Making the move from the typical security awareness training approach to a powerful anti-phishing program isn’t an easy sell.
During our webinar focused on the Qadars Banking Trojan, there was a great deal of analysis provided on just how evasive the threat is. This begs the question: how does your team handle malware analysis?
It’s that time of year again.
A day of romance, crowded restaurants, overblown gestures of love, and…
Well. You get the idea.
For those of us in the security world there’s another, less enjoyable component to Valentine’s Day. Yes, even less enjoyable than trying to share a romantic meal while sitting less than a foot away from four other couples.
Yes, I’m talking about holiday-themed phishing scams. We’ve written about this precise topic many times before (including last Valentine’s Day) but so far we’ve never tackled the specific scams that surround this romance-centric annual event.
So before you send those Dutch-courage-fueled love notes, just take a moment to consider…
In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
You receive an email, you are unfamiliar with the sender’s name or email address, and they are offering you a new service or deal on something. Is it malicious? Not necessarily. Perhaps you forgot about signing up for a newsletter a while back.
If you’ve been following our blog for a while, you’ll already be aware of our stance on anti-phishing training.
Experience has taught us that the only way to reliably improve a user’s ability to spot and report phishing emails is to test them in the real world. To put it another way, they need to see realistic phishing emails in their inbox on a regular basis… and you need to put them there.
It’s tempting (oh so tempting…) to treat this as a gotcha exercise.
It’s not exactly a secret that most security awareness training programs are… less than effective.
Something about the 12-month gap between sessions, decade-old content, and total lack of user engagement seems to limit the potential for behavioral change.
We can’t imagine why.
But if you’re reading this, it’s a reasonable bet that you take security awareness more seriously than many of your peers.
Wouldn’t it be great if every one of your users could be turned into an anti-phishing specialist?
Like sleeper agents, they’d be ready at any moment to drop their day jobs and sniff out every last malicious email that makes it past your perimeter defenses.
It’s an enticing fantasy.
But is it reasonable to expect your users to become genuine anti-phishing experts? We think not.
'Tis the season for shopping, time spent with friends and family, and preparations to celebrate the holidays. As most of us plan for the coming season, cyber criminals are looking for opportunities to catch victims off guard and steal valuable personal information. People looking to supplement their gift-giving budget with a seasonal holiday job should take a close look at job listings before pursuing offers found online or in their email inboxes. Job scams target those looking for part-time holiday work, specifically aiming to steal personally identifiable information that is often requested on applications for employment. We have observed mass spam email-based job scams using branding from well-known retailers such as Target and Walmart that commonly offer seasonal employment.
Have the well-meaning recommendations of the security community made web users more vulnerable to cyber attacks? Have we conditioned people to be phished?
The HTTPS Paradox
You know that little green padlock symbol that appears in your browser’s URL bar every now and then? What do you think it means?