FBI Releases Guidance on Social Engineering: Email Phishing

By April 21, 2020Cyber Security

As we all (hopefully) know, Phishing is one of the most prevalent and likely risk to compromise for ALL organizations. The FBI just released the following information about a major threat;https://www.ic3.gov/media/2019/190610.aspx

This has some great information! We, at Cyber Self-Defense would like to help you further mitigate risks like this. We offer the following suggestions;

1.      It is no longer an option to conduct security awareness training. Your company should be talking to staff about cybersecurity and enabling your employees’ success through knowledge. Sorry to say, in our experience, online training alone does not work. People do not get excited about sitting at their computer and watching/interacting with a monotone computer. Employees want and need to be energized through real world experiences. They want to hear stories, they want to ask questions. We recommend at least an annual in-person training session. This can be supplemented with additional training but cannot replace the in-person training.

2.     Your training should include a section on how to identify phishing and social engineering (con-man/woman schemes).

3.     Use https://www.virustotal.com/gui/home/upload to test links and attachments.

4.     Consider (based on your risk assessment) web and email proxies.

5.     Test your employees; hire a company to conduct phishing and social engineering testing. Our experience shows that hacking systems (overall) is about 20% effective. Social engineering is 80% effective.

6.     Reward employees for quickly reporting issues; their early reporting can save your company.

7.     Have policies that require non electronic approval for ANY money movement. We see a ton of companies hit by wire transfer schemes that are “coordinated” through email.

8.     Encourage staff to send suspicious emails to IT for proper review.

9.     Establish a second look process where employees are encouraged to ask for a second person review of any suspicious telephone calls, emails, or visitors.

10. Validate anyone who wants access to your facilities and accompany them at all times.

As business people, we tend to treat people really well.  I pride myself on trying to treat everyone well. Unfortunately, we don’t often receive the education and knowledge to learn where and when to stop. We do not always understand that we can say “No” in a polite manner.

Leave a Reply