

5 ways to minimize phishing attacks

Fraud Alert:

Data breaches are a hot button topic right now. Many vendors are quick to point out how their device (which I often simply refer to as a “blinky box”) solves all the problems. I beg to differ. Despite the CAPEX spent to buy the device and the OPEX spent to maintain it, there is another avenue that reaps catastrophic outcomes: social engineering. More specifically, phishing.

In the wake of having won the DerbyCon Social Engineering Capture the Flag (SECTF), I offer the following advice based on my experience. 

1. Implement technical controls

There are numerous technical controls available to help minimize the impact of social engineering attacks. For starters, Proofpoint is a company that specializes in detecting and responding to phishing. If you ever see an email with [EXT] or [EXTERNAL] added to the subject line, a gateway such as Proofpoint is most likely what added that tag: it marks mail whose sender is outside the organization so the recipient has a visible cue before acting on it.
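To make the external-sender tagging concrete, here is an added example (not code from the original post, and not how Proofpoint or any other product implements it) of the rule such a gateway applies: if the RFC 5322 From address is not in one of the organization's own domains, prepend a tag to the Subject, without tagging twice. The domain `example.org` and the sample messages are constructed for the demonstration. The rule deliberately looks at the address, not the display name, because display-name lookalikes are a common phishing pattern, and it fails closed when the From header is missing.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical organization domains; anything else is treated as external.
INTERNAL_DOMAINS = {"example.org"}
# Tags gateways commonly prepend; a subject starting with any of them counts as already tagged.
KNOWN_TAGS = ("[EXTERNAL]", "[EXT]")
TAG = KNOWN_TAGS[0]


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From *address*, lower-cased; the display name is ignored on purpose."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True unless the From domain is an internal domain or one of its subdomains.
    A missing or unparsable From header is treated as external (fail closed)."""
    domain = sender_domain(msg)
    if not domain:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def tag_external(msg: EmailMessage, internal_domains=INTERNAL_DOMAINS, tag=TAG) -> EmailMessage:
    """Prepend the tag to Subject for external senders; never double-tag."""
    if not is_external(msg, internal_domains):
        return msg
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper().startswith(tuple(t.upper() for t in KNOWN_TAGS)):
        return msg  # already tagged by an upstream hop
    new_subject = f"{tag} {subject}".rstrip()
    if "Subject" in msg:
        msg.replace_header("Subject", new_subject)
    else:
        msg["Subject"] = new_subject
    return msg


def tagged_subject(raw: bytes) -> str:
    """Parse a raw RFC 5322 message, apply the rule, and return the resulting Subject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(tag_external(msg).get("Subject", ""))


# Constructed sample messages covering the cases the rule has to get right.
SAMPLES = {
    "internal": b"From: Alice <alice@example.org>\r\nSubject: Budget\r\n\r\nhi\r\n",
    "subdomain": b"From: Bob <bob@mail.example.org>\r\nSubject: Budget\r\n\r\nhi\r\n",
    "external": b"From: Vendor <billing@vendor.example>\r\nSubject: Invoice attached\r\n\r\nhi\r\n",
    "already_tagged": b"From: Vendor <billing@vendor.example>\r\nSubject: [EXT] Re: Invoice\r\n\r\nhi\r\n",
    # display name claims an internal address, the real address is external
    "lookalike": b"From: \"alice@example.org\" <someone@other.example>\r\nSubject: Urgent wire\r\n\r\nhi\r\n",
    "no_subject": b"From: someone@other.example\r\n\r\nhi\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {tagged_subject(raw)!r}")
```

Subdomains of an internal domain stay untagged, a message already tagged by an upstream hop is left alone, and a message with no Subject at all still gets the tag so the cue is never lost.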

If you are involved with a US Federal agency, the Department of Homeland Security has promulgated Binding Operational Directive 18-01 (BOD 18-01). This directive recognizes the threat from phishing and web attacks. The email portion specifically aims to minimize or eliminate Business (or Agency) Email Compromise (BEC) and requires two things: transport encryption via STARTTLS and the following technical controls:
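As an added example of how the STARTTLS requirement can be verified (this is not code from the post or from DHS, and it is not the directive's own compliance tooling), the block below does two things: it parses an EHLO response to see whether the STARTTLS extension is advertised, and it offers a live check that connects to a mail server you operate, negotiates STARTTLS with certificate verification on, and reports the TLS version actually agreed. The EHLO transcripts are constructed; the host name in the usage line is a placeholder.

```python
import smtplib
import ssl


def starttls_advertised(ehlo_response: str) -> bool:
    """Return True if a multi-line 250 reply to EHLO advertises the STARTTLS extension.

    Intermediate lines look like "250-KEYWORD params", the last like "250 KEYWORD";
    the first line carries the server's greeting rather than an extension keyword."""
    for line in ehlo_response.splitlines():
        if not line.startswith("250") or not line[4:].strip():
            continue
        keyword = line[4:].split(None, 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a mail server: is STARTTLS offered, and does it negotiate?

    Certificate verification is left on deliberately: a server that offers STARTTLS
    with an invalid certificate raises ssl.SSLCertVerificationError here, which is
    itself a finding worth recording rather than something to suppress."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        return {"host": host, "starttls": True, "tls_version": smtp.sock.version()}


# Constructed EHLO replies: one server that offers STARTTLS, one that does not.
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello client.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org Hello client.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    print("offline sample, with STARTTLS:   ", starttls_advertised(EHLO_WITH_STARTTLS))
    print("offline sample, without STARTTLS:", starttls_advertised(EHLO_WITHOUT_STARTTLS))
    # Run the live check only against a mail server you are responsible for.
    # print(check_starttls("mx.example.org"))  # placeholder host name
```

The offline parser is what a log or transcript review needs; the live function is the check you would schedule against your own MX hosts, and a result of `starttls: False`, or a certificate error from the negotiation, is the condition BOD 18-01's STARTTLS requirement is meant to rule out.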