By Ethan Butts – Information Security Analyst – Intrinium
If it weren’t for human error, information security would be a lot easier. Most security incidents are the result, at least in part, of an avoidable human mistake. The biggest area for errors is incoming email. When people trust a phishing message, they can give away secrets or let malware into their networks.
Practice makes safety
Employee training is an excellent way to keep those tricks from working. People need to develop habits that make them pause and check when they get a dubious message.
It’s tempting to react to a message without thinking. Just knowing the need for caution isn’t enough. Testing employees with in-house phishing messages will give them experience and check how well they’ve learned. If they respond, they’ll get a warning that they fell for a trick.
Conducting regular exercises with test email will keep employees alert and give an indication of how well they’re learning. It will identify the ones who need additional training.
10 tips for recognizing deceptive mail
This list of safe practices will help to get users on the right path. Regular exercises will make these practices instinctive. New threats keep emerging, but the need for caution stays the same, and following these points will frustrate most attacks.
- Look, don’t click. Don’t click on links without thinking. With most mail clients, you can hover over a link with the mouse and see where it leads. If the target address is something strange, don’t click on it without further checking. A handy way to check links is with VirusTotal.com.
- When in doubt, don’t open attachments. When your message has an “important attachment,” leave it alone unless you’re sure it’s legitimate. Attachments can contain scripts to load malware onto your computer, wiping out your files or giving an outsider access to private data.
- Don’t enter credentials into an insecure website. A secure site has a URL that starts with “https:” rather than “http:”, and the browser shows a padlock icon when you open it. Even if a plain-http site is legitimate, someone could intercept your login ID and password in transit. Legitimate sites almost always set up secure connections, so be suspicious of ones that don’t.
- Be suspicious of misspellings and poor grammar. Spammers often use low-paid people with a poor command of English to compose their messages. Legitimate businesses care how their messages look and proofread them. A message with serious errors is likely to be fake.
- The more urgent or threatening a message is, the more caution it calls for. Spammers try to rattle you with warnings that you have to act immediately or face serious consequences. They want you to act first and think later. Don’t let them throw you.
- Don’t believe everything you see. Criminals are getting better at their craft, and some messages look very convincing. The return address looks right and the writing is good. If the message asks you to do something out of the ordinary, like transferring a large amount of money, verify before acting.
- Don’t send sensitive information by email. Email isn’t a secure medium, and forgery is easy. Get directly in touch with the company or person to make sure you’re sending any sensitive information to the right place through a secure channel.
- Look carefully at the greeting. If the message doesn’t mention your name but just says “Dear Customer” (or worse yet, “Dear Costumer”), it’s probably spam.
- When in doubt, ask the sender. If a message seems to be from someone you know but looks odd, make sure that person really sent it. Pick up the phone or send an email message to the person or company’s usual address and ask for verification.
- Be suspicious of bad design. Legitimate businesses put effort into making their messages look good. If elements overlap in an ugly way or the images look like bad imitations of company logos, that’s a bad sign. Text in an image could be a way to get past spam filters.
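Several of these checks can be done by a script as well as by eye. The following Python example is added here to illustrate that; it is not code from the original post or from Intrinium. It scans an HTML message body and flags link text that shows one domain while the actual href points to another (tip 1), credential links over plain http (tip 3), links to domains outside an expected list, urgency wording (tip 5) and generic greetings (tip 8). The two sample messages and every domain name in them are constructed for this example, and the registered-domain helper is a two-label approximation rather than a public-suffix lookup.

```python
"""Flag common phishing red flags in an HTML email body.

Added example; the sample messages and domains below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that tries to rush the reader (tip 5) and greetings that avoid a name (tip 8).
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "act now")
GENERIC_GREETINGS = ("dear customer", "dear costumer", "dear user", "dear account holder")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus the plain text of the message."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible text)
        self.text_parts = []   # all text nodes, for greeting/urgency checks
        self._href = None      # href of the <a> currently open, if any
        self._buf = []         # visible text accumulated inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (assumption: good enough for the sample,
    a real tool would consult the public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(html_body, trusted_domains=()):
    """Return a list of human-readable findings; an empty list means no red flags."""
    parser = _LinkCollector()
    parser.feed(html_body)
    text = " ".join(parser.text_parts).lower()
    findings = []

    for href, visible in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if not host:
            continue  # mailto: and relative links carry no host to judge
        # Tip 1: does the link say it goes one place but lead somewhere else?
        shown = re.search(r"https?://([^/\s]+)", visible)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        # Tip 3: a login or "verify" link over plain http exposes credentials in transit
        if target.scheme == "http":
            findings.append(f"insecure http link to {host}")
        if trusted_domains and registered_domain(host) not in trusted_domains:
            findings.append(f"link to unexpected domain {host}")

    findings.extend(f"generic greeting '{g}'" for g in GENERIC_GREETINGS if g in text)
    findings.extend(f"urgency cue '{w}'" for w in URGENCY_WORDS if w in text)
    return findings


# Constructed sample messages (placeholder domains, not real sites).
SAMPLE_PHISH = """
<html><body>
<p>Dear Costumer,</p>
<p>Your account will be suspended unless you verify it immediately.</p>
<p><a href="http://secure-login.example-bank-verify.net/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """
<html><body>
<p>Dear Ethan,</p>
<p>Your monthly statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">Sign in to view it</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_email(body, trusted_domains={"example-bank.com"}))
```

The `trusted_domains` list is what makes the "unexpected domain" check useful: an organization that only ever links staff to a handful of its own domains can treat anything else in a message that looks internal as worth a second look.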
Neglecting these points can open networks to dangerous attacks and give confidential information to people who abuse it. The short summary of these points is: When in doubt, leave the message untouched and contact the sender or the information security department. Apply these points to your home and personal mail, not just at work, and you’ll be safer all the time.
Stressing these principles of caution and conducting regular testing of users gives a business a more secure position against the attacks it will inevitably face. Intrinium provides managed security services and security awareness training. Schedule a meeting with us to learn more about training in safe practices.