Email phishing and email spoofing attacks are very simple and on the rise. According to the FBI, there’s been a 270% increase in email-based attacks in just the last year. The same FBI report showed that in Arizona the attacks cost companies anywhere from $25,000 to $75,000 per attack.
These attacks don’t require a lot of technical knowledge to execute. They primarily prey on human flaws: people not understanding the software they use every day, or simply being tricked into thinking an email is legitimate through social engineering and a technique known as spoofing.
Protecting yourself is a two-pronged strategy:
- Train your team both on operating procedures and how your software works.
- Ensure your software is configured properly to prevent spoofing and to catch and filter phishing emails.
Training software street smarts
The software we use on a daily basis (yours and your partners’) is where we’re most vulnerable. The features built into software are made to keep us secure, but also to provide convenience, and that is where we become complacent and comfortable. Attackers use this to try to find their way in. Training and ongoing orientation sessions should focus on the login, sharing, collaboration, and access flows. Answer these questions:
- What are the official URLs of the cloud platforms we use (Dropbox, Google Drive, etc.)?
- What do log in screens look like?
- When does the software ask for a log in? (For instance, should it ever prompt you again while you’re already logged in?)
- What does the share process look like? The acceptance of shares?
Configuring your filters and firewalls
It goes without saying these should be configured to catch malicious email. Emails spoofing internal email addresses can be blocked with proper filter configurations. Look into publishing SPF records in the DNS for your domain, on the nameservers that host your domain’s records. Other malicious emails can be filtered as well with modern algorithm-based filters.
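To make the SPF point concrete, here is an added example (not code from the original post) of what a mail filter does with a published SPF record: it looks up the `v=spf1` TXT record for the sender’s domain and decides whether the connecting IP is authorized to send for it. The domains, IPs and TXT records below are constructed stand-ins for real DNS lookups, and the evaluator is deliberately simplified (it handles `ip4`, `ip6`, `include` and `all` with the `+`/`-`/`~`/`?` qualifiers, and skips `a`, `mx`, `exists`, `redirect` and macros). It also shows why a permissive `+all` record gives you no protection at all.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, example data only).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    # Weak configuration: "+all" authorizes every IP on the internet to send as this domain.
    "permissive.example": ["v=spf1 +all"],
    "no-spf.example": ["some unrelated txt record"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=DNS_TXT):
    """Return the domain's single SPF record, or None if it has none (or several)."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, dns=DNS_TXT, depth=0):
    """Simplified SPF evaluation of sender_ip against the record published for domain.

    Returns one of: 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; also guards against include loops
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 address is never "in" an IPv6 network (and vice versa).
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # "include" matches only if the referenced domain's record yields "pass".
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        else:
            continue  # mechanism not supported by this simplified evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no trailing "all"


def filter_action(sender_ip, mail_from_domain, dns=DNS_TXT):
    """Map an SPF result to a filter decision (an illustrative policy, not a standard)."""
    result = check_spf(sender_ip, mail_from_domain, dns)
    if result == "pass":
        return "accept"
    if result in ("fail", "permerror"):
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "flag"  # 'neutral' or 'none': no policy to enforce, so mark for closer inspection


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "example.com"),
                       ("192.0.2.1", "example.com"),
                       ("192.0.2.1", "permissive.example"),
                       ("192.0.2.1", "no-spf.example")]:
        print(f"{ip:>15} as {domain:<25} -> {check_spf(ip, domain):<8} {filter_action(ip, domain)}")
```

Note that the spoofed message from `192.0.2.1` claiming to be `example.com` is rejected only because that domain ends its record with `-all`; with `~all` it would merely be quarantined, and with `+all` it would be accepted outright. Publishing a record is not enough, so check that your domain’s record actually ends in a restrictive `-all` and that each `include` points at a provider you really use.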
Perform email attack simulations
Sometimes the biggest eye opener is being caught red-handed. While we don’t want to hire actual attackers, there are safe ways to test your team. These simulations try to phish and trick your team, while providing you with reporting on your team’s actions. You’ll know which departments, subset of employees, and/or individuals are at risk and can provide customized training.
Software security filters, virus scans, etc., will not be enough. Malicious email attacks rely on signals that will trick your filters and software as well as your team. A savvy team is your best defense against these types of attacks. Next week I’ll explore 3 specific types of malicious email attacks and how to identify them.
Take some time to configure your email platform and train your team. And if you need a little help just let us know here.