6 ways to equip your phishing tackle box

Cyber attackers would likely agree unanimously that “social engineering”, which exploits human vulnerabilities in places where software and hardware cannot limit every threat, is one of the top tools of the trade.

These methods of human deception have become uncomfortably widespread. Phishing attacks can range from basic individual financial theft (such as stealing credit card numbers) to sophisticated campaigns against organizations, companies, or people of interest. This article will help to raise awareness of the threat landscape and introduce six common problems that can prevent you from minimizing risk for your company, along with their solutions.

Most companies buy tools that promise to filter out a majority of nefarious email traffic and adopt “ethical phishing” programs that teach employees not to click on links or attachments.  Despite these two common investments, companies still experience significant successful attacks. Tools and phishing programs can also create false confidence that prevents leaders from adapting to change or thinking about the bigger picture.

Efforts to prevent phishing or train employees can also backfire or yield the wrong behaviors. For example, we have seen cases of individuals (occasionally leaders directing staff) nominating one person to click the link to confirm it was “a test” from the company so they can warn others.  In another real example, a senior engineer forwarded the suspected email to his personal email account and opened it (also on his company laptop) to see if it was a company test. In yet another example, a corporate email filter blocked an official notice to a violent crime victim about the early release of his attacker from prison.

From a technology standpoint, companies can find themselves anywhere between having inadequate protective and detective security tooling and having so many tools that they conflict, are only partially implemented, are understaffed, or are forgotten about.

Whether you work at a school, church, doctor’s office, SMB, or a Fortune 500 company, your organization should be taking a comprehensive risk-based approach to combat phishing rather than playing a random game of whack-a-mole with technology or flavor-of-the-month training.