Phishing emails continue to rise, and they remain the most common way that organisations are compromised. Both at home and at work, we all need to be vigilant against phishing: the right phish at the wrong time can catch us all.
And, while email remains the most common way that cyber criminals phish us, it's important to be aware that phishing can take place over any channel. We're seeing more and more phishes over SMS text message, social media, phone calls, and messaging apps like WhatsApp.
So, what can we do to spot a phish? Traditionally, security professionals would give the advice to 'avoid clicking on suspicious links'. I've always found this pretty hilarious / depressing. If only it were that easy! But, I guess it's one better than the often-shared 'avoid clicking on links'. Links were designed to be clicked on!
Other advice includes looking out for grammatical or spelling errors, checking the sender's address (by clicking on it to expand it) and hovering over the link to see where it is pointing.
There are many problems with all of this advice. Phishing messages don't always include grammatical or spelling errors (and the ones that do, sometimes do so on purpose, as I spoke about here). It's impossible to expand the sender's address or hover over the link on some devices. The latter advice also ignores the fact that phishing messages don't always include malicious links. Many have malicious attachments or encourage the recipient to share information or transfer money. Others are designed to lure targets in, for example warming them up to social engineering that then follows over a phone call.
And, that's before we even talk about how much more confusing this all is when many legitimate emails look a bit phishy. I'll never forget the time that I received a legitimate email with this disclaimer at the bottom:
Cyber criminals evolve their tactics. When we just teach a tactical response to phishing, we don't build resilience and we fail to future-proof our defences. The best defence against phishing is a mindset.
For many years now, I've been teaching people to adopt an anti-phishing mindset when I deliver awareness-raising. And this is what I wanted to share in this blog post. Rather than training people in a tactical response to phishing, help them tune into an emotional response.
I teach people to tune into communications that:
are unexpected
make them feel something
ask them to do something
With this mindset as a foundation, I encourage people to then check with the supposed sender by another channel to see if it was legitimate - or, with corporate clients, to simply report it as a suspected phish. People will always click links or download attachments; encouraging them to report suspected phishes is far more important.
Not every phish will prompt an emotional response in the recipient. But the ones that do make the recipient feel worried, scared, curious, flattered or hurried are the ones that are more likely to be successful. They are the ones that cloud our judgement and push us into acting before we think.
I spoke about this in my session at the World Government Summit in Dubai last week. You can watch a recording of my talk here:
By developing (and teaching) an anti-phish mindset, we move away from a tactical response to social engineering and into a strategic response. We empower people to be more resilient and we undermine the tactics of cyber criminals. They will keep evolving their methods - for example, I've been predicting for a while now that they are likely to start using deepfake technology more and more.
We need to change the rules of the game and elevate our response, away from tactics and into strategy.
To find out more about our cyber security awareness-raising services, get in touch.
And to be the first to receive our blog posts, sign up to our mailing list.