Security awareness is important to any organization, particularly awareness about phishing and social engineering. However, no matter how much online training and how many quizzes are assigned, phishing simulation tests, when done right, provide you with a reality check about how effective your security awareness efforts really are. If you had to train staff about what to do in case of a fire, would simply showing them an evacuation plan and explaining to them the relevant procedures be sufficient?
CEO fraud is a type of Business Email Compromise (BEC) in which the malicious actor pretends to be a figure of high authority, often the CEO, to try to get an employee to transfer funds to the attacker's account or divulge sensitive information. CEO fraud is one of the most common types of phishing and social engineering attacks faced by organizations, since employees are hard-wired to follow orders from authority figures with little question.
Typosquatting phishing, also known as typo-phishing or typo-scamming, is a form of phishing in which a cyber-criminal relies on users making typos when manually typing a URL, so that they land on a different website instead. More commonly, the malicious party relies on the human eye's inability to tell two similar Iooking characters apart when sending a phishing link. For example, while reading this definition, did you notice that the word “looking” has been spelled incorrectly with a capital ‘i’?
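To make the look-alike trick concrete, here is an added example (written for this page, not code from the original post or from PhishDeck) that checks a hostname a user is about to visit against a known brand domain. It first collapses confusable glyphs (capital I, digit 1, Cyrillic letters, the "rn" digraph) into a common skeleton, and only then falls back to an edit-distance check for plain typos such as a dropped letter or a transposed pair. The confusables table, the thresholds and the domain names are constructed for the example and are not exhaustive; it goes slightly beyond the text by covering Cyrillic homoglyphs as well as Latin ones.

```python
"""Detect look-alike (typosquatting / homoglyph) hostnames against a known brand."""
import unicodedata

# Constructed table of glyphs that are easy to confuse in common UI fonts.
# Keys are the look-alike characters, values are the Latin letter they imitate.
HOMOGLYPHS = {
    "I": "l", "1": "l", "|": "l",                 # capital i, one, pipe -> lower-case L
    "0": "o",                                     # zero -> o
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0455": "s",  # Cyrillic r(p), s(c), dze(s)
    "\u0456": "i", "\u0443": "y", "\u0445": "x",  # Cyrillic i, u(y), ha(x)
}
DIGRAPHS = {"rn": "m", "vv": "w"}                 # two glyphs that render like one letter


def skeleton(label: str) -> str:
    """Canonical form of a hostname: look-alikes collapse to the same string.

    Case is folded AFTER the homoglyph map so that a capital 'I' used in place of
    'l' (as in 'Iooking') is caught instead of being turned into a plain 'i'.
    """
    s = unicodedata.normalize("NFKC", label)       # fold full-width and compatibility forms
    s = "".join(HOMOGLYPHS.get(c, c.lower()) for c in s)
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, brand: str, max_typo_distance: int = 2) -> str:
    """Compare a hostname the user sees with a known brand domain.

    Returns 'exact', 'homoglyph' (same skeleton, different characters),
    'typo' (within a small edit distance) or 'unrelated'.
    """
    shown = unicodedata.normalize("NFKC", candidate.strip().rstrip("."))
    if shown.lower() == brand.lower():
        return "exact"
    if skeleton(shown) == skeleton(brand):
        return "homoglyph"
    if edit_distance(shown.lower(), brand.lower()) <= max_typo_distance:
        return "typo"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of links a user might be shown, checked against one brand.
    for host in ("example.com", "examp1e.com", "exarnple.com", "\u0435xample.com",
                 "exampel.com", "example.co", "github.com"):
        print(f"{host:18s} -> {classify(host, 'example.com')}")
```

The check is meant for the display form of a hostname, because that is what the lure shows the user. If you are working from DNS or logs, internationalized labels arrive as punycode (`xn--...`); decode each such label with `label.encode("ascii").decode("idna")` before calling `classify`. A fixed edit-distance threshold is crude: for very short brand names lower it to 1, otherwise unrelated short domains will be flagged as typos.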
Phishing has many faces. Criminals keep inventing new social engineering techniques to steal money or valuable information from their victims. They come up with new ideas, follow trends, and make use of new technologies to make attacks more efficient. Here are the top 5 phishing techniques in use by criminals today and the dangers associated with them.
1. Classic email phishing
Phishing is not as old as email itself, but it is pretty old.
We’re excited to announce new Training, Slack and Generic Webhook integrations in PhishDeck, allowing you to get alerted on Campaign events and redirect Targets to security awareness training.
Training integration
You can now set up a training URL to redirect Targets to a training page of your choice in the event of credentials being entered.
Slack and Generic Webhook
PhishDeck now allows you to configure Slack notifications to alert you when Targets click links and, more importantly, enter credentials in phishing simulation tests.
The need to keep information safe has made people more aware of the importance of securing their accounts. Passwords by themselves are no longer sufficient for this purpose: users often pick easy-to-guess passwords and, worse still, reuse them across multiple accounts. To further complicate the situation, password breaches allow malicious actors to easily obtain login information, including passwords.
The easiest way to improve the minimal security provided by a password or passphrase is by enabling two-factor authentication (2FA) on your accounts.
Realtime phishing, also referred to as Man-in-the-Middle (MitM) phishing, is a phishing technique in which the victim is tricked into connecting to a proxy server (a server that acts as an intermediary) controlled by the attacker. The proxy relays traffic between the victim’s browser and the legitimate website in real time: to the victim, the realtime phishing proxy pretends to be the legitimate website, and to the legitimate website, it pretends to be the legitimate user. Because everything the victim types, including one-time codes from an authenticator app or SMS, is forwarded and used straight away, this technique is not stopped by those forms of two-factor authentication; only credentials bound to the site’s origin, such as FIDO2/WebAuthn security keys, fail to relay.
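As an added example that is not part of the original posts or PhishDeck’s own code, the following Python simulation plays out the exchange behind both the 2FA passage and the realtime phishing passage above: a legitimate site, a victim’s browser (with its authenticator app and security key), and an attacker’s relay proxy. It goes beyond the text in one respect: besides a password plus TOTP login it also models an origin-bound factor in the style of WebAuthn, where the browser signs the origin it is actually connected to. The names (login.example.com, login.examp1e.com, alice), the fixed clock, plaintext credential storage and the HMAC stand-in for a security key’s signature are assumptions made to keep the example self-contained; the TOTP routine itself follows RFC 6238.

```python
"""Realtime (MitM) phishing relay against a TOTP login and an origin-bound login."""
import hashlib, hmac, secrets, struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed name for the real site
PROXY_ORIGIN = "https://login.examp1e.com"   # assumed attacker-controlled look-alike

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class LegitimateSite:
    origin = LEGIT_ORIGIN
    def __init__(self, clock):
        self.clock = clock
        self.users = {}        # username -> secrets (plaintext only to keep the demo short)
        self.challenges = {}   # username -> outstanding challenge
        self.sessions = {}     # session token -> username

    def register(self, user, password, totp_secret, cred_key):
        self.users[user] = {"password": password, "totp": totp_secret, "key": cred_key}

    def _session(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def login_totp(self, user, password, code):
        """Password + TOTP; tolerates one step of clock drift either side."""
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        now = self.clock()
        if not any(hmac.compare_digest(code, totp(u["totp"], now + d * 30)) for d in (-1, 0, 1)):
            return None
        return self._session(user)

    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_origin_bound(self, user, signature):
        """WebAuthn-style check: the server recomputes over ITS OWN origin, so a
        signature the browser produced for the proxy's origin does not verify."""
        u, chal = self.users.get(user), self.challenges.pop(user, None)
        if not u or chal is None:
            return None
        expected = hmac.new(u["key"], f"{chal}|{self.origin}".encode(), hashlib.sha256).hexdigest()
        return self._session(user) if hmac.compare_digest(expected, signature) else None

class RelayProxy:
    """The attacker's proxy: forwards each request to the real site and records it."""
    origin = PROXY_ORIGIN
    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []     # (user, password, code, session token issued by the real site)

    def login_totp(self, user, password, code):
        token = self.upstream.login_totp(user, password, code)
        self.captured.append((user, password, code, token))
        return token

    def challenge(self, user):
        return self.upstream.challenge(user)

    def login_origin_bound(self, user, signature):
        return self.upstream.login_origin_bound(user, signature)

class Victim:
    """Browser plus the user's authenticator app and security key."""
    def __init__(self, user, password, totp_secret, cred_key, clock):
        self.user, self.password, self.clock = user, password, clock
        self.totp_secret, self.cred_key = totp_secret, cred_key

    def login_with_totp(self, site):
        return site.login_totp(self.user, self.password, totp(self.totp_secret, self.clock()))

    def login_with_key(self, site):
        chal = site.challenge(self.user)
        # The browser binds the assertion to the origin it is really connected to.
        sig = hmac.new(self.cred_key, f"{chal}|{site.origin}".encode(), hashlib.sha256).hexdigest()
        return site.login_origin_bound(self.user, sig)

def run_scenarios():
    """Return which logins succeeded and whether the proxy ended up holding a live session."""
    def clock():
        return 1_700_000_000.0   # fixed clock so both sides compute the same TOTP step
    site = LegitimateSite(clock)
    totp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    site.register("alice", "correct horse", totp_secret, cred_key)
    alice = Victim("alice", "correct horse", totp_secret, cred_key, clock)
    proxy = RelayProxy(site)
    return {
        "totp_direct": alice.login_with_totp(site) is not None,
        "totp_via_proxy": alice.login_with_totp(proxy) is not None,
        "proxy_holds_live_session": proxy.captured[-1][3] in site.sessions,
        "key_direct": alice.login_with_key(site) is not None,
        "key_via_proxy": alice.login_with_key(proxy) is not None,
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'succeeded' if ok else 'rejected'}")
```

Running it shows the asymmetry the text describes: the TOTP login succeeds both directly and through the proxy, and after the relayed attempt the proxy holds a session token the real site accepts, so the code the victim typed bought the attacker nothing less than the victim got. The origin-bound login succeeds directly but is rejected through the proxy, because the browser signed login.examp1e.com while the real site verifies against login.example.com. A real security key would use a public-key signature rather than an HMAC, but the origin check that defeats the relay is the same.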
Running phishing tests, also commonly referred to as phishing simulations, helps you to identify and track weaknesses and points of improvement in your security awareness program. Phishing tests can also help identify the types of phishing attacks that are most successful against your organization.
However, if handled incorrectly, phishing tests can easily leave people feeling hard done by. They may come across as “unethical” or “unfair”, and can leave your colleagues with a bitter taste in their mouths.
Simulated phishing attacks provide an effective way to help identify, track and measure weaknesses and improvements in your security program as they relate to phishing and social engineering. Phishing simulation can also help you identify which types of phishing attacks are most successful against your organization and which groups of employees to focus more on as part of your security awareness training efforts.
There are several ways to run phishing simulation exercises across your organization.
The annual release of the Verizon Data Breach Investigations Report (DBIR) has personally been one of my most anticipated “news” releases of the year since 2016. It’s a great opportunity to take a macro and micro view of how cybersecurity is impacting our social and economic activities, in a format that lends itself well to answering nuanced questions.
This year’s report definitely extrapolates trends from previous years, and the purpose of this opinion piece is not to tell you how bad phishing and social engineering are — we all know that.