Phishing In Your Company Pond?

6 Steps to Improving Your Security Training & Fighting Social Engineering

 Looking for more tips to protect your organization (and yourself)? Check out our security series, 10 Fail-Safe Tricks for Maximizing Security. We’ll be releasing new articles and videos each week for every topic. Click here to get the content directly in your inbox.

In the ongoing effort to improve information security for organizations, arguably the most important, yet widely overlooked, risk factor is human error.  Almost 90 percent of cyber-attacks are caused by human error or behavior. Just let that sink in for a moment. By simply adding or enhancing regular cyber security training and awareness efforts, you can potentially eliminate up to 90% of threats.

Typically, a solid security awareness training program should cover the following topics:

• Phishing and Social Engineering
• Device Security
• Physical Security
• Passwords and Access Control

In this post, we’ll take a look at Phishing and Social Engineering, including what they are, how to avoid them, and how to utilize the Office 365 Phishing Attack Simulator to test your end users’ preparedness to help avoid and prevent these types of attacks.

Setup Office 365 Phishing Attack Simulator

What is Social Engineering?

Social engineering is usually defined as an attack that tricks users or administrators into divulging or revealing information.  Phishing, an attempt to acquire sensitive information (passwords, usernames, payment details) from an individual through email, chat, or other means, is one of the most common types of social engineering attacks.

The reason that phishing and other social engineering attacks are so successful is because they’re disguised to look like they come from credible, trustworthy sources, creating a false sense of trust.  To help thwart off these threats, we’ve compiled a quick 6-step checklist to provide in your ongoing security awareness trainings.

The End User’s 6-Step Process to Avoid Phishing Schemes

1. “From” Line – Examine the address that you are receiving the email from. Pay close attention to the sender because the person may appear to be someone you know, but in reality, could be a spoof.  People are more likely to trust an email from someone they recognize, which is why an email made to appear as an existing contact is effective. Here is an example:

Real email: twatson@contoso.com
Spoofed email: twatson@cotnoso.com
Notice that the “n” and “t” are reversed in “Contoso” in the spoofed email, therefore it appears legitimate, but the domain is not accurate.

2. “To” Line – Often, a hacker will send an email to many different people. If you do not know the other people in the “to” line or are being cc’d on a strange email, this should be an automatic red flag.
3. Hyperlinks – Always be cautious of clicking embedded links within an email unless you are sure it is from a trusted source. Before clicking the link, hover over it with your mouse to see the destination URL.  If the URL does not match what the text says, do not click the link.  For more information, read
4. Time – Consider the time you receive an email and compare it with the normal time you receive similar emails. Do you generally receive an email from a board member of your company at 3:30 a.m.?  If not, this is an indication of a potentially spoofed email.  The same goes for a specific time of year.  Be extra cautious around holiday or tax season, as cybercriminals typically increase phishing attempts when financial information is being shared or online shopping is heightened.
5. Attachments – While they may seem harmless, attachments can contain malicious viruses or malware. As a rule of thumb, do not open attachments that you are not expecting.  Additionally, if the attachment has a strange file type, such as a duplicate .xls.xls or a ZIP archive, you should not download or open it.
6. Subject – Phishing attempts will try to trick you with immediate action requirements within the subject line. If the subject line seems strange, such as “Change password immediately” or “Verification needed,” you will want to validate the source before you take any action.  We have included a list of the most common phishing email subject lines used by cyber criminals for you to include in your security trainings.

It is important for businesses and organizations to take email hacking seriously.  Methods and targets can vary, so understanding social engineering and keeping up with attack trends is crucial.  Regular security awareness training for all staff can be one of your most effective weapons in combatting these attacks and maintaining a secure environment.  Contact us to schedule your free security awareness assessment and be safe out there!