
The PhishLabs Blog

How To Fight the War Against Phishing

Posted by Dane Boyd on Feb 20, '18

Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.


Topics: Phishing, Employee Defense Training

Who Says Holiday Romance is Dead? Catphishers, That’s Who

Posted by Lindsey Havens on Feb 14, '18

It’s that time of year again.

A day of romance, crowded restaurants, overblown gestures of love, and…

Well. You get the idea.

For those of us in the security world there’s another, less enjoyable component to Valentine’s Day. Yes, even less enjoyable than trying to share a romantic meal while sitting less than a foot away from four other couples.

Yes, I’m talking about holiday-themed phishing scams. We’ve written about this precise topic many times before (including last Valentine’s Day), but so far we’ve never tackled the specific scams that surround this romance-centric annual event.

So before you send those Dutch-courage-fuelled love notes, just take a moment to consider…


Topics: Phishing, Spear Phishing, Employee Defense Training

How To Make Reporting a Phish So Easy Even Your Busiest Execs Will Do It

Posted by Dane Boyd on Feb 13, '18

Frustrating, isn’t it?

You design a powerful anti-phishing program, secure funding from your executive board, provide world-class training. You do everything right…

Oh, your users are probably spotting phishing emails. After all, they’ve engaged with the training, and seem to be taking it seriously.

But no matter how many times you remind them, they just won’t report those phishing emails.


Topics: Spear Phishing Protection, Employee Defense Training

7 Reasons Why Spotting a Phishing Email is Just the Beginning

Posted by Dane Boyd on Feb 6, '18

In most organizations, a user who can identify and delete phishing emails is considered a huge asset.

And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.

But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.


Topics: Phishing, Employee Defense Training, security awareness training

Why Failure Isn’t the Enemy in the Fight Against Phishing

Posted by Dane Boyd on Jan 29, '18

Training users to identify and report phishing emails is far from an overnight fix.

It takes time, persistence, and engagement to make a meaningful impact on user email behaviors.

But you already knew that, didn’t you? In fact, you probably already have a program in place to help users identify potentially malicious emails.


Topics: Employee Defense Training, security awareness training

How to Build a Business Case for Powerful Security Awareness Training

Posted by Lindsey Havens on Nov 29, '16

You're probably thinking security awareness training for employees is a no-brainer, that you shouldn't have to sell the idea up the ranks. However, with several other technology controls in place for securing your organization, you may be faced with a surprising "what's this...is this really necessary" when you slide that line item into next year's budget. 

So you re-consider what you have budgeted and entertain a once-a-year, check-the-box option to satisfy compliance needs. But how much will your organization benefit from this status-quo approach? 

Getting signoff for a security awareness training program that actually works can be much harder.

But it doesn’t have to be. With a little research and a few calculations, you can produce a business case for security awareness training that holds up even under purely financial scrutiny.

Here’s how.


Topics: Phishing, Employee Defense Training, security awareness training

Hitting Back Against Security Awareness Training Naysayers

Posted by Dane Boyd on Sep 13, '16

There’s a lot of talk in the security industry about the effectiveness of security awareness training for employees. Some highly respected members of the community have repeatedly asserted that it’s a total waste of money, and this sentiment seems to have picked up some momentum in recent years. 

In our last post we discussed human vulnerability in Why Your Users Keep Falling for Phishing Scams. People generally assume anything that makes its way into their inbox is a legitimate attempt to contact them. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does, too.

The argument against security awareness training goes that since normal users have no responsibility for network security, and they don’t understand the implications of their actions, it should be down to IT to create an environment in which users can’t harm the organization.

But we disagree.

The fact is that while that is a good target to aim for, it isn’t possible right now, and probably never will be.


Topics: Employee Defense Training, security awareness training

Why Your Users Keep Falling for Phishing Scams

Posted by Dane Boyd on Sep 7, '16

We’ve all been there. That awful moment, when you realize it’s happened again.

“Why do they never learn?” you ask yourself. “It really isn’t that hard!”

Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.

So why do they keep falling for phishing scams? Is it just complacency? Or something more?


Topics: Phishing, Spear Phishing, Employee Defense Training, security awareness training

Why Security Awareness Training – Alone – Doesn’t Solve the Spear Phishing Problem

Posted by Jon Hilfiger on Jul 14, '16

Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported ANOTHER three firms were hit by targeted phishing attacks – attacks that stole employees’ W-2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies, and much can be done to help enlist employees to be part of any company’s overall defense. Many CISOs have done just that: taken steps to ensure their employees are aware and work to reduce the likelihood of opening a malicious email. But this still isn’t solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years. But the attacks are still happening, and they are successful in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?


Topics: Threat Intelligence, Spear Phishing Protection, T2, Employee Defense Training

Top Five Phishing Awareness Training Fails

Posted by Dane Boyd on Jun 30, '16

Phishing awareness training is an essential security function. But while it may seem straightforward, training employees to spot phishing attacks is no simple task. Done poorly, phishing awareness training can be counterproductive and leave your organization more vulnerable instead of more secure. Here are 5 common pitfalls to avoid when training your users to spot and report phishing attacks.


Topics: Employee Defense Training, security awareness training


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
