One of the most common and successful forms of cyberattack is phishing, emails designed to trick users into providing valuable information, especially personal data information of clients. Phishing is such a potent threat because it occurs frequently and it’s effective, and can be costly for retailers. In fact, phishing scams cost companies half a billion dollars a year.1 Additionally, based on RSM’s work, we have found that retail has the third-highest click rate on phishing emails. As consumers value trust more than ever, it’s essential that companies take the proper steps to prevent an attack and protect their brand’s reputation.
Unlike other attacks, phishing does not rely on technical vulnerabilities or security misconfigurations to be effective. Instead, phishing preys on ordinary human weaknesses to gain access to sensitive systems or valuable information. For example, an employee sifting through email at the end of a long day may mistake a fabricated IT request or phony retail offer as legitimate and inadvertently compromise an entire company with one click. Many companies have taken advantage of secure configuration capabilities within email servers to help prevent spoofing emails sent from their domain name (e.g., @companyname.com) to customers. They also use spam filtering tools. However, the real opportunity to deter risk may begin with a retailer’s own employees.
The central element of a strong phishing awareness training program is employee education. Employee users should know both how to detect a phishing scheme and how it should properly be reported. Signs of potential phishing include:
- Unfamiliar or misspelled sender address. Attackers often use false sender addresses, particularly if controls (such as a properly configured Sender Policy Framework (SPF) record are in place to prevent spoofing from internal addresses. Train your employees to be on the lookout for internal emails coming from an address with a different ending than the actual domain. When in doubt, users should report suspicious domain names to their supervisor for further review.
- Unexpected or questionable requests. Emails asking users to perform an action for which they’ve had no prior notice, such as upgrading to a new system, should raise alarm bells. Though hackers are tailoring phishes to specific lines of business and using scenarios that people in that organization may have encountered before, it’s smart for employees to verify with a supervisor before clicking.
- Masked links. Attackers may mask malicious content in a seemingly innocent link. Hovering over the link reveals where it will actually send users. Employees should ask themselves: Does the link direct to a totally unfamiliar site? Does it take users to an unsecured site (HTTP) when it should be direct to a secured site (HTTPS)? Link scanners can also verify a link’s security without having to navigate to the site.
- Suspicious attachments. Phishing emails are often designed to trick users into downloading a malicious document and enabling macros. Attackers embed macro-based malware in documents and design a convincing pretext to get users to launch the file. Your organization may consider blocking attachments containing macros or train employees to double check the source of the file.
In the rush to reduce risk, it can be easy to focus entirely on phishing detection and forget that second step: reporting. Many organizations hope that regular awareness training will reduce user click rates for phishing emails to zero. However, eliminating failures entirely is not a realistic goal. By improving response time with a strong reporting procedure, your organization can reduce or eliminate the damage of a successful phish. Train users to take the following actions when spotting a phish:
- Immediately inform a manager or supervisor.
- Record the incident via a help desk ticket or email to security or IT personnel (depending on your organization). This will create a paper trail which can be important to the incident response or disaster recovery plan. It also sets the wheels in motion for a full security response.
- Do not forward the email to anyone, even when reporting the incident. This only acts to spread the risk, increasing the chances that another user may inadvertently click on a malicious link or attachment.
- If necessary, take a screenshot of the email to capture the relevant information.
At this point, your organization’s security or IT team can respond to the incident by:
- Alerting users of the phish
- Recalling the email from user inboxes to prevent further damage
- Blocking the IP address of the attacker
- Examining potentially compromised devices or systems and monitoring the network for unusual traffic
- Investigating what further access the attacker may have gained
- Changing passwords as necessary
These processes should be outlined in an incident response policy. The clearer the reporting and incident response policy, the faster your organization will be able to block attacks.
Another key element in an effective phishing awareness program is internal testing. Organizations should run regular phishing assessments, sending their own employees phishing emails to both assess and improve overall security awareness. Phishing assessments can help:
- Test the effectiveness of education efforts, allowing your organization to continually improve training methods
- Reinforce education by exposing users to realistic phishing emails, improving their ability to detect attacks
- Provide granular information about which departments or groups may need further training
- Track the effectiveness of the organization’s phishing awareness training program over time, showing benchmarks and improvements
To ensure the ongoing effectiveness of training and testing efforts and reduce the remaining risk, organizations should reinforce the training by offering incentives for secure behavior. The more employees feels they have a stake in the company’s security, the more likely they are to detect and report phishing emails. For example:
- Positive reinforcement can be an effective way to ensure employee buy-in to phishing awareness and security efforts. Companies can offer rewards to employees who properly detect and report phishing emails. In our work with retailers, we have found this to be the most effective tool in improving awareness.
- Setting clear expectations and consequences can be a good way to signal that everyone in the company is responsible. A simple measure such as locking users out of their computers if they fall for phish during testing can be an effect way to wake them up to the consequences of a security breach.
Phishing awareness training is essential to protect companies against one of the most common and effective forms of cyberattack. Developing a program built on continuous education, regular testing and well-calibrated incentives can reduce the risk of a breach and strengthen the organization’s overall security.