Keep valuable data safe from even the most sophisticated social engineering and phishing attacks

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.

* Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
* Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
* Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
* Develop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.
Page count: 514
Cover
Table of Contents
Title Page
Introduction
Who This Book Is For
What Is Covered in This Book
How to Contact Wiley or the Author
PART I: Introduction to Social Engineering Security
CHAPTER 1: Introduction to Social Engineering and Phishing
What Are Social Engineering and Phishing?
How Prevalent Are Social Engineering and Phishing?
Summary
CHAPTER 2: Phishing Terminology and Examples
Social Engineering
Phish
Well-Known Brands
Top Phishing Subjects
Stressor Statements
Malicious Downloads
Malware
Bots
Downloader
Account Takeover
Spam
Spear Phishing
Whaling
Page Hijacking
SEO Pharming
Calendar Phishing
Social Media Phishing
Romance Scams
Vishing
Pretexting
Open-Source Intelligence
Callback Phishing
Smishing
Business Email Compromise
Sextortion
Browser Attacks
Baiting
QR Phishing
Phishing Tools and Kits
Summary
CHAPTER 3: 3x3 Cybersecurity Control Pillars
The Challenge of Cybersecurity
Compliance
Risk Management
Defense-In-Depth
3x3 Cybersecurity Control Pillars
Summary
PART II: Policies
CHAPTER 4: Acceptable Use and General Cybersecurity Policies
Acceptable Use Policy (AUP)
General Cybersecurity Policy
Summary
CHAPTER 5: Anti-Phishing Policies
The Importance of Anti-Phishing Policies
What to Include
Summary
CHAPTER 6: Creating a Corporate SAT Policy
Getting Started with Your SAT Policy
Necessary SAT Policy Components
Example of Security Awareness Training Corporate Policy
Acme Security Awareness Training Policy: Version 2.1
Summary
PART III: Technical Defenses
CHAPTER 7: DMARC, SPF, and DKIM
The Core Concepts
A US and Global Standard
Email Addresses
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Configuring DMARC, SPF, and DKIM
Putting It All Together
DMARC Configuration Checking
How to Verify DMARC Checks
How to Use DMARC
What DMARC Doesn't Do
Other DMARC Resources
Summary
CHAPTER 8: Network and Server Defenses
Defining Network
Network Isolation
Network-Level Phishing Attacks
Network- and Server-Level Defenses
Summary
CHAPTER 9: Endpoint Defenses
Focusing on Endpoints
Anti-Spam and Anti-Phishing Filters
Anti-Malware
Patch Management
Browser Settings
Browser Notifications
Email Client Settings
Firewalls
Phishing-Resistant MFA
Password Managers
VPNs
Prevent Unauthorized External Domain Collaboration
DMARC
End Users Should Not Be Logged on as Admin
Change and Configuration Management
Mobile Device Management
Summary
CHAPTER 10: Advanced Defenses
AI-Based Content Filters
Single-Sign-Ons
Application Control Programs
Red/Green Defenses
Email Server Checks
Proactive Doppelganger Searches
Honeypots and Canaries
Highlight New Email Addresses
Fighting USB Attacks
Phone-Based Testing
Physical Penetration Testing
Summary
PART IV: Creating a Great Security Awareness Program
CHAPTER 11: Security Awareness Training Overview
What Is Security Awareness Training?
Goals of SAT
Senior Management Sponsorship
Absolutely Use Simulated Phishing Tests
Different Types of Training
Compliance
Localization
SAT Rhythm of the Business
Reporting/Results
Checklist
Summary
CHAPTER 12: How to Do Training Right
Designing an Effective Security Awareness Training Program
Building/Selecting and Reviewing Training Content
Additional References
Summary
CHAPTER 13: Recognizing Rogue URLs
How to Read a URL
Most Important URL Information
Rogue URL Tricks
Summary
CHAPTER 14: Fighting Spear Phishing
Background
Spear Phishing Examples
How to Defend Against Spear Phishing
Summary
CHAPTER 15: Forensically Examining Emails
Why Investigate?
Why You Should Not Investigate
How to Investigate
Examining Emails
Clicking on Links and Running Malware
Submit Links and File Attachments to AV
The Preponderance of Evidence
A Real-World Forensic Investigation Example
Summary
CHAPTER 16: Miscellaneous Hints and Tricks
First-Time Firing Offense
Text-Only Email
Memory Issues
SAT Counselor
Annual SAT User Conference
Voice-Call Tests
Credential Searches
Dark Web Searches
Social Engineering Penetration Tests
Ransomware Recovery
Patch, Patch, Patch
CISA Cybersecurity Awareness Program
Passkeys
Avoid Controversial Simulated Phishing Subjects
Practice and Teach Mindfulness
Must Have Mindfulness Reading
Summary
CHAPTER 17: Improving Your Security Culture
What Is a Security Culture?
