We’ve all played Simon Says at some time in our childhood, or later on with our own children. The rules are quite simple. The leader of the game calls out a simple command that the others must perform. The only catch is that they are not to comply with the command unless it is preceded by the phrase “Simon Says”. If the action is performed without those words being spoken, the player is out of the game.
The rules are not difficult to learn. Successfully following the instructions is also not difficult. It requires skill, however, as the leader increases the speed with which commands are issued. The players become so focused on doing the commands that they impulsively react without thought.
Now consider your inbox. When you receive a few emails it is relatively simple to be diligent. You are focused on the content and can watch for the telltale signs of a phishing attack. Imagine yourself on a busier day. Dozens of emails arrive. You are on the phone, you’re reading a website, you’re talking to a coworker. You are not focused. You’re not waiting for the “Simon Says”. It’s at those times that you are most susceptible to being fooled. A decent phishing attempt will lull you into acting.
I speak from experience. I spend my days counseling corporations on employing techniques for preventing phishing attacks and how to spot a malicious or devious email. I have become quite adept at picking up subtle traces of an attack. It has become second nature to me. In spite of that, I came perilously close to swallowing the hook.
As happens to us all, I was busy multitasking, catching up on emails and returning phone calls. After reading about a dozen emails, I came to one from LinkedIn. Or at least one that appeared to be from LinkedIn. The logo looked legitimate, the format was familiar, and the content seemed safe. At first glance, it seemed credible. I was being asked to accept a contact request, just as I had been hundreds of times previously. I was preoccupied and lulled into a state of trust.
Fortunately, at that moment, I was interrupted by a phone call. It acted like a timeout. Thirty minutes later, when I went back to the email, I had snapped out of my auto-mode, and upon closer examination it became clear I was dealing with a phishing attempt.
The point I am making is this: educating yourself on the rules is not enough. Knowing how to identify a bogus email is not enough. Technology is not enough. Users must be constantly vigilant. Opening an email is like a high-stakes game of “Simon Says”.
Someone in your organization might open an email containing malware and never become aware of what they just did. Successful hackers may warehouse your information for a year or more before they use it. The user never learns from the experience, and too much time may have passed to trace the point of failure. Without immediate feedback, the staffer (and the organization) has failed to learn from the event. Our experience at Virtugard has shown that a consistent, ongoing education program with immediate feedback can effectively help employees be more cautious and diligent. Training staff with “test” phishing emails, followed by immediate training and retesting, helps ensure that they don’t react without thought. Those users who were tested on a regular basis were more aware of the dangers of acting carelessly. They have learned how easy it is to be fooled by a familiar-looking email, or by one they thought required an immediate response.
The primary goals of such an educational program include:
- Educating staff on how to identify phishing attacks
- Training staff to apply those techniques to EVERY email, and to understand that errors can be costly
For more information, contact us here.