According to the 2019 Verizon Data Breach Investigation Report, a full third of cyber attacks involve phishing tactics. While there is evidence that employee education and phishing prevention solutions are effective in stopping basic phishing attempts, attackers have responded by making phishing emails more sophisticated and convincing. Examples include targeted spear phishing messages based on victim’s social media posts, phishing via text messages, sextortion, and creating fake login pages for legitimate web sites. Users are always the weakest link in security, and that’s why it’s more important than ever for organizations to train their employees to spot phishing attempts.
WatchGuard Sr. Security Researcher Marc Laliberte recently wrote a guest article about phishing education for Help Net Security. He explains why phishing education is so critical to organizations’ overall security posture and gives best practices for success, like establishing a baseline, covering text message phishing and including technical phishing controls like DNS filtering. Here’s an excerpt from the article:
“Phishing awareness training should include the latest phishing delivery method: text messages. While text message phishing tends to go after user’s bank accounts, there is nothing to stop an attacker with knowledge of a company’s organizational structure from pretending to be the CFO in an “urgent” text to a finance employee.
The 2019 Verizon Data Breach Investigation Report points out a few reasons why text message phishing has the potential to be even more effective than emails. First, users tend to be distracted with other tasks like walking or talking while interacting with their mobile phones. This may cause them to miss indicators that the message is not legitimate. Additionally, mobile apps are more streamlined than their desktop counterparts, which includes removing or hiding elements that might verify the validity of a link, like SSL certificates. Many phishing training companies now include text-based phishing awareness services too, that help teach users how to spot these more difficult-to-find red flags.”
Read the full article to get all four of Marc’s tips on phishing prevention. Read more about defending against mobile phishing and about a new phishing attack that goes after MFA tokens here on Secplicity. Check out our DNSWatch security service for details on how WatchGuard can help prevent phishing attacks.