Seven Dimensions of a Security Culture
Improving Security Culture
Other Resources
Summary
Conclusion
Acknowledgments
About the Author
Index
Copyright
Dedication
End User License Agreement
Chapter 5
Table 5.1 Phishing Failure Consequences
Chapter 11
Table 11-1 SAT Program Components
Chapter 1
FIGURE 1-1 Common type of phishing email.
FIGURE 1-2 List of root causes of ransomware from KnowBe4's “The Root Causes...
FIGURE 1-3 Three-action check to help prevent social engineering and phishin...
Chapter 2
FIGURE 2-1 Example of a common type of phishing email.
FIGURE 2-2 Example of a phishing email with a sophisticated stressor stateme...
FIGURE 2-3 Example of a simulated calendar phishing invite being created.
FIGURE 2-4 An example of a LinkedIn romance scam attempt.
FIGURE 2-5 An example of a fake local electricity billing call.
FIGURE 2-6 An example of a callback phishing.
FIGURE 2-7 A common example of a smishing message.
FIGURE 2-8 A common smishing example using a short code.
FIGURE 2-9 Examples of various websites asking for permission to send notifi...
FIGURE 2-10 An example of a malicious website asking for notification permis...
FIGURE 2-11 An example of a legitimate QR code.
Chapter 3
FIGURE 3-1 Some of the PCI-DSS's requirements to mitigate the impact of soci...
FIGURE 3-2 Risk management “heat map”.
FIGURE 3-3 A graphical representation of how to do a defense-in-depth gap an...
FIGURE 3-4 The 3x3 cybersecurity control pillars.
Chapter 4
FIGURE 4-1 A partial excerpt from the University of Pennsylvania's Acceptabl...
FIGURE 4-2 A partial excerpt from the University of Pennsylvania's Security ...
Chapter 5
FIGURE 5-1 A real-world phishing email posing as being from KnowBe4.
FIGURE 5-2 The basic logic for spotting phishing and social engineering.
FIGURE 5-3 KnowBe4's “Social Engineering Red Flags” PDF poster.
FIGURE 5-4 KnowBe4's “The Red Flags of Rogue URLs” PDF poster.
FIGURE 5-5 KnowBe4's easy way to report phishing emails.
Chapter 6
FIGURE 6-1 NIST document excerpt requiring an SAT program.
FIGURE 6-2 PCI DSS requirement to have an SAT program, data taken from www.p...
FIGURE 6-3 Excerpt from HIPAA requiring an SAT program.
FIGURE 6-4 The KnowBe4 Phish Alert Button (PAB).
Chapter 7
FIGURE 7-1 Excerpt from the 2021 National Defense Authorization Act discussi...
FIGURE 7-2 Email excerpt showing sender's email addresses.
FIGURE 7-3 An example of a real-world phishing email with Friendly From name...
FIGURE 7-4 An example of a phishing email showing the stark difference betwe...
FIGURE 7-5 An example of a legitimate marketing email with disjointed email ...
FIGURE 7-6 Real-world phishing email claiming to be from Netfix, but with a ...
FIGURE 7-7 Legitimate mass marketing email showing aligned 5321 and 5322 ema...
FIGURE 7-8 An example of an SPF pass.
FIGURE 7-9 An SPF check failure on a real-world phishing email.
FIGURE 7-10 An SPF pass on a real-world phishing email.
FIGURE 7-11 An example of a DKIM DNS record showing a DKIM public key.
FIGURE 7-12 DKIM digital signature examples.
FIGURE 7-13 Email header excerpt showing a verified DKIM signature (i.e., dk...
FIGURE 7-14 Email header excerpt showing a DKIM failure (i.e., dkim=fail).
FIGURE 7-15 KnowBe4's DMARC DNS record as shown by an online DMARC lookup to...
FIGURE 7-16 Real-world phishing email showing failed DMARC validation check....
FIGURE 7-17 EasyDMARC's summary of DMARC options, including reporting option...
FIGURE 7-18 How DMARC, SPF, and DKIM validation checks flow.
