Do Your Senior Management Know How to Spot a Phishing Attack?

+44 (0) 800 093 2580

[email protected]

www.fusemail.com/en-gb/

Staffordshire | United Kingdom


Want the course in a separate document you can send directly to colleagues?

Send an email to:

[email protected]

and we will send it straight over.

Spear phishing attacks are on the rise, and so is the number of victims of successful attacks. To protect your organisation from threats like this you need a multifaceted approach to email security.

You may have invested in the best technology to prevent or mitigate a phishing attack, but your staff are equally important to your defence, and that aspect is harder to control. It takes just one person acting on a phishing email, opening an attachment or clicking a malicious link, to put your entire network and company at risk.

Senior management, decision makers, and people with access to transfer finances are the most likely to be targeted by phishing attacks.

FuseMail, the email security experts, have developed leading email security technology to identify and prevent phishing and spear phishing attacks in the cloud, before they reach your network. But we have also designed this short 15-minute course for you to give to your Senior Management Team (or indeed anyone in your organisation) to help them better understand and identify phishing, learn to be suspicious, and help prevent a successful attack.

We’re FuseMail: we allow you to connect with confidence, everywhere and every way.

The 15 minute spear phishing course

This course has been designed to be used in two ways. It’s up to you!

1) You can gather your senior management team together in one location and present it to them as you would a traditional training session.

OR

2) You can send them this document and get them to work through it in their own time.

However you go about using it, make sure to follow up with each person you have given the course to.

The rise of spear phishing attacks …learning to be suspicious


Let’s get started!


Introduction

Phishing is any website, online service, phone call, text message or email that poses as a company or brand you recognise. Phishing attacks are generally undertaken on a large scale: a big net is cast to try to catch as many victims as possible.

Spear phishing is similar to phishing but far more targeted. The spear phishers single out specific individuals, using social media, telephone calls and in some cases hacked accounts to gather detailed information about their potential victims. They invest time and effort to learn as much as possible about their target and then use that knowledge to make their requests appear very authentic.

Both types of phishing are designed to convince you or your team to hand over valuable organisational details or money, or to trick you into downloading something that infects your computer and corporate IT network. The impostors phish for victims by sending emails, social media messages or text messages, or by making phone calls, with urgent messages in the hope of persuading someone to visit the bogus website or pay out sums of money.

Why do they do it? Because it works.

One in four companies reported a cyber breach in the last 12 months.

According to research compiled by the University of Portsmouth for the 2016 Annual Fraud Indicator report, fraud is taking place on an industrial scale and is one of the biggest crimes afflicting UK PLCs today.

It just takes a single click.

You may have invested in the best technology to prevent or mitigate a phishing attack, but the mainstay of your defence is your staff, and that can be difficult to control. It takes just one person believing a phishing email or clicking on a malicious link to put your entire network and company at risk.

Staff knowledge and awareness can tip the balance between success and failure

By arming your staff with the knowledge to identify phishing scams you will save money and time, keep a clean reputation and improve staff morale. Being able to detect a potentially malicious email and act promptly makes your staff feel important, empowered and active in the fight against cyber-crime.

Adopting a user awareness programme alongside traditional anti-malware strengthens your anti-phishing capabilities: employees can serve as a valuable active defence layer inside the organisation.

We have designed this short spear-phishing awareness course to help you or your senior management team begin to identify ways in which phishing attacks can be recognised and avoided.


Exercise 1 - Email from the BOSS!

Look at the email below and decide whether you think it is legitimate or not. Don’t be overly suspicious; accept that it is just another email. What about it would make you think it was real and from your boss?

From: Bob Hurt <[email protected]>
To: John Frost <john,[email protected]>
CC:
Subject: Urgent payment to go through today

Hi John

I’m out of the office all week, but have managed to secure a discount on our rent if we pay the next three months upfront today. I think they must be having cash flow problems.

Can you please transfer the £7,500 to their new bank account below ASAP?

Bank: National Westminster
Account no: 35611896
Sort code: 45-85-17
IBAN: GB29 NWBK 6016 1331 9268 19

Apologies for the short notice, I know it’s month end. Can you just reply to this email once you have made the payment and I can call them to confirm?

Much appreciated,

Bob Hurt
CEO

[This is your official company email signature, with your logo, www.website.com and accurate contact details.]

Jot down what you spotted…


How did you do?

This is what we picked up on as potential reasons people might not question the authenticity of this email.

1) There are no spelling errors in the email, so no suspicion would be raised by this.

2) The email itself is familiar yet professional, and there is a logical reason for the cash transfer explained in the email.

3) There is a sense of urgency created in the email, but not enough to raise suspicion. Who wouldn’t want a discount on their rent?!

4) It appears to come from your CEO’s name and email address.

5) The email has your organisation’s email footer, so it looks real. It even has your logo and looks like any other internal email you receive every day.

6) The email asks you to confirm the cash transfer so the CEO knows that it has been completed and can get on with his holiday.

7) It is courteous: the sender apologises, as he knows that month end is a busy time for the Accounts Team, and he acknowledges that.


Email from the BOSS - Take 2

Look again at the email from Exercise 1 and this time, highlight or circle anything that would make you suspicious. Be very suspicious.

Jot down what you spotted…


Here’s what we spotted. Let’s take a closer look at the email and start learning how to be suspicious.

1) The From Email Address

Did you look closely at the ‘From’ email address? At first glance you might be fooled into thinking it came from Bob Hurt. But if you look more closely, you may have spotted that the email has not in fact come from your company’s domain, but from yourc0mpany’s domain: the ‘o’ in company was replaced by a zero (0).

This can be even harder to spot in some email software (Outlook, Thunderbird, smartphone apps, etc.), as you don’t even see the full email address a message is coming from. In Microsoft Outlook, for example, this message would normally be displayed as coming from ‘Bob Hurt’, not ‘[email protected]’.

Note too that the email asks you to reply once the payment is made. Any reply goes back to the lookalike domain, so the attacker learns that the transfer has gone through and your real CEO never sees it.

TOP TIP - by double-clicking on the name you can see and check the full email address of the sender. If you are ever in any doubt about the authenticity of an email, start your investigation by checking the full email address.
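One way to catch this trick automatically, as an added example rather than anything from the FuseMail course: a small Python check that parses the From: header, maps common look-alike characters (0 for o, rn for m) back to the letters they imitate, and compares the result against an allowlist of your own domains. It also flags a genuine external address that borrows an executive’s display name, the other common variant. The allowlist, the executive name list, the confusable table and the sample headers are all constructed assumptions. A lookalike domain such as yourc0mpany.com is one the attacker has registered and controls, so it can pass SPF and DKIM checks at your gateway; a check like this, or a human reading the full address, is what catches it.

```python
"""Flag From: headers whose domain is a lookalike of a trusted domain.

Added example, not part of the FuseMail course. TRUSTED_DOMAINS, EXECUTIVES,
CONFUSABLES and the sample headers below are all constructed for illustration.
"""
import email.utils

# Constructed: domains the organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"yourcompany.com"}

# Constructed: display names a spoofer is likely to borrow (CEO, FD, etc.).
EXECUTIVES = {"bob hurt"}

# Characters and pairs commonly swapped in to imitate a letter.
# Longer keys are applied first so "rn" is collapsed to "m" before
# any single-character rule runs.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}


def normalise(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch a dropped or added letter (yourcompny)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, address) for a raw From: header value.

    Verdicts: 'trusted', 'lookalike', 'display-name spoof', 'external', 'malformed'.
    """
    display_name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ("malformed", addr)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", addr)
    # Compare the registrable label after de-confusing, so that
    # yourc0mpany.com, yourcornpany.com and yourcompany.net all match.
    label = normalise(domain).split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(label, trusted.split(".")[0]) <= 1:
            return ("lookalike", addr)
    # Genuine external domain, but borrowing an executive's display name.
    if display_name.strip().lower() in EXECUTIVES:
        return ("display-name spoof", addr)
    return ("external", addr)


# Constructed sample headers, including the course's zero-for-o trick.
SAMPLES = [
    "Bob Hurt <bob.hurt@yourcompany.com>",
    "Bob Hurt <bob.hurt@yourc0mpany.com>",
    "Bob Hurt <bob.hurt@yourcornpany.com>",
    "Bob Hurt <bobhurt.ceo@webmail.example>",
    "Accounts <accounts@landlord.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, addr = classify_sender(header)
        print(f"{verdict:20} {addr}")
```

Legitimate sibling domains (yourcompany.co.uk, for instance) will be reported as lookalikes until they are added to the allowlist, which is the intended behaviour: a new domain claiming to be you should be reviewed once, then listed.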


2) Conveniently Out of the Office

We have all worked for those mad men and women who work from the beach. But a healthy dose of suspicion should always be applied to anyone asking you to transfer large sums of money while they are on holiday.

Emails like this are designed to make you feel uncomfortable about questioning the boss. “They are on holiday, it’s a simple request; shouldn’t I just do what they are asking? Otherwise I have to call my boss, who is in the Bahamas on his first holiday in 12 months… awkward!”

Even with your suspicious hat on, you might be thinking, “well, how would a phisher know that my boss is on holiday?” The simple answer? By using LinkedIn to find out who the boss is and then using their Facebook, Twitter and Instagram accounts to find out what they are up to.


3) The Hook! A Discount…

Let’s focus on the reason for the transfer. OK, this is a fictitious reason in a fictitious email and we’re not criminal masterminds. But a discount on the rent is a plausible reason to pay upfront: rent is paid every month by the majority of SME businesses, so it is a natural thing to offer a discount on.

However, again, be suspicious: is this likely? Would your boss really want to take three months of cash out of your bank account, even with a good discount? Rent is a pretty big outgoing.


4) A New Bank Account

If you take away nothing else from this document, take away this: ALWAYS QUESTION NEW BANK ACCOUNTS.

If a supplier updates their bank account details, call them to confirm. Don’t use the contact details at the bottom of the email; go to their website directly in your web browser and use the contact details from there, or better still call a number you already had on file for them from before the change.

Common phishing tricks include using the email footer to carry fake telephone numbers and links which direct you to unsavoury or indeed harmful websites.


5) It’s an Emergency!

The next thing we would like to draw your attention to is the ASAP. Why is this so urgent? Your boss says the landlord must be having cash flow problems; maybe they are, but this should be a red flag for anyone receiving an email like this.

Victims of phishing scams report that it all happens in a matter of minutes, leaving them no time to reflect or think about what has happened. When we move quickly, we make mistakes. When we are asked to move quickly by our boss, human nature dictates that we do what they say immediately. But in the case of money transfers, caution always needs to be applied.


6) The Email Signature

The last thing we would like to draw your attention to is the email signature. It looks just like any other email signature: it has the sender’s name, title, company logo and a link to the website.

However, links like this can redirect you to a malicious or phishing website. Also be particularly wary of things like ‘click here’, ‘read more here’ etc., as they can hide malicious URLs. TOP TIP - before you click on a link in an email, always hover over it with your mouse. This shows you the real destination the link is sending you to (on a phone or tablet, pressing and holding the link usually shows the same information). Note that if your email security service rewrites links so they can be scanned at click time, the address you see on hover will be the rewriting service’s, not the original destination. For even better protection, URL protection services like ClickSMART from FuseMail help to defend your network against web pages that would download ransomware and other malware onto your computer and network.

If you are questioning an email, also double-check any telephone numbers against the company’s official website. Go to the website by typing the URL directly into your web browser, as phishers often put a false website and telephone number in an official-looking email signature.
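The hover check described above, done programmatically, as an added example that is not part of the course: the script pulls every link out of an HTML message body, reports where each really points, and flags the two patterns the page warns about, link text that is itself a domain name (www.website.com) but whose href goes somewhere else, and generic ‘click here’ text hiding the destination. It also flags a bare IP address as the host. The HTML signature is constructed, and the hostnames in it are reserved example names.

```python
"""List where each link in an HTML email really goes, and flag the ones
whose visible text or destination looks wrong.

Added example, not part of the FuseMail course. The HTML signature below is
constructed; the hostnames in it are reserved example names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML signature: one honest link, one link whose text is a
# familiar domain but whose real destination is elsewhere, one "click here".
SAMPLE_HTML = """
<p>Bob Hurt<br>CEO</p>
<p><a href="https://www.website.com/">www.website.com</a></p>
<p><a href="http://www.website.com.account-verify.example/login">www.website.com</a></p>
<p><a href="http://198.51.100.7/invoice.php?id=7500">Click here</a> to view the invoice</p>
"""

GENERIC_TEXT = {"click here", "here", "read more", "read more here", "view", "login", "verify"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_of(host: str) -> str:
    """Crude site identity: the last two labels (www.website.com -> website.com)."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href: str, text: str) -> str:
    """Return a verdict for one link: 'ok' or the reason it looks suspicious."""
    host = urlparse(href).hostname or ""
    if host.replace(".", "").isdigit():
        return "bare IP address as host"
    visible = text.lower().strip()
    for prefix in ("https://", "http://"):
        if visible.startswith(prefix):
            visible = visible[len(prefix):]
    # If the visible text itself looks like a domain or URL, it must agree
    # with the real destination; "www.website.com" pointing elsewhere is the
    # classic signature-footer trick.
    if "." in visible and " " not in visible:
        shown_host = visible.split("/")[0]
        if site_of(shown_host) != site_of(host):
            return f"text says {shown_host} but goes to {host}"
        return "ok"
    if visible in GENERIC_TEXT:
        return "generic link text hides destination"
    return "ok"


def audit_links(html: str) -> list:
    """Return [(visible text, href, verdict)] for every link in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for text, href, verdict in audit_links(SAMPLE_HTML):
        print(f"[{verdict}] '{text}' -> {href}")
```

The site identity is deliberately crude (last two labels), which is good enough to expose a subdomain trick like www.website.com.account-verify.example; a production check would use the public suffix list so that co.uk-style domains compare correctly.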


Course roundup

The many ways you can be fooled into giving your information to phishers, hackers and spammers are, quite frankly, frightening. This is happening to unsuspecting businesses and private individuals all over the world today. No one is immune: successful attacks have been made on hospitals, universities, charities and FTSE 500 companies.

Officials believe that the threat and success rates are actually much higher than those we see reported, as many businesses decide to just pay out and move on. They are often embarrassed or too busy to report what has happened, and the damage to their organisation’s reputation could impact their bottom line. A key issue here is that if an attack is successful the first time around, we are now seeing repeat attacks and repeat successes. The attackers, rightly it would seem, assume that if they got away with it the first time, then why not a second and a third time.

So what can you do?

There is no single or easy thing you can do to prevent attacks like these, but thankfully there are a few simple steps you can take which go a long way towards reducing your risk. We have compiled a short ‘Top 10 tips for senior management’ list below which identifies 10 small ways you can make a big difference to your company’s cyber security.

As for email security software, FuseMail can help in the form of our industry-leading cloud-based email and web security services. Contact us today to book your free trial or arrange an online demonstration.

Get in touch to discover our industry-leading services

Call +44 (0) 800 093 2580
Email [email protected]
Visit www.fusemail.com/en-gb/

Your network security is critical, but so are your staff.

Take Action: book your demonstration, sign up for your free trial.


Top 10 Tips for Senior Management

1) Change your passwords regularly. When selecting passwords, think random; use numbers and symbols as well as words and steer clear of things like ‘123456’ or ‘Password123’. (Current UK NCSC guidance is to use a unique, strong password for each account and to change a password when you suspect it has been compromised, rather than on a fixed schedule.)

2) Never adopt an ‘oh, it will never happen to us, we’re too small/too big to be on their radar’ attitude. Ensure that your IT infrastructure is as robust as possible by investing in high-quality security products like email and web filtering and security from FuseMail.

3) If an email attachment asks you to run macros or download something, report it to IT immediately.

4) Be suspicious of changes or urgent requests regarding credit cards, bank transfers or updated bank accounts.

5) Hover over links in emails before clicking on them to ensure they are going where they say they are.

6) Don’t talk about your holiday on social media until you come back. This is where phishers get their information. They knew your boss was on holiday because he told them… on Facebook.

7) Never use the telephone number or links from the bottom of an email you are questioning. Go online and get the contact details from the company’s website.

8) Phishing is not just for emails. Be wary of SMS phishing too. If your bank sends you a text message, never click on the link in the text; always use their website to find contact details. Because the sender name on a text message can be faked, a phishing text can land in the same conversation thread as all the genuine messages from your bank. These are really hard to spot, so be very cautious.

9) If you are asked to send a payment to a new bank account, always call the supplier to confirm that the request has come from them. Remember to use their website to get their telephone number.

10) Invest in your staff. That means ensuring your IT Team has the knowledge and tools they need to protect your network AND training all staff members in cyber security awareness.


Top 10 Tips for IT Teams

1) Don’t just train end users once; train them regularly.

2) Ensure you have a password policy and enforce it.

3) Lobby to make email and web security part of your company’s induction training.

4) Buy the best email and web security service your budget will stretch to; this is no place to scrimp.

5) Invest in an email URL protection service to reduce your risk further.

6) Make sure you have anti-spoofing set up for your domain: publish SPF, DKIM and DMARC records so that receiving mail servers can reject messages that claim to come from your domain but did not.

7) Ensure your email security service invests in ongoing research and development, to make sure you are protected from today’s threats, not yesterday’s.

8) A lot of companies, FuseMail included, offer free training and industry updates in the form of webinars and whitepapers, so try to keep yourself up to date with the latest developments and threats.

9) Support companies are starting to offer a new service called cyber security awareness training. It aims to increase awareness and knowledge of phishing, spear phishing and other cyber security threats in order to reduce risk. It might be something to think about for next year’s budget.

10) Cyber security insurance is another way to mitigate the risk of a successful attack. It might be worth investigating the costs involved.
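Anti-spoofing for your own domain (tip 6 above) means publishing SPF, DKIM and DMARC records in DNS. As an added example that is not part of the course, the script below takes SPF and DMARC TXT records as strings and reports the settings that leave spoofing unpunished: ~all or +all in SPF, and p=none, sp=none, pct below 100 or no rua address in DMARC. The records it checks are constructed, with a weak pair next to the corrected pair; you would fetch your own with dig +short TXT yourcompany.com and dig +short TXT _dmarc.yourcompany.com. Two caveats: move to p=reject only after the aggregate reports show that every legitimate sending source (mail provider, CRM, invoicing system) passes SPF or DKIM with alignment, or you will reject your own mail; and these records only protect your exact domain, not a lookalike such as yourc0mpany.com, which the attacker owns and can set up SPF and DKIM for just as you do.

```python
"""Assess SPF and DMARC records for the weak settings that let spoofed
mail through.

Added example, not part of the FuseMail course. The records below are
constructed; in practice you would fetch your own with
`dig +short TXT yourcompany.com` and `dig +short TXT _dmarc.yourcompany.com`.
"""

# Constructed records: a weak pair next to the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@yourcompany.com")


def assess_spf(record: str) -> list:
    """Return findings for an SPF TXT record (empty list = nothing weak)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell who may send as you"]
    # The 'all' mechanism decides what happens to hosts not listed before it.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders are treated as neutral"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    message = {
        "+": "'+all' lets any host on the internet send as your domain",
        "?": "'?all' is neutral: no protection",
        "~": "'~all' softfail: most receivers still deliver the spoofed mail",
        "-": None,
    }[qualifier]
    return [message] if message else []


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC TXT record (empty list = nothing weak)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures carry no instruction to receivers"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy!r}: not a valid policy")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: mail spoofed from subdomains is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports of spoofing attempts")
    return findings


if __name__ == "__main__":
    for name, rec, fn in [("weak SPF", WEAK_SPF, assess_spf),
                          ("strong SPF", STRONG_SPF, assess_spf),
                          ("weak DMARC", WEAK_DMARC, assess_dmarc),
                          ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(name, "->", fn(rec) or ["ok"])
```

The usual rollout is the weak DMARC record first (p=none with rua set) so you can read the reports, then p=quarantine, then p=reject once nothing legitimate is failing; the script treats p=none as a finding because it is where many domains stop.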


About FuseMail®

FuseMail® enables businesses around the world to communicate with confidence every day. Our cloud-based services provide simple, secure and scalable solutions for email security, spam/virus filtering, archiving, encryption, web security and email hosting. With award-winning local support and an international suite of products and features, FuseMail® is a world leader in email and web security.

SecureSMART email security
SecureSMART’s multi-layered security keeps you safe from known and emerging email-based threats, using a combination of custom filters and industry-leading anti-virus, anti-spam and anti-phishing engines. Read more online.

ClickSMART URL protection
ClickSMART provides yet another level of protection against phishing and ransomware attacks by preventing email recipients from clicking on dangerous URLs. It rewrites web links in emails, enabling them to be rescanned at the time of the click. Read more online.

ContinuitySMART email continuity
Adding ContinuitySMART to your SecureSMART package upgrades SecureSMART to SecureSMART Suite. This upgrade brings with it always-on email continuity and an additional 76 days of email replay from the SecureSMART email logs, bringing you to 90 days of email replay in total. Read more online.

ExchangeSMART Hosted Exchange
ExchangeSMART is FuseMail’s® Hosted Microsoft Exchange solution that provides you with all the features and collaboration options of an in-house installation of Microsoft Exchange, but without the prohibitive costs and time-consuming administration. Read more online.

WebCritical web security
WebCritical cloud-based web security gives you control over what employees do online and protects your organisation from web-based threats. Read more online.


Want to get your hands on the PPT presentation to go with this document? Email [email protected]

+44 (0) 800 093 2580
[email protected]
www.fusemail.com/en-gb/

FuseMail® | IC 5 | Keele Science Park | Keele | Staffordshire | UK ©FuseMail UK Limited