Phishing your employees before someone else does

The recent ransomware attack on the NHS has again focused attention on cyber-crime and phishing attacks. Matt Rhodes of Quiss IT support services provides timely advice for all those involved in handling patient data.

The mishandling of patient information can have severe consequences, especially following a security breach or a leak of data. Any investigation is likely to ask whether every reasonable step had been taken to keep security robust and resilient. Unfortunately, criminals are becoming more sophisticated in their attempts to break into secure systems, and the weakest link in an organisation's IT system is often the people who use it.

Clues to a fraudulent email

Regardless of who an email appears to be from, assess it before acting on it. The following clues are useful:

The sender – Look very carefully at the actual email address, not just the display name, which the sender can set to anything. Ask yourself: do I know this person? Is this their usual email address, or just one that resembles it (a letter swapped, an extra word, a slightly different domain)?

Subject – Always give your own emails meaningful subject lines and expect the same from others. Ask yourself whether the subject looks unusual or unexpected. Be wary of spelling mistakes, excessive punctuation and irrelevant, sensational or poorly written subject lines, and check every time.

Content – Fraudulent emails typically ask you to do something: visit a website, send some seemingly innocuous information, or simply reply. Be particularly wary of emails that claim to come from your IT team or managed service provider, and confirm any such request through a channel you already trust, such as the service desk number you normally use, rather than by replying.

Criminals often use emotional language and scare tactics, delivered with a sense of urgency, so that the recipient responds before thinking. Be on your guard if there is no personal greeting: most legitimate organisations know your name and will often include partial account numbers and similar details to reassure you. The reverse does not hold, however. A targeted (spear-phishing) email may well use your name, job title and colleagues' names, so a personal greeting is not proof that an email is genuine.

Links – The visible text of a link can show one address while the link itself points to another, so links are easily disguised and can take you to a malicious website that resembles the genuine one. Hover over a link to see its real destination before clicking, and if in doubt type the address you already know into your browser instead of following the link.

Attachments – Ask yourself whether you recognise the format of the attachment. Does the email mention the attachment and what to do with it? Was I expecting an attachment? Attachments can carry malware, including macro-enabled Office documents, scripts and archives, so open them only when necessary and with caution.

It is difficult to list the methods cyber-criminals currently favour because they change regularly, and thinking you know what to expect can lead to complacency and catastrophe.
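The clues above can be turned into a first-pass check. The script below is an added example written for this page, not code from the article or from Quiss: it parses a raw message with Python's standard email module and reports the sender, subject, content, link and attachment clues it finds. The known-domain list, the urgency phrases, the risky attachment types and the sample message are all made up for illustration, and, as the previous paragraph warns, such lists only stay useful if they are maintained.

```python
# Added example, not the article's code: triage one raw e-mail against the clues above.
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example-trust.nhs.uk", "quiss.co.uk"}  # assumption: our own domains and partners
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".htm", ".html", ".docm", ".xlsm", ".zip"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your", "final notice")
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple markup only


def _squash(domain):
    """Drop dots and hyphens so 'nhs-uk.com' and 'nhs.uk' compare alike."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def _edit_distance(a, b):
    """Levenshtein distance; domains are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, known=KNOWN_DOMAINS):
    """True if `domain` is not ours (nor a subdomain of ours) but is built to resemble one."""
    domain = domain.lower()
    if domain in known or any(domain.endswith("." + k) for k in known):
        return False
    # A known name with its dots rearranged (nhs-uk.com), or within two character edits (examp1e).
    return any(_squash(k) in _squash(domain) or _edit_distance(_squash(domain), _squash(k)) <= 2
               for k in known)


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def triage(raw_message, known=KNOWN_DOMAINS):
    """Return a list of (clue, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # The sender: the display name is free text; only the address inside <...> counts.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if is_lookalike(from_domain, known):
        findings.append(("sender", f"lookalike domain in From: {from_domain}"))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        findings.append(("sender", f"Reply-To goes elsewhere: {reply_to}"))
    # Subject: runs of punctuation.
    subject = str(msg.get("Subject", ""))
    if re.search(r"[!?]{2,}", subject):
        findings.append(("subject", "excessive punctuation"))
    # Content: urgency language and a generic greeting, taken from the body parts only.
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() in ("text/html", "text/plain") and not p.is_attachment())
    lower = (subject + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        findings.append(("content", "urgency language: " + ", ".join(hits)))
    if re.search(r"\bdear\s+(user|customer|sir|madam|valued)", lower):
        findings.append(("content", "generic greeting, no personal name"))
    # Links: visible text that names one host while the href points at another.
    for href, inner in LINK_RE.findall(body):
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        if "." in visible and " " not in visible and _host(visible) != _host(href):
            findings.append(("links", f"shows {_host(visible)} but goes to {_host(href)}"))
    # Attachments: executable or macro-capable file types.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("attachments", f"risky attachment type: {name}"))
    return findings


# Constructed sample, not a real message: trusted-looking display name, lookalike From
# domain, foreign Reply-To, link text disagreeing with its href, macro-enabled attachment.
SAMPLE_EML = """\
From: "IT Service Desk" <helpdesk@example-trust.nhs-uk.com>
Reply-To: recovery@mail-reset.example
To: j.smith@example-trust.nhs.uk
Subject: URGENT!!! Account suspended - verify your password now
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p><p>Your mailbox will be suspended within 24 hours. Go to
<a href="http://login.mail-reset.example/?u=1">https://webmail.example-trust.nhs.uk</a>
to keep access.</p></body></html>
--B1
Content-Type: application/octet-stream; name="policy_update.docm"
Content-Disposition: attachment; filename="policy_update.docm"

UEsDBBQAAAAIAA==
--B1--
"""
```

Calling triage(SAMPLE_EML) returns seven findings, two of them against the sender alone. Two design points are worth noting. The display name in From is ignored entirely, because it is free text that anyone can set. The link check compares the host named in the visible text with the host in the href, which is exactly what hovering over a link does by hand; a link whose text is a plain word ("click here") is not flagged by this rule, so it is a complement to, not a replacement for, looking at where the link goes.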

Phish your staff

There are now specialist service providers that will conduct simulated phishing attacks on your employees to help address the growing threat of cyber-attack.

Working closely with the organisation, the service provider will create credible emails that appear to come from contacts known to employees. The recipients will be unaware they are being tested at first, although hopefully word will spread and strengthen the defences.

The software records how each employee responds to the ‘fake’ phishing email: whether they opened it, clicked on links, downloaded attachments, entered credentials on the landing page, and so on.

Comprehensive reports identify areas for improvement and reveal which individuals are repeatedly caught out. This helps an organisation concentrate its training budget on those who need support most.
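It is worth seeing how such a platform knows who did what. The script below is an added example for this page, not code from the article or from any vendor's product: it gives every recipient a token derived with HMAC-SHA256 from a campaign secret, embeds that token in the tracking pixel, the login link and the attachment link of their lure email, and then reads the lure site's access log to attribute opens, clicks, downloads and credential submissions to named employees and to list those caught in more than one campaign. The campaign secret, the lure domain, the recipients and the log lines are all constructed for the example.

```python
# Added example, not the article's or any vendor's code: how a phishing-simulation platform
# can attribute opens, clicks, downloads and credential submissions to individual employees.
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumptions: a per-campaign secret held only by the assessors, and a lure site we control.
CAMPAIGN_SECRET = b"replace-with-a-random-32-byte-secret"
LURE_BASE = "https://mail-reset.example"
# Combined log format as written by common web servers; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def token_for(email, campaign_id, secret=CAMPAIGN_SECRET):
    """Unguessable per-recipient token: an employee cannot forge a colleague's click, the token
    does not reveal the address, and an unknown token in the logs is noise, not a result."""
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def build_lures(recipients, campaign_id):
    """Return {token: email} plus the personalised links to embed in each lure e-mail."""
    tokens = {token_for(r, campaign_id): r for r in recipients}
    links = {r: {"pixel": f"{LURE_BASE}/o.gif?t={t}",
                 "login": f"{LURE_BASE}/login?t={t}",
                 "file": f"{LURE_BASE}/files/policy.docm?t={t}"} for t, r in tokens.items()}
    return tokens, links


def attribute(log_lines, tokens):
    """Map each recipient to the set of actions seen for their token; count hits with no valid token."""
    actions = defaultdict(set)
    unattributed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        token = parse_qs(url.query).get("t", [None])[0]
        email = tokens.get(token)
        if email is None:
            unattributed += 1          # scanners, typos, forwarded mail: not an employee result
            continue
        if url.path == "/o.gif":
            actions[email].add("opened")
        elif url.path == "/login" and m["method"] == "GET":
            actions[email].update({"opened", "clicked"})      # clicking implies the mail was read
        elif url.path == "/login" and m["method"] == "POST":
            actions[email].update({"opened", "clicked", "submitted"})
        elif url.path.startswith("/files/"):
            actions[email].update({"opened", "downloaded"})
    return dict(actions), unattributed


def summary(recipients, actions):
    """Campaign-level counts for the report."""
    counts = {"sent": len(recipients)}
    for step in ("opened", "clicked", "downloaded", "submitted"):
        counts[step] = sum(1 for r in recipients if step in actions.get(r, set()))
    return counts


def repeat_offenders(campaign_actions, min_campaigns=2):
    """Employees who clicked or submitted in at least `min_campaigns` campaigns."""
    caught = defaultdict(int)
    for actions in campaign_actions:
        for email, done in actions.items():
            if done & {"clicked", "submitted"}:
                caught[email] += 1
    return sorted(e for e, n in caught.items() if n >= min_campaigns)


RECIPIENTS = ["alice@example-trust.nhs.uk", "bob@example-trust.nhs.uk", "carol@example-trust.nhs.uk"]


def sample_log(tokens):
    """Constructed access-log lines for the recipients above (not real traffic)."""
    t = {email: tok for tok, email in tokens.items()}
    a, b = t[RECIPIENTS[0]], t[RECIPIENTS[1]]
    return [
        f'10.0.0.5 - - [12/May/2017:09:01:10 +0100] "GET /o.gif?t={a} HTTP/1.1" 200 43',
        f'10.0.0.5 - - [12/May/2017:09:01:42 +0100] "GET /login?t={a} HTTP/1.1" 200 1312',
        f'10.0.0.5 - - [12/May/2017:09:02:15 +0100] "POST /login?t={a} HTTP/1.1" 302 0',
        f'10.0.0.9 - - [12/May/2017:09:15:03 +0100] "GET /o.gif?t={b} HTTP/1.1" 200 43',
        '203.0.113.7 - - [12/May/2017:10:30:00 +0100] "GET /login?t=deadbeefdeadbeefdead HTTP/1.1" 200 1312',
        '203.0.113.8 - - [12/May/2017:11:00:00 +0100] "GET /wp-login.php HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    tokens, _links = build_lures(RECIPIENTS, "2017-05-sim1")
    actions, unattributed = attribute(sample_log(tokens), tokens)
    print(summary(RECIPIENTS, actions), "unattributed hits:", unattributed)
    for email in RECIPIENTS:
        print(email, sorted(actions.get(email, [])))
```

One caveat a practitioner will recognise: mail-security gateways and some mail clients fetch links before the user sees the message, and they do so with the employee's own valid token, so a bare GET on the login page can be a false "click". Filtering by the gateway's source addresses, or treating only the POST (credentials actually submitted) as the hard result, keeps the report honest. Keeping the unattributed count separate, as above, stops scanners and guessed tokens from being counted against anyone.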

Cutting the number of employees likely to be caught by a well-disguised phishing email requires a change in security culture based on more education and regular testing.

About the Author: Matt’s primary role is to expand the hosted solutions division of Quiss Technology and to liaise with software vendors to help them develop their Software as a Service (SaaS) offering. He is a regular commentator on industry topics, covering subjects as diverse as cyber security, hybrid cloud solutions, new technology and the Code of Connection (CoCo).