FIGURE 7-19 Results of running the DMARC checking tool against knowbe4.com ...
FIGURE 7-20 An example of DMARC outcomes displayed by Gmail.
Chapter 8
FIGURE 8-1 Man-in-the-Middle (MitM) MFA phishing attack represented graphica...
FIGURE 8-2 An example of a push-based logon prompt.
FIGURE 8-3 Percentage of phishing attacks hosted on valid HTTPS-enabled webs...
FIGURE 8-4 An example of a KnowBe4 PhishRIP phish hunting query.
FIGURE 8-5 An example of sandboxing being performed by Microsoft O365.
FIGURE 8-6 An example of Reputation-based service options configurable in Mi...
FIGURE 8-7 An example of a domain WHOIS query showing the domain's Creation ...
Chapter 9
FIGURE 9-1 An example of a browser window on one website opening up another ...
FIGURE 9-2 An example of a full-screen scareware warning.
FIGURE 9-3 An example of a browser notification instance asking for permissi...
FIGURE 9-4 Settings area where browser notifications can be allowed or block...
FIGURE 9-5 An example of email security settings in Microsoft Outlook.
FIGURE 9-6 Summary of the author's recommended authentication/password polic...
FIGURE 9-7 Excerpt of DMARC results from an example email header.
Chapter 10
FIGURE 10-1 An example of hypervisor technology being enabled in a computer ...
FIGURE 10-2 An example of KnowBe4's Domain Doppelgänger tool being run...
Chapter 11
FIGURE 11-1 A real-world example of a smishing message pretending to be from...
FIGURE 11-2 A real-world example of a smishing message pretending to be from...
FIGURE 11-3 An example of Kevin Mitnick's training video.
FIGURE 11-4 An example of immediate automated feedback upon failing a simula...
FIGURE 11-5 An example of SAT Program components over time.
Chapter 13
FIGURE 13-1 An example of a URL and its components.
FIGURE 13-2 Two examples of URLs with the DNS domain portion highlighted bet...
FIGURE 13-3 An example of a URL with a resource path followed by the resourc...
FIGURE 13-4 An example of a URL ending with a resource name.
FIGURE 13-5 An example format of a URL variable.
FIGURE 13-6 An example of a URL containing multiple variables separated by t...
FIGURE 13-7 An example of a URL with the DNS domain highlighting between bra...
FIGURE 13-8 Examples of completely different domains that look similar.
FIGURE 13-9 A real-world URL example.
FIGURE 13-10 A real-world example of a phishing URL pretending to be from Ba...
FIGURE 13-11 A real-world phishing URL pretending to be from PayPal.
FIGURE 13-12 An example of a rogue Microsoft look-alike domain.
FIGURE 13-13 A real-world example of a phishing URL claiming to belong to Pa...
FIGURE 13-14 An example of a phishing URL pretending to be from Google.
FIGURE 13-15 An example of a phishing website pretending to be PayPal.
FIGURE 13-16 A real-world example of a phishing message pretending to be ass...
FIGURE 13-17 An example of a real-world phishing URL pretending to be from M...
FIGURE 13-18 An example of a real-world phishing email address.
FIGURE 13-19 A real-world example of a smishing message pretending to be fro...
FIGURE 13-20 Partial Rendition of ASCII Chart.
FIGURE 13-21 Partial Base64 encoding chart.
FIGURE 13-22 An example of a QR code, created on bit.ly, representing a URL ...
FIGURE 13-23 An example of a malicious open redirect attack affiliated with ...
FIGURE 13-24 An example of a real-world phishing using the RLO trick.
Chapter 14
FIGURE 14-1 Two common traits of suspicious phishing messages.
Chapter 15
FIGURE 15-1 Real-world examples of disjointed email addresses.
FIGURE 15-2 A real-world phishing example of an email DNS domain not matchin...
FIGURE 15-3 A real-world example of a phishing message with a three-part dis...
FIGURE 15-4 A real-world example of a phishing email with what looks like a ...
FIGURE 15-5 A real-world phishing example giving the user “instructions” on ...
FIGURE 15-6 A real-world example of a phishing email with a file attachment ...
FIGURE 15-7 Email header in Microsoft Outlook.
FIGURE 15-8 Good representative email header example with multiple instances...
FIGURE 15-9 An Nslookup DNS query.
FIGURE 15-10 An example of using an IP address location service.
FIGURE 15-11 Header information from the second phishing email claiming to b...
FIGURE 15-12 IP address information returned for the second Bank of America ...
