Everyone knows what phishing emails are and how to spot them, right?
I’m sure everyone’s seen the really obvious ones, the ones that are laughably bad, the ones that are perhaps designed to identify naive or particularly vulnerable people.
But what about the sophisticated ones that use real people’s names, real logos and perhaps even have some genuine links in them?
You probably won’t know you’ve been hacked till it’s too late
The chances are that if you did click on a malicious link, you probably wouldn’t realise it. In most cases nothing obvious happens.
Sony Entertainment was hacked some time ago, but perhaps more frightening is that the criminals had had access to Sony’s network for about a year – no one knew they were there. It was only revealed later that the hackers had used spear phishing emails to get in.
One report states that 12% of recipients will open a phishing email – which is really high, but only 4% will click on a malicious link within the phishing email.
Worryingly, you only need one to get through any physical or human layers of protection to cause a massive amount of harm, and cyber criminals know this.
Another area of concern is that some people are more likely to keep on opening phishing emails than others – even after training.
Some might argue that ‘training doesn’t therefore work’. But that’s not right.
Adapting to different learners’ needs
We believe it means that sometimes you have to adapt your approach to meet different learners’ needs, and elearning can be really good at that.
Things like ‘little and often learning’ help. In other words, small pieces of training which focus on different aspects of a topic can be far more effective than a one-off ‘hit’. It’s like any form of practice: doing regular short periods of practice is more effective than one long session.
A lot of cyber crime protection is about getting into good habits
For example, using strong, unique passwords, checking links before you click on them, updating software and so on. We need to do these things at work, and we also need to do them at home. This is about an attitudinal change from ‘it will never happen to me’ to ‘better safe than sorry’. We still lock the front door even though it might be unlikely that we’ll be burgled when we’re out.
Being vigilant and reporting
As with other forms of attack, we need to be ever more vigilant. In order to do that, we need to hone our skills in recognising what is suspicious, and adopt a more curious, more suspecting attitude and not take things at face value all the time.
A lot of companies have a no-blame culture to encourage people to report it if they realise that they have clicked on something which might be suspicious or have visited a potentially malicious website. This can be really helpful as it informs the people in charge of security where the attack has come from and how to shore up any vulnerabilities.
Examples of explainer videos that can be used to help colleagues
You can see all our training videos on our showreel page, but if you’d like to pass on and share links with friends, family or colleagues, here are some of our YouTube versions.
Spotting phishing emails. It’s not the ones you spot that are the problem, it’s the ones you don’t.
One consequence of falling victim to a phishing email scam can be a ransomware attack. This video explains what a ransomware attack is and steps which can be taken to help prevent an attack.
We all use passwords. How many of us use unique, strong ones?
Elearning can be a really effective tool in the fight against cybercrime. It doesn’t have to be through an LMS with logins, tracking, reports and so on. It can be a short animated video embedded on an intranet page, or a link sent out in an email.
In our view, topics like information security should not be seen as a once-a-year activity. Things such as phishing emails are a threat to us in our personal lives as well as at work, so training should be part of an ongoing process.