Last week’s sweeping phishing scam impersonating a Google Docs request underscored a critical point in cybersecurity: Your defense against phishing is largely in the hands of your end-users. It’s an important reminder that “think before you click” isn’t just a helpful saying, it’s actually an important barrier between your data and the cyber-criminals targeting it.
Make no mistake, the Google Docs phishing scam was a savvy one and it fooled many, many smart end-users.
The message looked legitimate, supposedly came from a known contact, and didn’t include any of the common red flags of a phishing attack. And in this case, it didn’t use fake websites or malware, but instead it tricked the users into granting permission to a third-party application.
And no firewall, anti-virus or anti-malware software can counteract an end-user letting a hacker waltz through the front door, grabbing up data as he goes.
It was social engineering at its best, to the detriment of those unsuspecting end-users.
Which of course raises the question: how is it possible to avoid a scam this sophisticated?
Tips for Avoiding Modern Phishing Attacks
While there are no foolproof methods to be applied here, the best way to bolster your defenses against all varieties of phishing is through awareness, training and education. “Think before you click” means truly training end-users to resist that urge to click, as strong as it may be.
Instead, you should take a step back and consider the following any time links or attachments are in play:
- Were you expecting to receive that link or attachment from that contact?
- Does anything about the message seem “off?”
- What URL is revealed by hovering over (NOT clicking) the link or button?
- Are your instincts telling you to doubt this message?
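The hover check in the list above (compare where a link says it goes with where it actually points) is something a mail gateway or a security team can also automate for HTML messages. The following is an added example written for this post, not code from the original article or from Corsica: it parses a constructed sample email body with the Python standard library, pairs each anchor's visible text with its `href`, and flags links whose visible text names one domain while the target is another. The domain comparison uses a crude "last two labels" approximation, an assumption noted in the code, rather than a public-suffix list.

```python
"""Added example (not from the original post): flag links whose visible text
does not match where they actually point, which is the check a user performs
by hovering over a link. The sample HTML below is constructed for this demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body: one honest link, one link whose
# visible text is a URL on a different site than its href, and one link whose
# visible text is a bare domain that disagrees with the target host.
SAMPLE_EMAIL_HTML = """
<p>Hi, please review the shared file:</p>
<a href="https://drive.google.com/open?id=abc">Open in Google Drive</a><br>
<a href="http://docs-google.example-login.test/verify">https://docs.google.com/document/d/abc</a><br>
<a href="https://accounts.example.test/oauth">accounts.google.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lower-cased host named by a URL or a bare domain, or None."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # let urlparse treat a bare domain as the netloc
    host = urlparse(value).hostname
    return host.lower() if host else None


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is consulted, so suffixes such as
    co.uk are not handled; good enough to show the mismatch check."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return the hrefs whose visible text names a domain that differs from
    the domain the link really points to. Plain-word link text is not flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text)
        if shown and "." in shown and target and registrable(shown) != registrable(target):
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_EMAIL_HTML):
        print("visible text disagrees with link target:", href)
```

Only links whose visible text looks like a domain or URL are compared; a link labelled "Open in Google Drive" carries no claim about its destination, so the reader still has to hover and read the real URL. The check is a triage aid, not a verdict: a flagged link deserves the "contact the sender" step described below rather than a click.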
If there is any doubt at all, the best course of action is to first contact the sender and confirm that they actually sent it. While this represents an extra step, it’s a critical one that can mean the difference between a close call and a costly attack.
If you receive a message that cannot be verified directly with the sender, a “when in doubt, throw it out” mindset is a good one.
Other best practices for defending against phishing include:
Have Strong Protocols in Place for Financial Transaction Requests
We also strongly recommend that businesses adopt standards requiring phone or in-person verification before any request for a financial transaction is acted on. Spear phishing emails are extremely difficult to spot, but if you have a two-step process in place already, you will be protected against financial loss resulting from clever email spoofing.
Enable Two-Factor Authentication
Two-factor authentication (sometimes also referred to as multi-factor authentication) is a helpful tool as well, because it requires that a second piece of information (a code or PIN) be entered if someone attempts to log into your account from an unknown device. That second piece of information is sent to another trusted device, typically a mobile phone. In this way, you can prevent unauthorized access even if your password is lost or stolen.
Adopt a Culture of Cyber Awareness
Your team can’t stay vigilant against what they don’t know.
But cybersecurity is now every employee’s responsibility, because targeted attacks arrive directly in their inboxes. So circulate educational materials, find training opportunities, and keep security best practices and tips top-of-mind for everyone in the company.
It only takes one bad click to let a hacker into the network, so even one uneducated end-user represents a threat to the heart of your business.
This includes giving team members the flexibility (and time) to verify questionable messages before responding.
A Healthy Dose of Skepticism Goes a Long Way
Above all else, staying cautious – even skeptical – about emails is a good plan.
(That includes accepting that if something sounds too good to be true, then it definitely is. People don't just give away money or trips or expensive electronics via the internet!)
And I'll give you a real world example. I actually happened to receive one of the Google Docs phishing emails. It was from a contact that I knew and had corresponded with via email numerous times before.
But never, in the entire time that I’ve known her, has she ever sent me an invitation to a Google Doc.
And while I did consider clicking (because I'm human), I paused, reconsidered, and ultimately decided that it was probably not prudent to click on that invitation, because it just didn’t fit with any past behaviors. (And wow, am I breathing a sigh of relief that I didn't!)
So even though you’re dealing with the gray area of human behavior, if you train yourself and your staff to approach messages skeptically, in particular those that don’t fit the norm or just seem "off" even in the slightest way, the end result is a much stronger defense for your data.
A Multi-Layered Approach to Network Security is a Must
There is no "one and done" solution for cybersecurity anymore. No one feature alone is going to prevent an attack, which is why a modern network security plan has to adopt a layered approach. This includes firewalls, anti-virus, anti-spam, patch management, employee training and education, data backup management and even regular maintenance of your technology.
Alone, no one component is enough to fully protect you. But in concert, all of these layers will work together to create the best possible defense system for the lifeblood of your business.
Corsica's managed IT service customers all benefit from our industry-leading network security tools and practices, including bare metal backups for all servers and desktops on the network, managed firewall security solutions, anti-spam and anti-virus that integrates with our monitoring software, and more. To learn more about Corsica's Network Security solutions, click here.
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get new useful tech news you can use.