Although most of us have heard plenty of times to watch out for business email compromise (BEC), often employees still feel tempted to click on the bait before they really think through the consequences. Even worse, as soon as they realize they should have investigated before reacting, they become fearful of the repercussions. How do you ensure that your employees feel safe to report their risky behaviors so that your company can take immediate action to remediate the situation? Furthermore, if your employees already have an authoritative leader, consider how easy it would be for a malicious actor to pose as the boss giving demands to his/her junior staff members.
They Got Me
Once an employee falls for a phishing email that appears to come from someone they know, it's too late. Attackers take time to include company logos, to use similar fonts, and to speak in the tone of the impersonated. There are other tactics that include changing the domain ever so slightly so that the recipient doesn't notice. For example, the fraudster changes the lowercase letter L for the number 1. Many email programs only show the name of the sender rather than the email address and so when your employee sees their boss's name, they do not investigate further.
If the employee clicked on the link, they are either redirected to a fake website asking for sensitive information such as a login or they just downloaded a virus to your device. The virus could even send itself to all of the user's contacts under the false pretense that the email is coming from the user. Most malicious software that infects a company through a phishing attack is unique to the victim. In other words, the attackers often rewrite the code each time used so that the virus appears unique and has a better chance of bypassing anti-virus protocols.
Employees are Scared to Report
Once an employee realizes that he/she made a mistake, they are often scared to come forward and tell their superior. This comes as no surprise because there have been numerous stories of employees losing their job over these types of oversights. The sooner the security team knows of an incident or a potential breach, the better chance that it can be contained or resolved effectively. Imagine the CEO is on vacation and the finance director receives a request to pay a client $25,000 to secure a contract. The order states to take care of the request immediately so that he does not have to worry about work-related matters while on holiday. Anyone with proper security awareness training knows to verify first, but an employee who feels highly cautious about questioning authority may not confirm this request with a phone call to authenticate. Employees recognize that a mistake of this magnitude could easily result in the termination of employment.
Maybe the incident doesn't involve the transfer of funds but it's simply a scenario that involves an employee who fell for a phishing email and he/she clicked the link. Without even filling out a form the employee could now be susceptible to malware, ransomware, spyware, or adware. If your employee understands the benefit of telling someone who can help immediately, he/she can minimize the damage. Inform your employees of how coming forward quickly can benefit everyone. Ensure that they can feel safe to report an incident to your Facility Security Officer (FSO).
What Should You Do Next?
- Disconnect from the Internet and power down your machine.
- Back up your files offline such as using a USB.
- Run a full scan using antivirus/anti-malware software.
- Change your email password.
Before you end up in a situation that needs remediation, teach your employees about how to verify an email and not to fall for urgent or catchy headlines. If your employees receive an email that appears to be phishing, report it to the Federal Trade Commission at ftc.gov/complaint. Use phishing simulators that send out test phishing emails to your employees to measure if they would recognize a phishing email and provide your team the analytics to know the level of security awareness training in need. Educate your employees to understand that even if the only action taken was clicking on one link that seemed harmless, the consequences could still be dire. Last, ask yourself, does your work culture provide a safe space for employees to admit to mistakes without fear of getting fired?
Learn more about how TechGuard Security can help your organization avoid a Phishing-related incident.