The Human Firewall

A recent study by a Security Awareness Training platform found that, on average, 25% of employees at small banks clicked on phishing emails (the rate for bigger banks was even worse!).

Ransomware (malware that encrypts your data and offers a decryption key only if you pay a ransom) continues to be a threat to banks. It can arrive through links in emails, as hidden code in email attachments, or embedded in seemingly safe websites. Since technology cannot filter out every source of malware, it is critical to train employees to recognize and avoid these hidden traps. A well-designed Security Awareness Training program turns everyone in your company into a “human firewall.”

What does an effective training program look like?

An effective Security Awareness Training program should use real-life examples to illustrate the danger of social engineering and the importance of constant vigilance in avoiding malware infections. The training should be attended by everyone in your organization who uses email or the internet, repeated at least annually (we recommend every six months), and built into the standard onboarding process for new employees.

To ensure that the training “takes,” the program should include regular social engineering tests. The easiest way to do this is to use a service to send your own unannounced phishing emails to see who “clicks.” 

In the programs that we administer at RESULTS Technology, we typically see about a 15 percent hit rate on phishing emails sent out before training is initiated. This drops dramatically to less than five percent after training is completed. Over time the hit rate creeps back up, so it is important to refresh training regularly.

Here are a few training tips to pass along to get your program going:

  • Do not open attachments unless you are 100 percent certain of the sender and the purpose of the attachment. When in doubt, pick up the phone and call. 
  • Never click embedded links in messages without hovering your mouse over them first to see where they really go; the visible text and the actual destination are often different.
  • Look for “fake” domains. Ownership is decided by the rightmost labels of the host name, so www.microsoft.com and www.support.microsoft.software.com are two different domains (only the first is an actual Microsoft site; the second belongs to whoever owns software.com).
  • Always check the e-mail ‘From’ field, but do not rely on it alone: both the display name and the ‘From’ address can be spoofed, so a familiar sender is a hint, not proof.
  • Do not “unsubscribe” from unsolicited mail; clicking the link confirms that your address is live and may take you to a malicious site. It is easier and safer to delete the e-mail than to deal with the security risks.
  • Do not respond to spam in any way. Use the Delete button.
  • Do not open any e-mail attachments that end with: .exe, .scr, .bat, .com, or other executable files you do not recognize.
  • Always check for so-called ‘double-extended’ scam attachments. A text file named ‘safe.txt’ is safe, but a file called ‘safe.txt.exe’ is a program, not a text file. Windows hides known file extensions by default, so ‘safe.txt.exe’ can show up in Explorer as ‘safe.txt’; turn off “Hide extensions for known file types” so the real extension is always visible.
  • Alert co-workers and friends of suspicious emails. RESULTS provides its employees with a Microsoft Outlook Plug-In called Catch Phish. This gives them a quick, easy way to analyze a potential phishing attempt and report it to the rest of the staff.
  • Do not whitelist (allow-list) your own domain in your spam filter; attackers can spoof your domain in the ‘From’ address, and an allow-listed domain lets those messages bypass filtering entirely.
  • Do not respond to chain e-mails; replying signals to potential attackers that you read and act on unsolicited mail, which makes you a more attractive target for targeted phishing.
  • Let employees know that they are being tested. There’s nothing as embarrassing as being the one employee caught in a phish test. You can even have a little fun with it. At RESULTS, if someone clicks on a phishing test, they are the lucky recipient of our “Fish Trophy” (a Big Mouth Billy Bass that sings “Take Me to The River”). It’s embarrassing but fun.
  • If you suspect a malicious sender, paste the full message headers into a header analyzer such as https://mxtoolbox.com/EmailHeaders.aspx. The headers record the mail servers the message actually passed through and the authentication results (SPF, DKIM, DMARC) your mail server recorded, which are much harder to forge than the visible ‘From’ address.
  • If you are expecting an attachment but are not 100% sure of its safety, another free tool will help analyze it: https://www.virustotal.com/gui/home/upload. Do not upload documents containing sensitive PII, since files submitted there are shared with security vendors and researchers; but if you want to know whether a file is already known to be malicious, it is a fantastic tool.
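The “hover first,” “fake domain,” and “double-extended attachment” tips above can be turned into a small triage script. The Python below is an added example written for this page, not a RESULTS Technology tool and not part of Catch Phish; the trusted-domain list, the extension lists, and the sample message it inspects are constructed for illustration. It goes slightly beyond the tips by also catching two related tricks: a fake host placed before an ‘@’ in the URL, and a right-to-left override character hidden in an attachment name.

```python
"""Link and attachment triage for a suspicious e-mail (added example)."""
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains this (hypothetical) bank trusts.
TRUSTED_DOMAINS = {"microsoft.com", "examplebank.com"}

# Extensions from the tips above plus other common executable types (added).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".cmd", ".pif", ".vbs",
                         ".js", ".jar", ".msi", ".ps1", ".hta"}
# Harmless-looking extensions attackers put in front of the real one.
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg",
                    ".png", ".zip"}

_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$")


def _host(url: str) -> str:
    """Real destination host of a link, lower-cased, without a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    # urlparse takes the host from after any '@', so the classic
    # 'https://www.microsoft.com@evil.example/' trick resolves to evil.example.
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _same_site(a: str, b: str) -> bool:
    """True if one host equals, or is a subdomain of, the other (whole labels)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_is_trusted(url: str) -> bool:
    """Tip 'look for fake domains': the host must be a trusted domain or a
    subdomain of one.  Matching whole labels from the right rejects both
    'support.microsoft.software.com' and 'microsoft.com.evil.example'."""
    host = _host(url)
    return bool(host) and any(host == d or host.endswith("." + d)
                              for d in TRUSTED_DOMAINS)


def href_matches_text(text: str, href: str) -> bool:
    """Tip 'hover before you click': if the visible link text looks like a
    URL or domain, it must point at the same site as the real href."""
    shown = text.strip().lower()
    if not _LOOKS_LIKE_URL.match(shown):
        return True  # plain words such as 'Click here': nothing to compare
    return _same_site(_host(shown), _host(href))


def attachment_risk(filename: str) -> str:
    """Tips on executable and 'double-extended' attachments.  Returns
    'ok', 'executable', 'double-extension' or 'rtl-override'."""
    if "\u202e" in filename:
        # A right-to-left override makes 'invoice\u202efdp.exe' display as
        # 'invoiceexe.pdf' in many file managers and mail clients.
        return "rtl-override"
    # Trailing dots/spaces are padding that pushes the real extension out of view.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2:
        return "ok"
    if "." + parts[-1].strip() not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2].strip() in DECOY_EXTENSIONS:
        return "double-extension"
    return "executable"


def triage(links, attachments):
    """Return human-readable findings for one message.
    links: list of (visible text, href); attachments: list of file names."""
    findings = []
    for text, href in links:
        if not href_matches_text(text, href):
            findings.append(f"link text '{text}' hides destination {_host(href)}")
        if not link_is_trusted(href):
            findings.append(f"link goes to untrusted host {_host(href)}")
    for name in attachments:
        risk = attachment_risk(name)
        if risk != "ok":
            findings.append(f"attachment '{name}': {risk}")
    return findings


# Constructed sample message, modelled on the tips above (not a real phish).
SAMPLE_LINKS = [
    ("www.microsoft.com", "http://www.support.microsoft.software.com/login"),
    ("Reset your password", "https://login.microsoft.com/"),
]
SAMPLE_ATTACHMENTS = ["statement.pdf", "safe.txt.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINKS, SAMPLE_ATTACHMENTS):
        print("SUSPICIOUS:", finding)
```

Run as-is it reports three findings for the constructed message: the first link’s visible text does not match its real host, that host is not on the trusted list, and ‘safe.txt.exe’ is a double-extended executable. The trusted-list check deliberately compares whole labels from the right rather than searching for “microsoft.com” as a substring, which is exactly the mistake a look-alike domain is designed to exploit.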

Remember, even with the best firewall, antivirus, and fully security-patched systems, you are still vulnerable to malware and phishing attempts. Proper Security Awareness Training is key to a comprehensive cybersecurity program. 

As always, don’t hesitate to contact us if you need help or have questions.