There’s a new term you should learn if you don't know it already: Business Email Compromise (BEC).
It’s a formal way of saying someone’s business email account was used as part of a cyber attack.
The FBI calls BEC “one of the most financially damaging online crimes,” and according to the security awareness training company KnowBe4, more than 90% of successful data breaches began with an email tactic called phishing.
Phishing is an email scam designed to trick a user into taking some kind of action, like clicking a link or downloading a file, that gives the attacker access to your organization’s network.
Email is a prime target for cyber criminals and it continues to be a necessity in business, even though executive concerns about email security are increasing.
And improving email security isn't as easy as installing a new spam filter. (Although, if you're not using advanced tools to filter email, that's an area that needs attention.) Cyber criminals can still sneak around spam filters and your other cyber security measures with email phishing.
So, how do you prevent your employees from inviting cyber criminals into your network? Through interactive, fun, and engaging ongoing training.
There's no surefire way to block all phishing, so training employees how to spot these types of email scams is critical.
Before we get into the specifics of the email security training, it's important to understand the tactics that hackers are using to manipulate your people.
To start, let’s take a minute to understand phishing.
With phishing, humans are your biggest threat to email security. The better informed your team is about social media and email security, the better chance your organization has to protect itself from these attacks.
Because so many data breaches happen as a result of human behavior, it's not realistic to expect your IT department to ward off all cyber threats. The technical security measures are important and should be in place, but no technical control is foolproof against human error.
The first thing you need to do is make sure that every member of your team with access to your network (including email) is aware of the risks and consequences that can follow every CLICK.
Many executives are taking action against phishing attacks with awareness and protection applications like KnowBe4. Here at VC3, we’ve partnered with KnowBe4 to help our clients train their users to recognize and identify the signs of dangerous phishing emails.
KnowBe4 is a company whose priority is to educate the world on how to avoid being a victim of email scams. They partner with real companies whose names and logos are recognizable to make phishing simulations as difficult to detect as possible.
You can also create tests that spoof your own domain, so they look like internal emails -- this happens for real ALL the time, so it's important to train employees to spot them.
Because their emails look so authentic, KnowBe4’s phishing tests are highly effective. KnowBe4 email security training can be done right at your team’s own workstation or phone.
Here's what one of their phishing simulations can look like:
Looks legit, right? That's the idea.
Training with KnowBe4 begins with a customized simulated phishing test to your team.
The first simulated phishing campaign will give you a baseline for how likely your employees are to fall for phishing scams overall, and who specifically is most "phish-prone."
Let me give you an example: We recently ran a phishing simulation campaign for a healthcare provider with 100 employees. Out of those 100 employees, 22 people clicked on the phishing scam. The email looked like password reset instructions sent by their IT team. Of those 22 who clicked, 13 people entered their username and password into the website that fake email sent them to. THIRTEEN!
So, now that company knows who needs some extra training.
Here are a few things you can do with KnowBe4:
When your objective is to train your team, you want a program designed with those people in mind -- and who knows them better than you?
The executives we work with typically choose to randomize their simulated phishing tests so they are sent at different times of the day, on different days, and to different people. Most of our clients use the automated scheduling so that tests are delivered 1-2 times a month.
In addition to training with simulated phishing tests, training can be delivered as informational emails.
Let's say you think this training is a good idea and you roll it out -- how will you know if this approach to email security training is working?
Enter: monthly reports!
KnowBe4 delivers a summary report PDF and a link to a full detailed report of the test’s results each month.
This report will show you how users responded to the simulated phishing tests, and will help you to identify which members of your team are putting your organization at risk.
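The baseline campaign described earlier and the monthly reports described here both come down to the same analysis: for each simulated campaign, what share of recipients clicked or entered credentials (the "phish-prone" percentage), how many reported the email, which individual users failed and how often, and whether the number is moving in the right direction. The script below is an added example, not VC3's or KnowBe4's code, and the CSV column names (campaign, user, clicked, entered_credentials, reported) and the sample rows are constructed assumptions, not KnowBe4's real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per recipient per simulated campaign.
# The column layout is an assumption for this example, not a real KnowBe4 report.
SAMPLE_RESULTS_CSV = """\
campaign,user,clicked,entered_credentials,reported
2024-01-baseline,alice,1,1,0
2024-01-baseline,bob,1,0,0
2024-01-baseline,carol,0,0,1
2024-01-baseline,dave,0,0,0
2024-01-baseline,erin,1,1,0
2024-02-followup,alice,1,0,0
2024-02-followup,bob,0,0,1
2024-02-followup,carol,0,0,1
2024-02-followup,dave,1,1,0
2024-02-followup,erin,0,0,1
"""


def parse_results(csv_text):
    """Turn the CSV export into a list of dicts with boolean outcome fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "campaign": r["campaign"],
            "user": r["user"],
            "clicked": r["clicked"] == "1",
            "entered_credentials": r["entered_credentials"] == "1",
            "reported": r["reported"] == "1",
        })
    return rows


def campaign_summary(rows):
    """Per-campaign metrics: phish-prone % (clicked or entered credentials),
    credential-entry % and report % relative to the number of recipients."""
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r["campaign"]].append(r)
    summary = {}
    for name, recs in sorted(by_campaign.items()):
        total = len(recs)
        phished = sum(1 for r in recs if r["clicked"] or r["entered_credentials"])
        creds = sum(1 for r in recs if r["entered_credentials"])
        reported = sum(1 for r in recs if r["reported"])
        summary[name] = {
            "recipients": total,
            "phish_prone_pct": round(100.0 * phished / total, 1),
            "credential_pct": round(100.0 * creds / total, 1),
            "report_pct": round(100.0 * reported / total, 1),
        }
    return summary


def users_needing_training(rows, min_failures=1):
    """Users who failed (clicked or entered credentials) at least min_failures
    campaigns, as (user, failures, credential_entries), worst first."""
    failures = defaultdict(int)
    creds = defaultdict(int)
    for r in rows:
        if r["clicked"] or r["entered_credentials"]:
            failures[r["user"]] += 1
        if r["entered_credentials"]:
            creds[r["user"]] += 1
    out = [(u, failures[u], creds[u]) for u in failures if failures[u] >= min_failures]
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


def trend(summary):
    """Change in phish-prone % from the first campaign to the latest one
    (a negative value means the team is improving)."""
    names = sorted(summary)
    return summary[names[-1]]["phish_prone_pct"] - summary[names[0]]["phish_prone_pct"]


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS_CSV)
    summary = campaign_summary(rows)
    for name, s in summary.items():
        print(f"{name}: {s['recipients']} recipients, "
              f"{s['phish_prone_pct']}% phish-prone, "
              f"{s['credential_pct']}% entered credentials, "
              f"{s['report_pct']}% reported")
    print("Repeat failures:", users_needing_training(rows, min_failures=2))
    print("Trend since baseline:", trend(summary), "points")
```

The report percentage is worth tracking alongside the click rate: a team that reports simulated phishing instead of ignoring it is the one most likely to give your IT staff early warning of a real campaign. Applied to the healthcare example above, the same calculation gives a 22% phish-prone rate and 13% credential-entry rate on a 100-recipient baseline.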
Whether or not your team eventually catches on that you are testing them, they'll still be gaining the skills and tools necessary to recognize real phishing attacks. Your priority is to get your team more aware and more mindful of email security, and KnowBe4 can help you do that.
If you’re not sure where to start, feel free to reach out to us here at VC3 any time. We’re here to make your life easier through fast, friendly, frustration-free IT services.