attention to the sender’s details.
Unfortunately, this places them at significant risk of being hoodwinked by phishers.
For instance, take a look at the email below:
At first glance, it might seem OK. Not the most sophisticated phishing email you’ll see, certainly, but it could conceivably catch off guard a busy person checking their email between meetings.
But if an average user were to stop for a moment, and take a look at the sender’s details, alarm bells would surely start to ring. Would an Oxfam employee really have an email address at gmail.com?
And in many cases, senders have even less believable email addresses, hidden behind seemingly legitimate display names.
4) Examining URLs
Of course, not all clues are right out in the open. Since many phishing emails seek to convince victims to follow malicious links, URL analysis can be an incredibly powerful tool in the arsenal of our everyday anti-phishing heroes.
And it really isn’t as complex as you might think. Users may initially be intimidated at the thought of analyzing URLs, but with very minimal training they will have all the information they need to start spotting potentially malicious links.
For more information, check out this short video we released during National #CyberAware Month.
5) Reporting a Phish
And here we have it. All at once the simplest, yet most important behavior to instill in your users.
Quite simply, if you can’t convince your users to report phishing emails, rather than simply deleting them, you’ll be forfeiting a huge part of the ROI from your anti-phishing program.
Prompt reporting of phishing emails gives you the opportunity to quarantine similar emails before they are opened. They provide you with free, real-world examples to use in the course of your training. They help you understand the phishing landscape, enabling you to tighten technical defenses such as spam and content filters.
Deleted phishing emails afford you none of these benefits.
Reduce Overwhelm, Maximize Results
If your users can master the five skills listed above, and you make good use of the all the reported phishing emails you receive from them, we absolutely guarantee you’ll have a world class anti-phishing program.
Yes, there are other skills that can be helpful in the fight against phishing, and yes, some phishing emails are so sophisticated that no average user could ever be expected to identify them.
But the vast majority of phishing emails aren’t created by nation state APT groups, or world-class hackers. They’re produced by financially motivated individuals or groups, often from other countries, and are designed to fool average users.
And with focused, consistent anti-phishing training, the vast majority of incoming phishing attacks can be thwarted.