As you may already know, this is Safer Internet Day. Although the day itself tends to be aimed at educating the next generation of Internet users, it also represents a great opportunity to re-engage your end users about the importance of staying safe online.
If you are working in IT or security, you no doubt already know about security hygiene basics. But you could probably do with some help getting end users to take you seriously. So this week, in support of Safer Internet Day, CBR has teamed up with Lee Weiner – SVP of products and engineering at Rapid7, provider of security risk intelligence solutions – to bring you a series of useful guides that you can cut and paste into an email and send to users as a good reference for safe online behaviour.
User education is hugely important because increasingly the users are the ones that represent the greatest threat to your environment – clicking on links, sharing information, losing laptops, downloading shady apps and using cloud services without telling you. Essentially every user is now a point on your perimeter and every user is a potential target.
First up to go under the spotlight is phishing. It can be easy to assume that everyone knows about phishing and wouldn’t fall for an email claiming they’ve won £100,000 or click on a link from a sender they don’t know. But don’t be so sure. Reminding users again and again of the risks might help them become more judicious about which links they click.
So, here’s the lowdown on phishing:
What is phishing?
Phishing is basically someone using email to try to get you to do something or tell them something that enables them to compromise you in some way. As the name suggests, this typically works by dangling some kind of bait in front of you. One of the most famous examples of phishing is the Nigerian 419 scam, which lured people into giving their bank information with the promise of huge riches.
Other kinds of phishing emails try to convince you to open an attachment or click on a link. These can lead to your computer (or whatever device you read the email on) becoming infected with something nasty. Or it could lead to you unknowingly giving a criminal your security credentials for a site. For example, say you receive an email from LinkedIn saying someone wants to connect with you. You click on the link and you get the login page for LinkedIn. Pop your password in and land on the page you expected to be sent to. Everything looks normal and you have no idea that you just gave your LinkedIn password to a criminal.
Phishing that specifically targets you is called "spear phishing." This means the attacker uses information he has learned about you – for example from calling the switchboard or looking at your social networking profiles and interactions – and then creates an email specifically designed to look highly plausible to you. These emails can be very credible and hard to spot. Why would someone want to target you in this way? They might not be targeting you personally, but using you as a way to get a foot in the door of your corporate network. Or it could be that they’re ultimately after someone in your network. You never know how tempting a target you might represent to an attacker, so it’s important to be vigilant.
How can you protect yourself?
Perhaps the best way to view email is that potentially lurking behind every one could be a giant shark waiting to make its move. This is true whether it’s work or personal email, so you must treat every email with a basic level of caution.
Here are some tips to get you started:
Protect your information
Do not send sensitive information, such as bank details, over email. If it can’t be avoided, be sure that you know who you are sending them to, start a new email thread rather than replying to a chain, and check the email address carefully.
Check the address
Be mindful of who is emailing you. Check email addresses for accuracy and look for signs of suspicious activity, for example if an email is not in the format you’d expect or a name appears to be spelt incorrectly. Email addresses made up of seemingly random combinations of letters and numbers may also be suspicious.
Don’t click on links
Hover over links WITHOUT CLICKING – the destination will show in the bottom left of your screen and you can see whether it looks right. If in doubt, Google the address you need rather than clicking on a link.
Don’t open attachments
Treat any attachment that you didn’t request as highly suspect. Send it to the IT and security team if you’re not sure whether it’s safe and they will check it out for you.
Check with IT/Security
If in doubt, email your IT and security team. They will let you know whether something is safe to open or click on. It’s better to be safe than sorry.
Phishing isn’t complicated, but this simplicity is the key to its success. Given the sheer amount of email we all receive every day, it’s tough to remember to be vigilant. So remember that shark lurking behind you!