And just like that...
You clicked on a link that could have potentially been a phishing attack.
It happens to all of us. We traverse today's world hyper-exposed to mobile devices, email, and social media on an hourly basis. The way we interact with technology has changed our behavior, and at times it seems we scroll and click on a link without thinking about it at all.
That reflex is exactly the weakness attackers leverage to gain a foothold in your systems or harvest your credentials.
Human wants, needs, and curiosities drive people to click on enticing links that lead to a familiar-looking (but not quite right) login screen or a malicious website. In the best case, an employee with some level of security awareness quickly spots the anomalies in the login screen or the URL and realizes they have been duped.
In the worst case, the login page or website is crafted so well that the employee never notices, enters their enterprise credentials, or clicks through to content that executes malware and gives the attacker access to their workstation.
There is no technology-only solution to this reality, because the human variable is a matter of culture rather than configuration. The answer has to be one that changes the culture of the company to be more security-aware.
This is done by implementing a security awareness training program that tests your employees with simulated phishing attacks regularly and as unobtrusively as possible. These tests, especially the first one, are an eye-opening experience for the IT security practitioner: you quickly see how susceptible your employee population is to phishing. With no training in place, a company can easily expect phishing susceptibility (the share of recipients who click) of 45% or more.
That is a chilling prospect. If your company has 1,000 employees and phishing susceptibility is at 45%, an attacker has a good chance of tricking 450 of them into clicking a link in that email.
The reason it is so chilling is that it only takes one successful phishing email to:
Convince one of your HR employees to change another employee's bank account information, so that employee's paycheck goes to the attacker.
Trick your Accounting team into paying an invoice from a "vendor" that does not exist.
Fool an employee into typing their credentials into a fake login page, giving the attacker access to their email or network account.
Direct an employee to a malicious website that installs a backdoor on their machine, giving the attacker a beachhead from which to pivot, plan further attacks downstream, or, worse, launch a ransomware attack.
It is serious business.
The good news is that a security awareness program can whittle down your company's phishing susceptibility percentage, train your employees to recognize attacks and report them, get them communicating with their teammates and leadership, and help them become stakeholders in the overall company security posture.
If you need assistance with establishing a security awareness program or need help managing a security awareness program, book a consultation with our team, and we can answer all your questions.
Implementing a program within your company is easier than you think and relatively inexpensive compared to the cost of a breach.