Although most of us have been told plenty of times to watch out for business email compromise (BEC), employees are still tempted to click on the bait before they really think through the consequences. Even worse, as soon as they realize they should have investigated before reacting, they become fearful of the repercussions. How do you ensure that your employees feel safe to report their risky behavior so that your company can take immediate action to remediate the situation? Furthermore, if your employees answer to an authoritative leader, consider how easy it would be for a malicious actor to pose as the boss issuing demands to his/her junior staff members.
They Got Me
Once an employee falls for a phishing email that appears to come from someone they know, it's too late. Attackers take time to include company logos, to use similar fonts and to write in the tone of the person being impersonated. Other tactics include changing the domain ever so slightly so that the recipient doesn't notice; for example, the fraudster swaps a lowercase letter L for the number 1. Many email programs show only the name of the sender rather than the email address, so when your employee sees their boss's name, they do not investigate further.
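The two spoofing tricks described above (a look-alike domain built from swapped characters, and a familiar display name in front of an outside address) can be checked mechanically. The following is an added example, not code from the original post or from TechGuard; the domain, the executive names and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the post):
# the organisation's real domain and the display names of senior staff.
LEGIT_DOMAIN = "globalcorp.example"
EXECUTIVE_NAMES = {"pat boss", "jane chief"}

# Single-character look-alikes attackers substitute (the post's "l" vs "1" case
# and similar pairs). Folding both domains through this map makes them compare equal.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

def skeleton(domain: str) -> str:
    """Fold a domain to a canonical form so look-alike spellings collide."""
    d = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):   # multi-character look-alikes
        d = d.replace(pair, single)
    return d.translate(HOMOGLYPHS)

def sender_domain(addr: str) -> str:
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify_sender(from_header: str) -> tuple:
    """Classify a From: header as ok / lookalike-domain / display-name-spoof / external."""
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "ok", domain
    if skeleton(domain) == skeleton(LEGIT_DOMAIN):
        # The domain only looks like ours, e.g. a digit one replacing a lowercase L.
        return "lookalike-domain", domain
    if display.strip().lower() in EXECUTIVE_NAMES:
        # A client that shows only the display name hides that this is an outside address.
        return "display-name-spoof", domain
    return "external", domain

if __name__ == "__main__":
    # Constructed sample From: headers.
    samples = [
        "Pat Boss <pat.boss@globalcorp.example>",
        "Pat Boss <pat.boss@g1oba1corp.example>",
        "Pat Boss <pat.boss.urgent@webmail.example>",
        "Vendor News <news@vendor.example>",
    ]
    for header in samples:
        verdict, domain = classify_sender(header)
        print(f"{verdict:20} {domain:28} {header}")
```

A mail gateway or a SOC triage script would run this over the From: header and tag or quarantine anything that is not "ok" or "external", then route the flagged message to the security team for the verification call the post recommends.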
If the employee clicked on the link, they were either redirected to a fake website asking for sensitive information such as a login, or they just downloaded a virus to their device. The virus could even send itself to all of the user's contacts under the false pretense that the email is coming from the user. Most malicious software that infects a company through a phishing attack is unique to the victim. In other words, the attackers often rewrite the code each time it is used so that the virus appears unique and has a better chance of bypassing anti-virus protections.
Employees are Scared to Report
Once an employee realizes that he/she made a mistake, they are often scared to come forward and tell their superior. This comes as no surprise, because there have been numerous stories of employees losing their job over these types of oversights. The sooner the security team knows of an incident or a potential breach, the better the chance that it can be contained or resolved effectively. Imagine the CEO is on vacation and the finance director receives a request to pay a client $25,000 to secure a contract. The order states to take care of the request immediately so that he does not have to worry about work-related matters while on holiday. Anyone with proper security awareness training knows to verify first, but an employee who feels highly cautious about questioning authority may not confirm the request with a phone call. Employees recognize that a mistake of this magnitude could easily result in the termination of employment.
Maybe the incident doesn't involve the transfer of funds; maybe an employee simply fell for a phishing email and clicked the link. Without even filling out a form, the employee could now be exposed to malware, ransomware, spyware or adware. If your employee understands the benefit of telling someone who can help immediately, he/she can minimize the damage. Inform your employees of how coming forward quickly benefits everyone. Ensure that they feel safe to report an incident to your Facility Security Officer (FSO).
What Should You Do Next?
- Disconnect from the Internet and power down your machine.
- Back up your files offline, such as to a USB drive.
- Run a full scan using antivirus/anti-malware software.
- Change your email password.
Before you end up in a situation that needs remediation, teach your employees how to verify an email and not to fall for urgent or catchy subject lines. If your employees receive an email that appears to be phishing, report it to the Federal Trade Commission at ftc.gov/complaint. Use phishing simulators that send test phishing emails to your employees to measure whether they would recognize a phishing email, and to give your team the analytics to gauge how much security awareness training is needed. Educate your employees to understand that even if the only action taken was clicking on one link that seemed harmless, the consequences could still be dire. Last, ask yourself: does your work culture provide a safe space for employees to admit to mistakes without fear of getting fired?
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.