Do Your Senior Management Know How to Spot a Phishing Attack?
+44 (0) 800 093 2580
www.fusemail.com/en-gb/
Staffordshire | United Kingdom
Spear phishing attacks are on the rise and therefore so are the number of victims of successful attacks. In
order to protect your organisation from threats like this you need to have a multifaceted approach to email
security.
You may have invested in the best technology to prevent or mitigate a phishing attack, but your staff are an equally important part of your defence, and that aspect can be difficult to control. It takes just one person acting on a phishing email or clicking a malicious link to put your entire network and company at risk.
Senior management, decision makers, and people with access to transfer finances are the most likely to be
targeted by phishing attacks.
FuseMail, the email security experts, have developed leading email security technology to identify and prevent
phishing and spear phishing attacks in the cloud, before they reach your network. But we have also designed
this short 15 minute course for you to give to your Senior Management Team (or indeed anyone in your
organisation) to help them better understand and identify phishing, learn to be suspicious, and help prevent a
successful attack.
The 15 minute spear phishing course

This course has been designed to be used in two ways. It’s up to you!
1) You can gather your senior management team together in one location and present it to them as you
would a traditional training session.
OR
2) You can send them this document and get them to work through it in their own time.
However you go about using it, make sure to follow up with each person you have given the course to.
The rise of spear phishing attacks …learning to be suspicious

Let’s get started!
Introduction
Phishing is any website, online service, phone call, text message or email that poses as a company or brand you recognise. Phishing attacks are generally undertaken on a large scale: a big net is cast to try to catch as many victims as possible.
Spear phishing is similar to phishing but is undertaken on a more targeted level. The spear phishers target specific
individuals using social media, telephone calls and in some cases the hacking of accounts in order to get more
detailed information about their potential victims. They invest time and effort to get as much information as
possible about their target and then use that to make their requests appear very authentic.
Both types of phishing are designed to convince you or your team to hand over valuable organisational details,
money, or trick you into downloading something that infects your computer and corporate IT network. The
impostors phish for potential victims by sending emails, social media messages or text messages or making phone
calls with urgent messages in the hope of persuading someone to visit the bogus website or pay out sums of
money.
Why do they do it? Because it works.
One in four companies reported a cyber breach in the last 12 months.
According to research compiled by the University of Portsmouth for the 2016 Annual Fraud Indicator report, fraud
is taking place on an industrial scale and is one of the biggest crimes afflicting UK PLCs today.
It just takes a single click.
You may have invested in the best technology to prevent or mitigate a phishing attack but the mainstay of your
defence is your staff and that can be difficult to control. It takes just one person believing a phishing email or
clicking on a malicious link to put your entire network and company at risk.
Staff knowledge and awareness is the difference between success and failure
By arming your staff with the knowledge to identify phishing scams you will save money and time, protect your reputation and improve staff morale. In fact, being able to detect a potentially malicious email and act promptly makes your staff feel important, empowered and active in the fight against cyber-crime.
A user awareness programme combined with traditional anti-malware strengthens your anti-phishing capabilities: employees become a valuable, active defence layer inside the organisation.
We have designed this short spear-phishing awareness course to help you or your senior management team
begin to identify ways in which phishing attacks can be recognised and avoided.
Exercise 1 - Email from the BOSS!

Look at the email below and decide whether you think it is legitimate or not. Don’t be overly suspicious; accept that it is just another email. What about it would make you think it was real and from your boss?

From: Bob Hurt <[email protected]>
To: John Frost <john,[email protected]>
CC:
Subject: Urgent payment to go through today

Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
[This is your official company email signature, with your logo, www.website.com and accurate contact details.]

Jot down what you spotted…
How did you do?

This is what we picked up on as potential reasons people might not question the authenticity of this email.
1) There are no spelling errors in the email, so no suspicion would be raised by this.
2) The email itself is familiar yet professional, and there is a logical reason for the cash transfer explained in the email.
3) There is a sense of urgency created in the email, but not enough to raise suspicion. Who wouldn’t want a discount on their rent?!
4) It has come from your CEO’s name and email address.
5) The email has your organisation’s email footer, so it looks real. It even has your logo and looks like any other internal email you receive every day.
6) The email asks you to confirm the cash transfer so the CEO knows that it has been completed and can get on with his holiday.
7) It is courteous: the sender apologises, as he knows that month end is a busy time for the Accounts Team, and he acknowledges that.
Page | 7
Email from the BOSS - Take 2 Look again and this time, highlight or circle anything that would make you suspicious. Be very suspicious.
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
Jot down what you spotted…
Page | 8
Here’s what we spotted. Let’s take a closer look at the email and start learning how to be suspicious.
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
1
Did you look closely at the ‘From’ email address? At first glance you might be fooled into thinking it came from Bob
Hurt. But if you look more closely, you may have spotted that the email has not in fact come from your company’s
domain, but actually from yourc0mpany’s domain. The ‘o’ in company was replaced by a zero 0.
This can be even harder to spot in some email software (Outlook, Thunderbird, smartphone apps, etc) as you don’t
even see the full email address a message is coming from. In Microsoft Outlook for example, this message would
normally be displayed as coming from ‘Bob Hurt’ not ‘[email protected].
TOP TIP - by double clicking on the name you can see and check the full email address of the sender. If you are ever
in any doubt about the authenticity of an email start your investigation by checking the full email address.
The From Email Address
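The zero-for-‘o’ check above is the kind of thing a mail gateway or a small triage script can do for you, and it catches more than one trick. The following is an added example, not part of the original course and not one of FuseMail’s products: it parses a From header, normalises the sender domain so that digit-for-letter swaps, accents, hyphens and digraphs like ‘rn’ collapse onto the letters they imitate, and compares the result with your own domains; it also flags an executive’s display name arriving from an outside domain. The company domain, the executive name and the sample headers are assumptions constructed for the illustration.

```python
import unicodedata
from email.utils import parseaddr

# Digits, symbols and digraphs that attackers swap in for the letters they resemble.
# Longer keys are applied first so 'rn' collapses to 'm' before the single characters are handled.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "9": "g",
    "$": "s", "@": "a", "!": "i", "|": "l",
}


def skeleton(domain):
    """Normalise a domain so look-alike spellings land on the same string.

    Lower-cases, strips accents (so 'yourcómpany.com' becomes 'yourcompany.com'), drops
    hyphens, then maps each confusable onto the letter it imitates ('yourc0mpany' -> 'yourcompany').
    """
    text = unicodedata.normalize("NFKD", domain.casefold())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.replace("-", "")
    for fake, real in sorted(CONFUSABLES.items(), key=lambda item: -len(item[0])):
        text = text.replace(fake, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def assess_sender(from_header, trusted_domains, vip_names=()):
    """Return red flags for a From header; an empty list means the sender domain is one of ours."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["From header has no usable address"]
    domain = address.rsplit("@", 1)[1].casefold()
    trusted = sorted(d.casefold() for d in trusted_domains)
    if domain in trusted:
        return []
    flags = []
    domain_skel = skeleton(domain)
    for ours in trusted:
        ours_skel = skeleton(ours)
        if domain_skel == ours_skel:
            flags.append(f"look-alike domain: {domain} imitates {ours}")
        elif edit_distance(domain_skel, ours_skel) <= 1:
            flags.append(f"near-miss domain: {domain} is one edit away from {ours}")
        elif ours_skel.split(".")[0] in domain_skel:
            flags.append(f"our name embedded in a stranger's domain: {domain}")
    if display.casefold() in {name.casefold() for name in vip_names}:
        flags.append(f"display name '{display}' is an executive but {domain} is not one of our domains")
    return flags


# Constructed sample headers; the company domain and the CEO's name are placeholders.
OUR_DOMAINS = ["yourcompany.com"]
EXECUTIVES = ["Bob Hurt"]
SAMPLE_HEADERS = [
    "Bob Hurt <bob.hurt@yourcompany.com>",           # genuine
    "Bob Hurt <bob.hurt@yourc0mpany.com>",           # zero for 'o', as in the exercise
    "Bob Hurt <bob.hurt@yourcompany-payments.com>",  # our name wrapped in a fresh registration
    "Bob Hurt <bobhurt.ceo@gmail.com>",              # display-name spoofing from webmail
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", assess_sender(header, OUR_DOMAINS, EXECUTIVES) or ["no flags"])
```

The skeleton comparison is deliberately loose: it will also flag a legitimate third party whose domain happens to contain your company name, which is the right trade-off for a warning banner on a finance team’s inbox but not for an automatic block.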
Page | 9
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
2
We have all worked for those mad men and women who work from the beach. But a healthy dose of suspicion
should always be applied to anyone asking you to transfer large sums of money whilst they are on holiday.
Emails like this are designed to make you feel uncomfortable for questioning the boss. “They are on holiday, it’s a
simple request; shouldn’t I just do what they are asking? Otherwise I have to call my boss who is in the Bahamas on
his first holiday in 12 months… awkward!”
Even with your suspicious hat on, you might be thinking, “well how would a phisher know that my boss is on
holiday?” The simple answer? By using LinkedIn to find out who the boss is and then using their Facebook, Twitter
and Instagram accounts to find out what they are up to.
Conveniently Out of the Office
Page | 10
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
3
Let’s zone in on the reason for the transfer. Ok, this is a fictitious reason in a fictitious email and we’re not criminal
masterminds. But a discount on the rent is a good reason to pay upfront. Rent is paid every month by the majority of
SME businesses and a good thing to target for a discount.
However, again be suspicious, is this likely? Would your boss want to remove three months of cash from your bank
account even with a good discount? Rent is a pretty big outgoing expense.
The Hook! A Discount…
Page | 11
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
4
If you take away nothing else from this document, take away with this: ALWAYS QUESTION NEW BANK ACCOUNTS.
If a supplier updates their bank account, call them to confirm. Don’t use the contact details at the bottom of the
email, go to their website directly in your web browser and use the contact details from there.
Common phishing tricks include using the email footer to include fake telephone numbers and link which direct you
to less than savoury or indeed harmful websites.
A New Bank Account
Page | 12
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm?
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
5
The next thing we would like to draw your attention to is the ASAP. Why is this so urgent? Your boss says they must
be having cash flow problems, maybe they are but this should be a red flag for anyone receiving an email like this.
Victims of phishing scams report that it all happens in a matter minutes – leaving them no time to reflect or think
about what has happened. When we move quickly, we make mistakes. When we are asked to move quickly by our
boss, human nature dictates that we do what they say immediately. But in the case of money transfers, caution
always needs to be applied.
It’s an Emergency!
Page | 13
Hi John
I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months
upfront today. I think they must be having cash flow problems.
Can you please transfer the £7,500 to their new bank account below ASAP?
Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19
Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the
payment and I can call them to confirm.
Much appreciated,
Bob Hurt
CEO
This is your official company email signature.
With your logo, www.website.com and accurate contact details.
From: Bob Hurt <[email protected]> To: John Frost <john,[email protected]> CC: Subject: Urgent payment to go through today
6
The last thing we would like to draw your attention to is the email signature. It looks just like any email signature. It
has the senders name, title, company logo and link to the website.
However, links like this can redirect you to a malicious or phishing website. Also be particularly wary of things like
click here, read more here etc, as they could hide malicious URLs. TOP TIP - Before you click on a link in an email,
always hover over it with your mouse. This will show you the real destination the link is sending you to. For even
better protection, Using URL protection services like ClickSMART from FuseMail helps to defend your network
against webpages that would download ransomware and other malware onto your computer and network.
Things you should also be wary of, particularly if you are questioning an email is to double check telephone numbers
on the company’s official website. Go to the website by typing the URL directly in your web browser, as often
phishers will put a false website and telephone number in an official looking email signature.
The Email Signature
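The hover check above can be automated for anyone who has to triage suspicious emails by hand. The following is an added example, not from the original course and not FuseMail’s ClickSMART: it pulls every link out of an HTML body, works out which host a browser would really connect to, and flags links whose visible text names one site while the href goes to another, including the ‘yourdomain@evil’ trick that puts a familiar name before an ‘@’, and vague ‘click here’ links that lead off-site. The sample footer HTML, the placeholder website.com domain and the trusted host list are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that says nothing about the destination, so the href deserves a look every time.
VAGUE_TEXT = {"click here", "read more", "read more here", "view document", "log in", "login", "confirm"}
# Visible text that itself looks like a web address, e.g. 'www.website.com' or 'https://x.com/path'.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?(www\.)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Host the browser would really connect to; accepts scheme-less text such as 'www.x.com/path'.

    urlsplit applies the userinfo rule, so 'http://www.website.com@evil.example/' yields
    'evil.example': everything before the '@' is a username, not the host.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").casefold()


def same_site(host_a, host_b):
    """Crude registrable-domain test: www.website.com and website.com count as the same site.

    Adequate for .com/.net style names; use a public-suffix list for co.uk and similar.
    """
    return host_a != "" and host_a.split(".")[-2:] == host_b.split(".")[-2:]


def audit_links(html_body, trusted_hosts=()):
    """Return one red flag per suspicious link; an empty list means nothing stood out."""
    collector = LinkCollector()
    collector.feed(html_body)
    trusted = [h.casefold() for h in trusted_hosts]
    flags = []
    for href, text in collector.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue  # not web links; the '@' in a mailto is not the userinfo trick
        real_host = host_of(href)
        if urlsplit(href if "://" in href else "http://" + href).username:
            flags.append(f"{href}: text before '@' is a username, the real host is {real_host}")
        if LOOKS_LIKE_URL.match(text) and not same_site(host_of(text), real_host):
            flags.append(f"link text '{text}' actually goes to {real_host}")
        elif text.casefold() in VAGUE_TEXT and not any(same_site(real_host, t) for t in trusted):
            flags.append(f"'{text}' leads off-site to {real_host}")
    return flags


# Constructed HTML footer for the illustration; website.com stands in for your real domain.
SAMPLE_FOOTER = """
<p>Much appreciated,<br>Bob Hurt<br>CEO</p>
<p><a href="http://www.website.com/">www.website.com</a></p>
<p><a href="http://www.website.com.evil.example/login">www.website.com</a></p>
<p><a href="http://www.website.com@evil.example/login">www.website.com</a></p>
<p><a href="https://docs-share.example/inv/7741">click here</a></p>
"""

if __name__ == "__main__":
    for flag in audit_links(SAMPLE_FOOTER, trusted_hosts=["website.com"]):
        print(flag)
```

Run against the sample footer this reports four flags: the genuine first link passes, the second hides your domain as a subdomain of the attacker’s, the third uses the userinfo trick and is reported twice (once for the ‘@’, once for the mismatch), and the ‘click here’ link leads somewhere outside the trusted list.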
Page | 14
Course roundup
The many ways you can be fooled into giving your information to phishers, hackers and spammers are, quite frankly, frightening. This is happening to unsuspecting businesses and private individuals all over the world today. No one is immune: successful attacks have been made on hospitals, universities, charities and FTSE-listed companies.
Officials believe that the threat and success rates are actually much higher than those reported, as many businesses decide to just pay out and move on. They are often embarrassed or too busy to report what has happened, and the damage to their organisation’s reputation could impact their bottom line. A key issue here is that if an attack is successful the first time around, repeat attacks and repeat successes follow. The attackers, rightly it would seem, assume that if they got away with it once, why not a second and a third time.
So what can you do?
There is no single or easy thing you can do to prevent attacks like these but thankfully there are a few simple
steps you can take which go a long way towards reducing your risk significantly. We have compiled a short ‘Top 10
tips for senior management’ list below which helps you to identify 10 small ways you can make a big difference to
your company’s cyber security.
As for email security software, FuseMail can help in the form of our industry-leading cloud based email and web
security services. Contact us today to book your free trial or arrange an online demonstration.
Get in touch to discover our industry leading services
Email [email protected]
Page | 15
Top 10 Tips for Senior Management
Change your passwords regularly. When selecting passwords, think random; use numbers and
symbols as well as words and steer clear of things like ‘123456’ or ‘Password123’.
Never adopt an ‘oh it will never happen to us, we’re too small/too big to be on their radar’
attitude. Ensure that your IT infrastructure is as robust as possible by investing in high quality
security products like email and web filtering and security from FuseMail.
If an email attachment asks you to run macros or download something –report it to IT
immediately.
Be suspicious of changes or urgent requests regarding credit cards, bank transfers or updated
bank accounts.
Hover over links in emails before clicking on them to ensure they are going to where they say they
are.
Don’t talk about your holiday on social media until you come back. This is where phishers get all
their information. They knew your boss was on holiday because he told them… on Facebook.
Never use the telephone number or links from the bottom of an email you are questioning. Go
online and get the contact details from the company’s website.
Phishing is not just for emails. Be wary of SMS phishing too. If your bank sends you a text
message, never click on the link in the text and always use their website to find contact details. A
phishing text message will come in to your phone under all previous text messages from your
bank. These are really hard to spot – so be very cautious.
If you are asked to send a payment to a new bank account, always call the supplier to confirm that
it has come from them. Remember to use their website to get their telephone number.
Invest in your staff. That means ensuring your IT Team has the knowledge and tools they need to
protect your network AND training all staff members in cyber security awareness.
1
2
3
4
5
6
7
8
9
10
Page | 16
Top 10 Tips for IT Teams
Don’t just train end users once, ensure you train them regularly.
Ensure you have a password update policy and enforce it.
Lobby to make email and web security a part of your company’s induction training.
Buy the best email and web security service your budget will stretch to, this is no place to scrimp.
Invest in an email URL protection service to reduce your risk further.
Make sure you have anti-spoofing set up for your domain.
Ensure your email security service invests in ongoing research and development, to make sure
you are protected from today’s threats, not yesterday’s.
A lot of companies like FuseMail will offer free training and updates on the industry in the form of
webinars and whitepapers, so try to keep yourself up to date with the latest developments and
threats.
Support companies are starting to offer a new service called cyber security awareness training.
This service aims to bring about an increased awareness and knowledge around phishing, spear
phishing and other types of cyber security threat in an effort to reduce risk. It might be something
to think about for next year’s budget.
Cyber security insurance is another way to mitigate against the risk of a successful attack. It might
be worth investigating the costs involved with such a service.
1
2
3
4
5
6
7
8
9
10
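Tip 6 (anti-spoofing for your domain) means publishing SPF, DKIM and DMARC records, and a record that merely exists is not the same as one that stops someone sending as your CEO. The following is an added example, not part of the original document: it parses SPF and DMARC TXT records the way a receiving mail server reads them and reports the settings that leave the door open (a permissive ‘all’ qualifier, too many DNS lookups, p=none, a pct below 100, no reporting address). The sample records and the yourcompany.com domain in them are constructed for the illustration; paste in your own records from dig or nslookup to check them.

```python
import re

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the weaknesses a receiver would honour in a DMARC record (empty list = solid)."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    flags = []
    policy = tags.get("p")
    if policy is None:
        flags.append("no p= tag: receivers treat the record as invalid")
    elif policy == "none":
        flags.append("p=none only monitors; spoofed mail is still delivered to the inbox")
    elif policy == "quarantine":
        flags.append("p=quarantine sends spoofed mail to junk; move to p=reject once reports look clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        flags.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if tags.get("sp") == "none":
        flags.append("sp=none: mail from subdomains can still be spoofed")
    if "rua" not in tags:
        flags.append("no rua= address: you will receive no aggregate reports showing who is spoofing you")
    return flags


def spf_dns_lookups(terms):
    """Count the SPF terms (after v=spf1) that trigger a DNS query."""
    count = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            count += 1
    return count


def assess_spf(record):
    """Return the weaknesses in an SPF record (empty list = solid)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    flags = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        flags.append("no 'all' mechanism: hosts you did not list are neither passed nor failed")
    elif all_term in ("all", "+all"):
        flags.append("+all: any host on the internet may send as your domain")
    elif all_term == "?all":
        flags.append("?all is neutral: spoofed mail receives no penalty at all")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms[1:]):
        flags.append("ptr mechanism is deprecated and slow; replace with ip4/ip6 or include")
    lookups = spf_dns_lookups(terms)
    if lookups > 10:
        flags.append(f"{lookups} DNS lookups: over the limit of 10, receivers return permerror")
    return flags


# Constructed sample records for the illustration; yourcompany.com is a placeholder.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, record, check in (("DMARC", WEAK_DMARC, assess_dmarc), ("DMARC", STRONG_DMARC, assess_dmarc),
                                 ("SPF", WEAK_SPF, assess_spf), ("SPF", STRONG_SPF, assess_spf)):
        print(label, record, "->", check(record) or ["no issues found"])
```

The checks are offline string parsing only; DKIM is not covered because its correctness depends on the selector records and the signatures your mail servers actually produce, which has to be verified on real outbound messages rather than from a TXT record alone.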
Page | 17
About FuseMail®
FuseMail® enables businesses around the world to communicate with confidence
every day. Our cloud based services provide simple, secure, and scalable solutions for
email security, spam/virus filtering, archiving, encryption, web security and email
hosting. With award-winning local support and an international suite of products and
features, FuseMail® is a world leader in email and web security.
SecureSMART email security SecureSMART’s multi-layered security keeps you safe from known and emerging email-based threats, using a
combination of custom filters and industry-leading anti-virus, anti-spam and anti-phishing engines. Read more
online.
ClickSMART URL protection ClickSMART provides yet another level of protection against phishing and ransomware attacks by preventing
email recipients from clicking on dangerous URLs. It rewrites web links in emails, enabling them to be
rescanned at the time of the click. Read more online.
ContinuitySMART email continuity Adding ContinuitySMART to your SecureSMART package upgrades SecureSMART to SecureSMART Suite. This
upgrade brings with it always-on email continuity and an additional 76 days of email replay from the
SecureSMART email logs bringing you to 90 days of email replay in total. Read more online.
ExchangeSMART Hosted Exchange ExchangeSMART is FuseMail’s® Hosted Microsoft Exchange solution that provides you with all the features and
collaboration options of an in-house installation of Microsoft Exchange, but without the prohibitive costs and
time-consuming administration. Read more online.
WebCritical web security WebCritical cloud-based web security gives you control over what employees do online and protects your
organisation from web-based threats. Read more online.
Page | 18
Want to get your hands on the PPT presentation to go with this document? Email [email protected]

FuseMail® | IC 5 | Keele Science Park | Keele | Staffordshire | UK © FuseMail UK Limited