Don’t Let Your Guard Down: The Challenges of Phishing
Even savvy tech users can get nailed by someone actively trying to trick them via a phishing email. What can you do to keep your association’s employees—and your organization’s data—safe?
Whether a fluke or by skill, I pulled off a pretty impressive trick last week. As of this writing, I am one of two people, out of hundreds, to have beaten an incredibly challenging game with flying colors.
That game is the Phish Quiz Challenge, offered by the security awareness service PhishGoggles as a part of National Cybersecurity Awareness Month. It goes like this: You’re asked to check out a bunch of emails, each for 30 seconds at a time, and then to determine whether each is real or a phishing scam. Some are harder to figure out than others.
So, how did I get 100 percent? I won’t reveal my exact secrets (you owe it to yourself to take the quiz), but I will say that the tells aren’t always obvious. It’s a hard test, as it should be, because the reality is that phishing attempts are getting harder and harder to detect.
And that’s a scary problem, according to Gary Grabowski, vice president of Summit Business Technologies, the firm that operates PhishGoggles. He says that, for the average user, there’s a clear lesson hiding in those messages that tripped up so many during the quiz.
“You should be suspicious of every email; that’s the overarching message in that quiz,” he said in an interview. “Even messages that appear to come from very legitimate vendors should be viewed as suspicious.”
You might be better off not clicking on links in emails at all, he said, even in cases where you think you know the source.
“If your friend sends you a link [and says], ‘Hey, you really have to check out this video,’ unless you’ve just had a conversation with them, I wouldn’t click any of those links,” Grabowski said, noting that the sophistication of phishing attacks has come a long way from the Nigerian email scams of yore.
Such attacks have gained significant notice in recent months—and not just on email, either. The University of Toronto’s Citizen Lab, a research organization focused on human-rights issues, recently noted that the Pegasus spyware, which exploits a vulnerability in older versions of iOS, has remained a prominent attack vector against nonprofits, government bodies, and journalists around the world, despite the fact that Apple patched the vulnerability in an iOS update more than two years ago. As a result of the report, the Committee to Protect Journalists, an advocacy group, put out an alert warning reporters of coordinated attacks based on Pegasus, delivered through spear phishing over email, text messages, and other forms of communication.
While odds are low that Pegasus is a threat to associations specifically, especially if they update their software, you need to be on the lookout for phishing scams. As my colleague Tim Ebner noted earlier this year, the Association of Certified Fraud Examiners somewhat ironically fell victim to a phishing scam that targeted members. The scammers may have taken advantage of ACFE’s online directory of certified fraud examiners.
Grabowski strongly discourages associations from relying on such publicly accessible lists. But if an organization believes it has to make such lists available to members, journalists, or the general public, he recommends working with web developers to make sure email addresses and other sensitive information are “human-readable, but not bot-readable.”
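One way to put that “human-readable, but not bot-readable” advice into practice, as an added example that is not from the article or from PhishGoggles: the server emits each directory address as two reversed, entity-encoded halves in data attributes, and a small client script puts them back together when the page renders. The sample address and the function names are constructed for the demo.

```javascript
// Added example, not code from the article or from PhishGoggles.
// A harvesting bot grepping the raw HTML for "name@domain" finds nothing;
// a browser decodes the attributes and a tiny script rebuilds the address.

const SAMPLE_ADDRESS = "jane.doe@example.org"; // constructed, not a real person

// Reverse a string and turn every character into a decimal character
// reference, so neither the literal text nor its order is in the page source.
function encodePart(part) {
  return part.split("").reverse()
    .map(ch => "&#" + ch.charCodeAt(0) + ";")
    .join("");
}

// Server-side step: render the directory entry. The "@" is never emitted.
function renderDirectoryEntry(address) {
  const [user, domain] = address.split("@");
  return `<span class="dir-email" data-u="${encodePart(user)}" data-d="${encodePart(domain)}"></span>`;
}

// What the browser's HTML parser does to an attribute value: resolve the
// numeric character references. Spelled out here so the example runs in Node.
function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, code) => String.fromCharCode(Number(code)));
}

// Client-side step: read both attributes, undo the reversal, join with "@".
// In a real page you would read el.dataset.u / el.dataset.d (already decoded).
function revealAddress(markup) {
  const u = /data-u="([^"]*)"/.exec(markup)[1];
  const d = /data-d="([^"]*)"/.exec(markup)[1];
  const unscramble = enc => decodeEntities(enc).split("").reverse().join("");
  return unscramble(u) + "@" + unscramble(d);
}

// The pattern a bulk harvester typically greps raw HTML for.
function scraperFindsAddress(markup) {
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(markup);
}

const markup = renderDirectoryEntry(SAMPLE_ADDRESS);
console.log(markup);                      // only &#NN; references, no "@"
console.log(scraperFindsAddress(markup)); // false
console.log(revealAddress(markup));       // jane.doe@example.org
```

This only raises the cost for scrapers that read static HTML; a headless browser that executes the page script and reads the rendered DOM still sees the address, so treat it as one layer alongside rate limiting and not publishing addresses you do not have to.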
Of course, employees might also contribute to security problems by reusing and sharing account passwords. Grabowski noted that your IT department should consistently reinforce commonsense data security practices.
His advice? Launch a training program for employees to ensure that there’s a clear baseline of what good security actually is. “Focus on educating your users about commonsense security by making them aware of what the commonsense elements are,” he said.
It could be just the thing that prevents your organization from facing the financial and organizational pain that comes from a phishing attack.