Refreshing Insights | McClone Blog

CyberSecurity: Do Your Workers Know How to Spot Threats?

Believe it or not, when it comes to managing your organization’s cybersecurity and risk, computers are the easy part. IT professionals can program computers to do exactly what they want them to do. People, on the other hand, are an unknown variable—they can be manipulated into taking actions that unknowingly create a security breach.

In many ways, your employees are your last line of defense against hackers, so employee training should be a key component in your cybersecurity plan. You can empower your employees to take their responsibility seriously by arming them with the knowledge to keep your data safe.

While the extent of training provided to employees will vary based on your organization’s needs, it should include common cyberattack scenarios and how to identify red flags.

Goals of Common Scenarios

All cyberattack scenarios have at least one thing in common—social engineering. Hackers will manipulate, influence, or deceive employees into taking actions that aren’t in their best interest, or in this case, the best interest of your organization.

One of the first things to teach employees is, unlike years ago, hackers are now very clever and precise when crafting their attacks. They will build trust and use relationships to get employees to share sensitive information or unwittingly give them access to information. The hacker’s goal is to trick employees into giving them system access, allowing them to prey on whatever data might be available. It’s not always sensitive data that’s the initial target. Any information gathered could lead to the payload.

Phishing scams

Phishing is the most common form of social engineering because you and your employees are most likely to click on links or open attachments as you quickly sort through email. A sly phishing scam can be difficult to distinguish from legitimate email messages, but the following areas most often contain red flags.

Subject Line Red Flags. The subject doesn’t pertain to your main responsibilities or regular duties. The subject line doesn’t match the topic of the email message, or it’s about an item you never requested or a receipt for something you never purchased.

To Line Red Flags. You don’t recognize the names of any other people who were sent the email, or you are not usually included on emails to this group.

From Line Red Flags. An email from an unknown address or unknown person is a red flag, but so is an email from a known sender (or organization) if the email is unexpected, out of character, or not relevant to your relationship.

Date Line Red Flags. The email was sent outside of normal business hours (e.g., 3 a.m.). The message was sent outside of a known sender’s normal business hours, or the message is typically sent at a different designated time.

Hyperlink Red Flags. The email contains hyperlinks asking you to take unusual actions (e.g., send money or take irrelevant surveys). When you hover your mouse over the hyperlink, the address is for a different website entirely, or the link includes misspellings.

Attachment Red Flags. The email includes an attachment that you aren’t expecting, or an attachment is not the customary way your organization shares specific data. The sender threatens you with negative consequences or alludes to compromising or embarrassing photos of you or someone you know, or the sender lures you with promises of winnings or awards.

Message Red Flags. The hacker impersonates the CEO or other executives and emails you with an urgent need and instructions to do something like upload a confidential payroll file, send bank account information or perform a wire transfer of company funds.

This type of attack, known as spear phishing, is a specialized form of phishing that is growing in popularity. It typically targets management-level employees who would likely have regular contact with the CEO or CFO.
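Several of the red flags above can be checked mechanically before a message ever reaches an inbox. The following added example (not code from the original post) parses one constructed sample message and reports the date-line, from-line, subject-line and hyperlink red flags described above; the company domain, business hours, addresses and link hosts are assumptions made up for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample message for the demo; names, addresses and hosts are made up.
SAMPLE = """\
From: "Pat Smith, CEO" <pat.smith@examp1e-corp.com>
To: payroll@example-corp.com
Date: Tue, 04 Feb 2020 03:12:00 -0600
Subject: URGENT: payroll file needed before 9am
Content-Type: text/html

<p>Please upload the file at
<a href="http://example-corp.com.secure-upload.test/login">https://example-corp.com/hr</a>
right away.</p>
"""

def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def red_flags(raw, our_domain="example-corp.com", hours=(8, 18)):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Date line: sent outside normal business hours (in the sender's own UTC offset).
    sent = parsedate_to_datetime(str(msg["Date"]))
    if not hours[0] <= sent.hour < hours[1]:
        flags.append(f"sent at {sent:%H:%M}, outside business hours")
    # From line: an executive title on a sender who is not on our own domain.
    name, addr = parseaddr(str(msg["From"]))
    if re.search(r"\b(CEO|CFO)\b", name) and not addr.lower().endswith("@" + our_domain):
        flags.append(f"executive title from outside domain ({addr})")
    # Subject line: urgency wording that pressures the reader to act now.
    if re.search(r"\b(urgent|immediately|asap)\b", str(msg["Subject"]), re.I):
        flags.append("urgency wording in subject")
    # Hyperlinks: the address you would see on hover differs from the text shown.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown = host_of(text.strip())
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but points to {host_of(href)}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The hyperlink check only catches links whose visible text is itself a URL; a link labelled with plain words still needs the hover check described above.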

Vishing and Smishing Scams

These scams often accompany a tactic called pretexting, where a hacker makes up a plausible scenario to gain your trust and get you to act over the phone (voice phishing or vishing) or via text (smishing). For both voice and text, the message implies a threat as well as a sense of urgency, plus it asks you to click a link and sign into email, social media or a bank account to verify information.

The hacker leads you to a fake website that looks like your real login where you enter your credentials and unwittingly give the hacker access to accounts and networks.

Red flags can be difficult for employees to spot in these scenarios. A common approach is to call employees and tell them that the company just rolled out updates and IT needs them to validate a few things by visiting a certain website.

In some cases, the hacker will make a voice recording of the scam and use a robo-caller to trick as many people as possible into visiting the site.

Text messages often say that your account has been compromised and you need to log in to verify information or change passwords.

The only way for employees to identify these hacks is if they know your real process for rolling out updates, or if IT has a special protocol they follow to confirm identities. Recognizing these red flags requires established processes and employee training.

Identifying New Threats

New threats to cybersecurity emerge every day, but the vast majority of successful hacks still occur when an employee falls for a phishing scam by clicking on a link or opening an attachment in an email. Teaching your employees how to identify red flags and avoid those clicks not only protects you today, but also gives you a better chance of identifying new threats in the future.

Take a Holistic Approach to CyberSecurity

The cyber world is complex and constantly evolving. Employee training is just one piece of the puzzle to mitigate your cybersecurity risks. At McClone, our strategic risk advisors help you look at the big picture to comprehensively protect your business from cyber threats. Contact us today to schedule your cyber risk assessment.