One of the best methods to teach users about phishing security is to run your own internal phishing campaign and see how each user handles the email. IT must start by passing this idea on to management and HR to ensure they have the proper support for the campaign. Management must ensure that the organization is ready to handle an influx of phishing reports.
CEOs, CFOs, and other top executives are some of the most popular phishing targets. As high-ranking decision-makers, their access to sensitive information, as well as their authority to sign off on things such as wire transfers, makes them extremely attractive “trophies.” So, what does a phishing attack look like for an executive? Typically, it takes the form of a request for sensitive information from a trusted source. By spoofing an email so that it carries a credible sender, attackers can make requests to other executives that are far less likely to be denied. The FBI reports that there have been more than $2 billion in losses to scams such as this in the last three years alone.
Masters of multitasking, administrative assistants are the unsung heroes of the corporate world. Between handling all the behind-the-scenes scheduling and screening phone calls, they often have access to company and individual executive accounts. Their frontline role and privileged relationships lead attackers to view them as accessible targets who can give up the keys to the kingdom. Attacks on assistants often come in the form of a request from another executive, commonly asking them to review an attachment or send along financial information. Eavesdropping software, once installed on an assistant’s system, can see all the privileged communications that the assistant is called upon to handle.
Always on the hunt for the next big deal, business development managers, account executives, and inside salespeople constantly interact with prospective and existing clients in person, over the phone, and via email. As a result, they’re eager for emails from potential customers and want to be as responsive as possible. Phishers can typically find their name, phone number, and email address online and can be reasonably confident that any message they send will be opened. Stealing credentials from these users would provide access to customer lists, pricing sheets, and confidential deal information. A stolen sales account also opens a new phishing vector against members of the finance, management, and account teams, who would trust messages coming from the salesperson’s account.
Their roles can vary, but human resources professionals are generally some of the most highly connected people in an organization. Since they communicate regularly with current and potential employees, phishers posing as potential employees will send malicious payloads disguised as resumes, or will impersonate a high-level executive asking for personnel information. During the 2016 tax season alone, over 50 organizations were tricked into leaking employees’ W-2 forms by phishing emails impersonating requests from CEOs.
Install a firewall and anti-virus software on your computer.
Be suspicious of emails from financial institutions or other organizations that ask you to provide personal information online.
Look closely for clues to fraudulent emails like a lack of personal greetings and spelling or grammatical mistakes.
Verify a phone number before calling it – if someone left you a message or sent an email claiming to be from your financial institution, make sure you check that the number is the one printed on the credit card or your bank statement.
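The clues listed above (a spoofed or mismatched sender, a generic greeting, and a request for sensitive data such as wire details or W-2 forms) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original page; the sample message, the indicator names, and the term lists are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the page) imitating the executive-impersonation
# pattern: spoofed display name, Reply-To on a different domain, no personal
# greeting, and an urgent request for wire details and W-2 forms.
SAMPLE_RAW = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe@example-mail.net
To: assistant@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Hi,

I need you to process a wire transfer today. Send the account details
and the W-2 forms for the sales team to this address as soon as possible.
Thanks
"""

# Hypothetical indicator lists; a real deployment would tune these.
GENERIC_GREETINGS = ("hi,", "hello,", "dear customer", "dear user", "dear sir")
SENSITIVE_TERMS = ("wire transfer", "w-2", "password", "account details", "gift card")


def domain_of(header_value):
    """Return the lowercase domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return the names of the indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    lines = body.strip().splitlines()
    first_line = lines[0].strip().lower() if lines else ""
    lowered = body.lower()
    found = []
    from_dom = domain_of(msg["From"])
    # Replies routed to a domain other than the claimed sender's.
    if domain_of(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_dom:
        found.append("reply-to-domain-mismatch")
    # Envelope sender (if the receiving MTA recorded it) disagrees with From.
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_dom:
        found.append("return-path-domain-mismatch")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("no-personal-greeting")
    if any(term in lowered for term in SENSITIVE_TERMS):
        found.append("sensitive-data-request")
    if "urgent" in (msg["Subject"] or "").lower() or "as soon as possible" in lowered:
        found.append("urgency-cue")
    return found
```

Running `phishing_indicators(SAMPLE_RAW)` on the constructed message flags the Reply-To mismatch, the generic greeting, the sensitive-data request, and the urgency cue; a legitimate note with a personal greeting and no such content returns an empty list.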