Smart Buyer
There are plenty of malware tools designed for detecting malicious software that infects computers and applications, and just as many anti-phishing spam filter programs aimed at keeping users’ inboxes free of potential attacks. Even though firewall technology grows more sophisticated and secure each year, fraudsters hunting sensitive user data and financial information continue to thrive.

Phishing is an old scam that dates back almost 20 years. Attacks grow more effective each year—to the tune of costing businesses USD $5.9 billion annually worldwide in 2013—a figure that is expected to grow again this year.

With that in mind, it makes sense that phishing is more troublesome than ever for IT professionals. A July 2014 HP TippingPoint survey of 205 corporate IT security workers revealed that nearly 70 percent are targeted by phishing attacks as often as once a week. The survey also indicated that 75 percent receive untargeted spam in their organization at least once a week if not more, and around 70 percent reported that the attacks stemmed from a malware-infected host.

These attacks are not the “Nigerian prince” wire transfer scams found in just about everyone’s spam filter. Phishing attempts can be pretty convincing. Recently, millions of JPMorgan Chase customers received a phony e-mail masquerading as correspondence from the financial institution in hopes of stealing user credentials. This particular attempt used a screen shot of an authentic e-mail used by the bank, and it was sent from its domain. It urged recipients to click a link to view a secure message, and once clicked, it asked users for logon information while simultaneously trying to install the Dyre banking Trojan.

Anyone who thinks they are smart enough to sniff out every phishing attempt should try this Phishing IQ test by DELL SonicWall. It will reveal that spotting fakes is not that simple.

Why Technical Solutions Are an Incomplete Fix

The main reason why phishing continues to be an effective method of attack is that the technical solutions deployed to combat phishing do not address the source of the problem: the user. Users are the ones clicking the link, downloading the malware, and forking over their account number or other sensitive information. Phishing attacks get around the best firewalls and filters, but should be no match for a vigilant, properly trained user.

Security features built into Web browsers can flag insecure sites fairly effectively. However, as is often the case with such warnings, too many are triggered by browser misconfiguration rather than a legitimate security threat. This creates disdain among users and desensitizes them to the warnings, so that they blindly click through security safety nets without much thought: a dangerous habit to develop.

Likewise, spam filtering software can keep most unwanted e-mails out of a user’s inbox. However, in the event that some clever phishing e-mail does get through (which research tells us happens on a fairly regular basis), then what? The user, trusting that their IT department puts significant resources behind blocking malicious e-mails, might have his or her guard down as a result.

Here’s a famous example: Visiting West Point Military Academy teacher and National Security Agency expert Dr. Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson’s message used a phony West Point e-mail domain, belonging to a fictional faculty member named Colonel Robert Melville. Over 80 percent of recipients clicked the link in the message. In response, they received a notification that they’d been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and other malware.

Remember: Phishing Attacks Prey on Misguided Trust

Dr. Ferguson coined it the “Colonel Effect”—where users are more likely to take the bait when they perceive the communication as coming from a reputable source—and it illustrates an important principle: the illusion of trust is the foot in the door for an effective phishing attack.

Social media phishing attacks have become increasingly common because the level of trust is already built in. On Facebook, for example, a friend’s hacked account posts phony material that appears in a newsfeed and, if clicked, redirects to a fake Web site that looks like the Facebook logon page. A user who attempts to log in on this page has his or her password compromised.

Reports of malware hosted on reputable sites have also made headlines recently. The proportion of malware-hosting Web sites on Amazon Web Services more than doubled since 2013. Phishing attacks are more successful when they attempt to drive traffic toward a trusted, widely-used domain like Amazon.

10 Training Tips for Conducting an Anti-Phishing Simulation

Any measure to curb phishing starts with user awareness training. Simulated phishing attacks are one of the more popular methods of training used by IT security professionals. When conducting simulated phishing in your organization, there are a few things to keep in mind.

  • Do not blindside users with simulated phishing, as it might create a negative attitude towards the program. Inform everyone that a phishing simulation training is launching, and let users know of its goals to make the work environment safer.
  • Do not take a fire drill approach, either. Some element of surprise is needed for the simulation to be effective.
  • Make sure that everyone is involved from the top down. Since everyone is subject to phishing attacks, everyone in the company should receive training.
  • Be careful about training users to click. Many programs redirect users who fall for phish links to an online training session or game. By making them click the link to receive the training, it places users in the wrong mindset; after all, they are being trained not to click.
  • Use a familiar e-mail format and a trusted domain name for the phish bait e-mail. The best resource for drafting a fake e-mail is often located in a user’s own inbox. Grab, copy, and alter just like a spammer would.
  • Set up a link you can track for the simulated malware link. Many free programs like Google Analytics have detailed click tracking features.
  • Stagger message delivery to mimic real world attacks, and lessen impact on operations staff conducting the simulation.
  • Set up a landing page for the simulated malware link. It can be as simple as a few words (“Oops, you’ve clicked on a phishing link!”) or a simple 404 error.
  • Gather actionable data so that you can identify weaknesses and train accordingly. Track the who, what, when, where, and how of every clicked simulated phishing link.
  • Train over time. Phishing simulation training should not be a one-and-done endeavor. By making it an ongoing project, it heightens awareness for the real thing, which underscores the project’s goals.
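The tracking and "gather actionable data" steps above come down to joining landing-page hits against the list of recipients. The script below is an added example, not code from the original post; it assumes each recipient's bait link carries a unique token (`/verify?t=...`) and that the landing page is served by a web server writing Apache combined-format logs. The roster, tokens, hosts and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed roster: unique tracking token in each recipient's link -> (user, department).
ROSTER = {"t7f3a1": ("alice", "finance"), "k92bq0": ("bob", "finance"),
          "p4d8zz": ("carol", "engineering"), "m1x0ve": ("dave", "engineering"),
          "q8r2jj": ("erin", "sales"), "z5n4hh": ("frank", "sales")}
SENT_AT = datetime(2015, 3, 12, 9, 0, tzinfo=timezone.utc)  # when the bait e-mail went out
# Constructed landing-page access log, Apache combined format (assumed layout, made-up hosts).
SAMPLE_LOG = """\
10.0.1.15 - - [12/Mar/2015:09:02:11 +0000] "GET /verify?t=t7f3a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.1.15 - - [12/Mar/2015:09:02:40 +0000] "GET /verify?t=t7f3a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.2.30 - - [12/Mar/2015:09:05:03 +0000] "GET /verify?t=q8r2jj HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"
10.0.3.77 - - [12/Mar/2015:09:07:45 +0000] "GET /verify?t=deadbe HTTP/1.1" 200 512 "-" "curl/7.38"
10.0.1.22 - - [12/Mar/2015:10:15:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.1.22 - - [12/Mar/2015:10:15:09 +0000] "GET /verify?t=k92bq0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /verify\?t=(?P<token>\w+) '
                     r'[^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_clicks(log_text):
    """Yield (token, ip, timestamp, user_agent) for every hit on the tracked link."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # favicon requests and other noise are not clicks
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("token"), m.group("ip"), ts, m.group("ua")

def build_report(log_text, roster, sent_at):
    """Who clicked, when (relative to send), from where/how, and click rate per department."""
    hits, unknown = defaultdict(list), []   # unknown: tokens never issued (scanners, forwards)
    for token, ip, ts, ua in parse_clicks(log_text):
        if token in roster:
            hits[token].append((ts, ip, ua))
        else:
            unknown.append((token, ip, ua))
    total, clicked, who = defaultdict(int), defaultdict(int), {}
    for token, (user, dept) in roster.items():
        total[dept] += 1
        if token in hits:
            clicked[dept] += 1
            first = min(ts for ts, _, _ in hits[token])
            who[user] = {"department": dept, "hits": len(hits[token]),
                         "seconds_after_send": int((first - sent_at).total_seconds()),
                         "sources": sorted({(ip, ua) for _, ip, ua in hits[token]})}
    rates = {d: clicked[d] / total[d] for d in total}
    return {"clicked": who, "click_rate_by_department": rates, "unknown_tokens": unknown}
```

Tokens that were never issued (the `curl` hit above) are reported separately rather than counted as user clicks, since they usually come from mail-security scanners or forwarded links and would otherwise inflate the numbers.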

Additional resource: Firewalls / Security Appliances

Anti-phishing training should be at the heart of an organization’s effort to secure its data network, and it is just as important as an enterprise-grade firewall appliance. Nothing is as effective as a well-trained, vigilant user for snuffing out suspicious network activity, and such a user will prove time and again to be the number one malware tool money can buy.

Image by elhombrenegro, taken from Flickr Creative Commons.
Adam Lovinus

A tech writer and Raspberry Pi enthusiast from Orange County, California.

6 comments

Most HIPAA Violations Stem from Network Server Breaches - HardBoiled July 21, 2015 - 9:26 am

[…] It is advisable that staff is aware of what legitimate security threats look like. Training staff to be aware of security threats is tantamount to having the proper infrastructure in place. Learn more about ways to conduct anti-phishing training. […]

Windows 10 Security: Beyond Windows Defender - HardBoiled October 7, 2015 - 11:21 am

[…] more about how to conduct anti-phishing training in the […]

8 in 10 SMBs Don’t Have an Incident Response Plan—Do You? - HardBoiled November 20, 2015 - 8:58 am

[…] taking a layered approach with security software. Staff using the company network should receive anti-phishing training so they can detect and thwart attempts to gain unauthorized access to company data. Vigilant users […]

2016 Guide to Data Protection for a Growing SMB - HardBoiled February 25, 2016 - 3:40 pm

[…] Technical tools and solutions can filter out most phishing e-mails, block malicious websites, and prevent users from unwittingly clicking on bad links that invite cyberthreats into your business network.  More effective than any of these solutions, however, are users that can spot malicious attempts to compromise data security.  Learn more about training users for data protection: 10 Steps for Effective Anti-Phishing Training. […]

How to Set Up Free Anti-Phishing User Training - HardBoiled May 11, 2016 - 11:39 am

[…] 10 Steps for Effective Anti-Phishing Training […]

Anti-Phishing Training vs. Software: Does Security Awareness Training Work? August 10, 2018 - 11:31 am

[…] https://www.neweggbusiness.com/smartbuyer/netsec/vigilant-users-best-malware-tools-10-steps-effectiv… […]
