A recent study by a security awareness training platform showed that the average rate at which employees of small banks clicked on phishing emails was 25% (the rate for bigger banks is even worse!).
Ransomware (malware that encrypts your data and only provides a decryption key if you pay a ransom) continues to be a threat to banks. This malware can hide in links in emails, as hidden code in email attachments or even embedded in seemingly safe websites. If technology can’t filter out all the sources of malware, it is critical to train employees on how to recognize and avoid these hidden traps. A well-designed Security Awareness Training program turns everyone in your company into a “human firewall.”
What Does an Effective Training Program Look Like?
An effective security awareness training program should illustrate with real-life examples the danger of social engineering and the importance of constant vigilance to avoid malware infections. The training should be attended by everyone in your organization who has access to the internet, repeated at least annually (we recommend every six months) and should be part of the standard onboarding process for new employees.
To ensure that the training “takes,” the program should include regular social engineering tests. The easiest way to do this is to use a service to send your own unannounced phishing emails to see who “clicks.”
In the programs that we administer at RESULTS Technology, we typically see about a 15% hit rate on phishing emails sent out before training is initiated. This dramatically drops to less than 5% after training is completed. Over time, the hit rate creeps back up, so it is important to refresh training regularly.
Here are a few training tips to pass along to get your program going:
- Do not open attachments unless you are 100% certain of the sender and the purpose of the attachment. When in doubt, pick up the phone and call.
- Never click embedded links in messages without hovering your mouse over them first.
- Look for “fake” domains. Note that www.microsoft.com and www.support.microsoft.software.com are two different domains (and only the first is an actual Microsoft site).
- Always check the email “From” field to validate the sender. The “From” address may be spoofed.
- Do not “unsubscribe” — it is easier to delete the e-mail than to deal with the security risks.
- Do not respond to spam in any way. Use the “Delete” button.
- Do not open any email attachments that end with .exe, .scr, .bat, .com or other executable file types you do not recognize.
- Always check for so-called “double-extended” scam attachments. A text file named “safe.txt” is safe, but a file called “safe.txt.exe” is not.
- Alert coworkers and friends of suspicious emails. RESULTS provides its employees with a Microsoft Outlook Plug-In called Catch Phish. This gives them a quick, easy way to analyze a potential phishing attempt and report it to the rest of the staff.
- Do not whitelist your own domain; this allows threat actors to bypass spam filtering simply by spoofing your domain.
- Do not respond to chain emails; that alerts potential malicious actors that you are receptive to targeted emails.
- Let employees know that they are being tested. There’s nothing as embarrassing as being the one employee caught in a phishing test. You can even have a little fun with it. At RESULTS, if someone clicks on a phishing test, they are the lucky recipient of our Big Mouth Billy Bass trophy that sings “Take Me to The River.” It’s embarrassing but fun.
- If you suspect a malicious sender, you can utilize a header analyzer like the one from MXToolbox (https://mxtoolbox.com/EmailHeaders.aspx). This can be a valuable tool to verify a sender’s address.
- If you are expecting an attachment but are not 100% sure of its safety, VirusTotal offers another free tool that will help analyze it (https://www.virustotal.com/gui/home/upload). Do not upload any documents containing potentially sensitive PII, as that is always a concern, but if you want to be sure whether something is safe or not, this is a fantastic tool.
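As an added illustration of the attachment and domain checks in the tips above (example code, not from RESULTS Technology or any product it mentions), the following Python checker flags executable and “double-extended” attachment names and tells a real subdomain of microsoft.com apart from a lookalike such as www.support.microsoft.software.com. The RISKY_EXTENSIONS set and the sample message are constructed assumptions, not values from the page.

```python
from typing import List, Optional
from urllib.parse import urlparse

# File types the tips above call out, plus a few other Windows-executable types (assumed set).
RISKY_EXTENSIONS = {"exe", "scr", "bat", "com", "cmd", "pif", "vbs", "js", "ps1"}

def attachment_risk(filename: str) -> Optional[str]:
    """Reason an attachment name is risky, or None. Only the LAST extension
    decides, so a double-extended name such as safe.txt.exe is still flagged."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in RISKY_EXTENSIONS:
        return None
    if len(parts) == 3:
        return f"double extension .{parts[1]}.{parts[2]}"
    return f"executable extension .{parts[1]}"

def link_verdict(url: str, trusted_domain: str, brand: str) -> str:
    """'trusted' if the host is trusted_domain or a subdomain of it, 'lookalike'
    if it merely mentions the brand elsewhere, otherwise 'unrelated'. The dot
    boundary is what separates www.microsoft.com from
    www.support.microsoft.software.com (registered domain: software.com)."""
    if "://" not in url:  # a bare host, as shown when hovering over a link
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")  # hostname is lowercased
    trusted_domain = trusted_domain.lower()
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "trusted"
    if brand.lower() in host:
        return "lookalike"
    return "unrelated"

def scan_message(attachments: List[str], links: List[str],
                 trusted_domain: str = "microsoft.com", brand: str = "microsoft") -> List[str]:
    """Human-readable findings for one message's attachment names and link URLs."""
    findings = []
    for name in attachments:
        reason = attachment_risk(name)
        if reason:
            findings.append(f"attachment {name!r}: {reason}")
    for url in links:
        if link_verdict(url, trusted_domain, brand) == "lookalike":
            findings.append(f"link {url!r}: lookalike of {trusted_domain}")
    return findings

if __name__ == "__main__":
    # Constructed sample message, not taken from any real campaign.
    print(scan_message(["invoice.pdf", "safe.txt.exe", "update.scr"],
                       ["https://www.microsoft.com/download",
                        "http://www.support.microsoft.software.com/login"]))
```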
Remember, even with the best firewall, antivirus and fully security-patched systems, you are still vulnerable to malware and phishing attempts. Proper security awareness training is key to a comprehensive cybersecurity program.
As always, don’t hesitate to contact us if you need help or have questions.
Mike Gilmore is the Chief Compliance Officer of RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years of experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.