Security awareness training is best accompanied by simulated phishing. The initial simulation establishes a baseline: the percentage of users who are phish-prone. Continue simulated phishing campaigns at least once a month; twice a month is better. Once users understand that they will be tested regularly, and that repeated failures have consequences, behavior changes. They develop a healthier skepticism and get much better at spotting a scam email. Simulations should not be blasts to all employees with the same text. What happens then is that one employee spots it and leans out of the cubicle to warn the others, so the test measures one person's alertness rather than everyone's. Instead, send different types of emails to small groups of users, and randomize both the content and the times they are sent.
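The campaign design above (small groups, varied lures, randomized send times, a baseline phish-prone rate, and follow-up on repeat failures) can be scripted. The following is an added example written for this page, not code from the original post or from any vendor platform; the user names, template names and campaign dates are constructed for the example.

```python
"""Randomized phishing-simulation scheduler (added example, not the post's code).

Splits a user list into small groups, gives each group a randomly chosen
lure template and a random send time inside business hours, computes the
phish-prone percentage from campaign results, and lists users who failed
repeatedly. All names, templates and dates below are constructed.
"""
import random
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and lure templates).
USERS = ["ann", "bob", "cai", "dee", "eve", "fay", "gus", "hal", "ida"]
TEMPLATES = ["invoice-overdue", "password-reset", "shared-document"]
CAMPAIGN_START = datetime(2024, 3, 4)  # a Monday, 00:00


def schedule_campaign(users, templates, start, days=5, group_size=4, seed=None):
    """Return a list of (send_time, template, [users]), sorted by send time.

    Users are shuffled and split into groups of at most `group_size`; each
    group gets a template chosen at random and a send time drawn uniformly
    from 09:00-16:59 on one of the next `days` days. Different groups
    therefore see different lures at different moments, so one alert user
    cannot warn the whole floor about a single identical blast.
    """
    rng = random.Random(seed)  # seedable so a plan can be reproduced
    shuffled = list(users)
    rng.shuffle(shuffled)
    plan = []
    for i in range(0, len(shuffled), group_size):
        group = shuffled[i:i + group_size]
        template = rng.choice(templates)
        day = rng.randrange(days)
        minute = rng.randrange(9 * 60, 17 * 60)  # minutes after midnight
        send_time = start + timedelta(days=day, minutes=minute)
        plan.append((send_time, template, group))
    plan.sort(key=lambda entry: entry[0])
    return plan


def phish_prone_percentage(results):
    """results: dict user -> True if the user clicked or entered credentials."""
    if not results:
        return 0.0
    failed = sum(1 for clicked in results.values() if clicked)
    return round(100.0 * failed / len(results), 1)


def repeat_offenders(history, threshold=2):
    """history: list of per-campaign result dicts (oldest first).

    Returns users who failed at least `threshold` campaigns, i.e. the
    people to route to targeted retraining rather than another generic module.
    """
    counts = {}
    for results in history:
        for user, clicked in results.items():
            if clicked:
                counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo_plan():
    """Plan for the constructed sample, with a fixed seed for reproducibility."""
    return schedule_campaign(USERS, TEMPLATES, CAMPAIGN_START, seed=7)


if __name__ == "__main__":
    for send_time, template, group in demo_plan():
        print(send_time.strftime("%a %H:%M"), template, ", ".join(group))
    baseline = {"ann": True, "bob": False, "cai": False, "dee": True}
    print("phish-prone:", phish_prone_percentage(baseline), "%")
```

The seed exists only so a plan can be regenerated for an audit; in production leave it unset so send times are not predictable. Group size and the business-hours window are the knobs to tune: smaller groups and a wider window make the campaign harder to spot by word of mouth.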
Security awareness training should include teaching people to watch for red flags. In emails, for example, look for awkward wording and misspellings. Be alert for slight alterations of company names, such as Centriffy instead of Centrify or Tilllage instead of Tillage. Attackers have gotten good at registering spoofed email addresses and URLs that are very close to real corporate addresses but differ by a character or two, so compare the sender's actual domain with the one you expect rather than trusting the display name. Another red flag is sudden urgency or a time-sensitive request. Scammers typically manufacture some rush factor to pressure otherwise reliable staff into acting before they think. Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI.
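The two red flags above, lookalike sender domains and urgency phrasing, can be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example written for this page, not code from the original post; it uses Centrify and Tillage only because the post names them, and the protected-domain list, homoglyph table, sample headers and thresholds are all constructed assumptions.

```python
"""Lookalike-domain and urgency-phrase checks for inbound mail (added example).

Compares the sender's registrable domain against a watch-list of protected
domains using homoglyph normalization plus Levenshtein edit distance, and
scans subject and body for the urgency phrases the post lists. Watch-list,
homoglyph table and sample messages are constructed for this example.
"""
from email.utils import parseaddr

# Constructed watch-list; in practice, your own brand and key suppliers.
PROTECTED_DOMAINS = ["centrify.com", "tillage.com"]

# Phrases the post cites (attributed there to the FBI) as common BEC lures.
URGENCY_PHRASES = [
    "code to admin expenses", "urgent wire transfer",
    "urgent invoice payment", "new account information",
]

# Visual substitutions attackers use; multi-character entries come first so
# "rn" collapses to "m" before single characters are mapped.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Lower-case a DNS label and undo common homoglyph substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic two-row edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels, e.g. mail.centrify.com -> centrify.com.

    Crude on purpose: it is wrong for multi-part public suffixes such as
    .co.uk; a real deployment should use the Public Suffix List.
    """
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain that `domain` imitates, or None.

    An exact registrable match (including subdomains of it) is legitimate.
    Otherwise the second-level labels are homoglyph-normalized and compared
    by edit distance; a distance within `max_distance` is flagged. This also
    catches TLD swaps such as centrify.co, because the labels are identical
    but the domain is not on the list.
    """
    dom = registrable(domain)
    if dom in protected:
        return None
    for good in protected:
        a = normalize(dom.split(".")[0])
        b = normalize(good.split(".")[0])
        if levenshtein(a, b) <= max_distance:
            return good
    return None


def urgency_hits(text):
    """Urgency phrases present in `text`, case- and whitespace-insensitive."""
    flat = " ".join(text.lower().split())
    return [p for p in URGENCY_PHRASES if p in flat]


def score_message(from_header, subject, body):
    """Return (verdict, flags) for one message.

    Verdicts: 'quarantine' for a lookalike sender domain, 'review' when
    only urgency language is present, 'ok' otherwise.
    """
    _, addr = parseaddr(from_header)   # ignore the display name entirely
    domain = addr.rpartition("@")[2]
    flags = []
    target = lookalike_of(domain) if domain else None
    if target:
        flags.append(f"sender domain {domain} resembles {target}")
    hits = urgency_hits(subject + " " + body)
    if hits:
        flags.append("urgency phrases: " + "; ".join(hits))
    verdict = "quarantine" if target else ("review" if hits else "ok")
    return verdict, flags


# Constructed sample messages exercising each path.
SAMPLE_MESSAGES = [
    ("Accounts Payable <ap@centriffy.com>", "Urgent invoice payment", "Please pay the attached today."),
    ("Jane Doe <jane@tilllage.com>", "Re: wire", "Need an urgent wire transfer before noon."),
    ("IT Helpdesk <help@centrify.com>", "Monthly newsletter", "Here is what is new this month."),
    ("Boss <boss@example.com>", "Quick favor", "Send me the new account information for the vendor."),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLE_MESSAGES:
        verdict, flags = score_message(frm, subj, body)
        print(f"{verdict:10} {frm:40} {'; '.join(flags)}")
```

The edit-distance threshold is the main false-positive knob: at distance 2, short brand names will collide with ordinary words (tillage vs. village), so pair this with an allow-list of known partner domains and treat the output as a triage signal, not a block list on its own.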
Next time…Resolution and Restitution…till then Think Before You Click!
Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584