If you aren't yet running phishing simulations across your company, it's time. 29% of data breaches involve phishing (source: Verizon) -- it's a problem worth resolving. We've covered phishing extensively on this blog. Everything from our top 113 favorite phishing simulation emails, to simple steps to help your team identify fraudulent emails, to this advanced guide showing 7 techniques we use to sniff out phishing. However, we think we've overlooked an important topic: what to do when an employee clicks a link on a phishing simulation email. Here are your options.
When a company’s phishing simulation emails land in the news headlines, that’s a bad thing. The recent news out of GoDaddy about a phishing a simulation email that claimed to be a holiday bonus is a prime example. So is the example out of Tribune Media a few months ago. Although we don’t know the particulars about what motivated those particular phishing simulations, we do know that they were not well received, and that there are much more appropriate strategies readily available. Here are four strategies that we recommend to our clients, and that we help them implement by leaning on our massive bank of preconfigured phishing email templates (113 phishing simulation email examples).
There are some easy email security best practices to follow when it comes to tagging emails that come in from external sources. This has become a huge topic recently because the increase in phishing attacks has made it incredibly important for employees to know whether a particular email came from an internal sender (e.g., your boss) versus an external sender (e.g. someone pretending to be your boss). Helping employees very easily distinguish between the two can be the difference between falling for a phishing attack versus staying safe.
Spear phishing training is an effort to fend off the most devious form of phishing: spear phishing. Spear phishing is a phishing attack that is targeted at an individual. Not a phishing attack claiming to be from Citibank sent to a million random recipients on the hope that some of them are Citibank customers. Not a phishing attack claiming to be package delivery information from UPS sent to hundreds of thousands of email addresses. A phishing attack whose message body is unique to one person, containing context relevant to that one person.
A few years ago this type of attack was talked about but not frequently seen in the wild: now it's seen by most of our clients, most months, but with some predictable patterns worth addressing via training. This post is our first shot at describing what we think that training looks like.
Smishing is on the rise, but every time we post a smishing example on this blog we strive to do our part in helping to share the "pattern recognition" tips that make unsafe messages obvious. Today is another one of those days: we've got a typical smishing example for you, but we'll dissect it in great detail including at least seven warning signs that the message is probably unsafe. None of these seven warning signs are so strong that they would (individually) predict with 100% accuracy that the message is unsafe. However, when considered as a group, it becomes pretty obvious that this particular message is a smishing attempt.
What makes a great phishing simulation email? We'll share our perspective, and reveal the top 113 phishing simulation emails that we use at Havoc Shield.
We learn as kids not to talk to strangers, but as adults, we sometimes forget this lesson when we engage with emails. That's why it is so crucial to put email security best practices in place in order to protect your data, customers and company as a whole.
UNC Path Injection is an attack that we consider to have originated in the 1990s. It's exact origins are difficult to trace, but the mid-1990s were a period of tremendous growth in terms of adoption of the Windows NT operating system, and anecdotally that seems to be the operating system that some of the early UNC Path Injection attacks occurred on.
Phishing training requires a holistic approach that is often overlooked by companies racing to "check the box" in terms of offering training on this increasingly important topic. A big mistake would be to treat phishing training the way that companies treat many other kinds of training. We've heard of far too many company training events that involve a manager speaking for 30 minutes, with slides in the background, followed by everyone going back to what they were doing.
If that approach sounds a bit like what your company does for phishing training, please read on.
Business Email Compromise is an interesting waiting game. At first, it might involve a high degree of patience on the part of the cyber attacker, but then, an incredible amount of urgency. That pattern is central to some of the most effective Business Email Compromise attacks we've seen. We'll explain.