I'm pleased to say someone very close to me was recently nabbed by a phish. The phish came into her email looking important and innocuous, so she opened it (and the attachment) and was immediately presented with a message that read, "Your corporate IT security team is conducting phishing training. You just opened what could have been a malicious email with malware, etc...." Lesson learned, and no damage done (except to her ego). On the positive side, perhaps a greater tragedy was prevented from happening down the road. Given that so many of today's IT security nightmares start with a phish, here are three ideas you can use to help create phishing awareness and (hopefully) prevent people from getting hooked by a phish.
1. PhishMe Reporter
"Reporter, a patented technology in the PhishMe solution, improves an organization’s threat detection capabilities by organizing and normalizing user reports of phishing attempts; as a result, transforming users into a proactive network of human security sensors." I really like the button added to the MS Outlook toolbar because it is "in your face," helping to sensitize people to the possibility of being phished.
2. Add a Report Phishing Button in Outlook
For the DIY set, these instructions will work with Windows 7, as well as Office 2010 and 2013. From the Nerdosaur website: "If you are good at scripting or have some workstation management tools, this should be no problem to implement across the enterprise. [Included] are the steps you can use to reproduce a ‘report phish’ button in Outlook that automatically sends your security or IT department a full copy of the phishing emails."
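As an added illustration of the DIY approach (this is example code written for this post, not the Nerdosaur instructions or PhishMe's product), the Outlook VBA macro below does the core job of a "report phish" button: it sends every selected message to the security mailbox as an attached .msg item rather than an inline forward, so the original headers the responders need (Received, Authentication-Results, Return-Path) survive intact, then moves the reported messages out of the Inbox. The mailbox address is a placeholder; the macro is assumed to live in a standard module and be wired to a ribbon or Quick Access Toolbar button via File > Options > Customize Ribbon > Macros.

```vba
' Added example, not from the original post or the Nerdosaur site.
' Assumptions: REPORT_MAILBOX is a placeholder for your security team's address;
' the macro is bound to a ribbon/QAT button in Outlook 2010/2013.
Option Explicit

Private Const REPORT_MAILBOX As String = "phish-reports@example.com" ' placeholder

Public Sub ReportPhish()
    Dim sel As Outlook.Selection
    Dim report As Outlook.MailItem
    Dim i As Long
    Dim attached As Long

    Set sel = Application.ActiveExplorer.Selection
    If sel.Count = 0 Then
        MsgBox "Select the suspicious message first.", vbExclamation, "Report Phish"
        Exit Sub
    End If

    ' Build a fresh message to the security mailbox. The reporter's identity is
    ' taken from the current Outlook session so the SOC knows who was targeted.
    Set report = Application.CreateItem(olMailItem)
    report.To = REPORT_MAILBOX
    report.Subject = "[PHISH REPORT] " & sel.Count & " message(s) from " & _
                     Application.Session.CurrentUser.Name
    report.Body = "Reported via the Report Phish button. Originals attached as .msg items." & vbCrLf & _
                  "Reporter mailbox: " & Application.Session.CurrentUser.Address

    ' Attach each selected mail item as an embedded Outlook item (olEmbeddeditem).
    ' Unlike an inline forward, this preserves the full original headers.
    For i = 1 To sel.Count
        If TypeOf sel.Item(i) Is Outlook.MailItem Then
            report.Attachments.Add sel.Item(i), olEmbeddeditem
            attached = attached + 1
        End If
    Next i

    If attached = 0 Then
        MsgBox "Nothing selected was an email message.", vbExclamation, "Report Phish"
        Exit Sub
    End If

    report.Send

    ' Remove the reported messages from the Inbox (they go to Deleted Items)
    ' so the user is not tempted to reopen them. Iterate backwards because
    ' deleting shifts the selection indices.
    For i = sel.Count To 1 Step -1
        If TypeOf sel.Item(i) Is Outlook.MailItem Then sel.Item(i).Delete
    Next i

    MsgBox attached & " message(s) sent to " & REPORT_MAILBOX, vbInformation, "Report Phish"
End Sub
```

For an enterprise rollout, sign the macro with a code-signing certificate your workstations trust and set Outlook's macro security to "Notifications for digitally signed macros, all other macros disabled" via Group Policy; an unsigned macro pushed out alongside a "security" button teaches users exactly the wrong lesson about enabling macros.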
3. Phishing Assessment and Training
A list of "11 commandments" of running a successful internal phishing exercise. Eyal Benishti, CEO of IronScales, writes, "Assessment and training are significantly increasing employee awareness, reducing click rates, and increasing reports of phishing. However, if you don’t do it right, phishing assessment and training can go very wrong due to employee reactions." Andy Grove's "only the paranoid survive" rings true in so many ways. Employees need training to spot an incoming phish. They also need a way to easily report a potential phish. Finally, they must be constantly reminded about phishes, which is why the "in your face" button in the MS Outlook toolbar is so helpful. The State of Security published a great article on common phishing attacks here. It describes six common attacks and how to protect against them. Be careful and watch out for stinky phish!