FIGURE 15-13 An example of an “x-originating-ip” label in an email header.
FIGURE 15-14 Summary representation of foreign phishers using another countr...
FIGURE 15-15 An example of a Whois query run on a domain related to the real...
FIGURE 15-16 An example of a blocklist check of a suspected phishing domain....
FIGURE 15-17 An example of an X-header.
FIGURE 15-18 An example of malware submitted to VirusTotal.
FIGURE 15-19 Suspected phishing email.
Roger A. Grimes with Dr. John N. Just
Social engineering has been around since the beginning of humanity, and phishing has been around at least since the beginning of networked computers. I can remember my first brush with social engineering via computers in 1987. This was before most people had even heard of something called the Internet and before most people had personal computers. Many of us early adopters were on a precursor of the Internet called the FIDONet. Back in those days, you would use a 300 or 1200 BAUD or BPS (Bits Per Second) dial-up analog modem to call your local BBS (Bulletin Board System). This system would use a crude “store-and-forward” technology that would transmit and receive messages and files around the world in a day or so. We thought it all was pretty cutting-edge.
On one of the BBSs, I came across a downloadable text file named “How to Get a Free HST Modem.” HST modems, made by US Robotics, were the fastest and best modems available at the time. They ran at an incredible 9600 BPS. They were expensive enough that only a few lucky, monied, people had them. They were mostly only used by Fortune 500 companies and well-funded universities. This file promised to tell anyone who read it how to obtain a free one. It was too enticing to pass up.
I opened up the file, and inside it was only text that said, “Steal One!” “Well, that was disappointing!” I thought. Then the very next keyboard key I pressed formatted (i.e., permanently erased) my hard drive and rendered my computer useless. Well, at least until I reinstalled the operating system and redid everything all over again. I lost all files.
It turns out the file was something called an “ansi-bomb.” It was a malicious file that took advantage of a feature of a legitimate operating system file called ansi.sys. Ansi.sys was a part of Microsoft's DOS operating system, which most of us ran at the time. Ansi.sys was an optional file that allowed users to have extended, “cool,” features for their screen and keyboard, such as displaying special graphics and characters on your screen. It also allowed savvy users to map sequences of commands to a single key on their keyboard. It was meant to allow people to create “macros”—an automated shortcut that triggered a longer sequence of key presses. You could hit one or two keys and automate what would otherwise be a bunch of other key presses. Some malicious jerk had created a malicious file that instructed ansi.sys to map all the keys on the user's keyboard to format the user's hard drive when the next key was pressed.
It was a lesson learned.
There are malicious people in the world who want to harm other innocent people for no other reason than they can. Not everyone in the world is friendly and helpful, especially to strangers.
Now, the impact of social engineering and phishing on cybercrime has been driven home to me tens of thousands of times during my career. Today, nearly everyone understands that social engineering and phishing are responsible for more cybercrime than any other single initial root cause method. No other root cause of hacking is even close. But just a decade ago, even though it was true then, it wasn't as well known by all cybersecurity defenders. I think everyone knew social engineering and phishing were a problem, but few knew exactly how big a problem it was. Few defenders knew it was the number one problem by far. Even I didn't.
I worked as a Principal Security Architect for Microsoft Corporation for nearly 11 years, from 2007 to 2018. For much of that time, I did security reviews for customers and installed Public Key Infrastructures (PKI) and advanced security defense systems. I was promoted, usually well-liked by clients, and always installed systems on time and on budget, which isn't so normal in the computer industry. For years I felt like I was greatly helping to protect my customers.
Then I realized that every single customer I had, no matter what defenses we installed, was still falling prey to hackers and malware. This was despite installing the best computer security defense systems possible. Why? It was almost always due to social engineering (and, secondarily, unpatched software). Even though all my customers were spending hundreds of thousands to millions of dollars to protect themselves using the most advanced systems the industry could imagine and deliver, what was taking them down was the same thing that had most often been taking down companies since the beginning of computers: social engineering. And usually, phishing.
That realization occurred to me in about 2016. It made me depressed. Instead of seeing myself as part of the solution, I realized I wasn't really helping my clients to avoid hackers and malware. What I was doing was more smoke and mirrors. I was wasting their time and money. But it wasn't like I was alone. Most computer security companies and consultants did what I did, which was concentrating on everything but defeating social engineering and phishing, even though they were clearly the biggest problem by far. Still, it bothered me tremendously.
I eventually wrote the first edition of a book about my realization, A Data-Driven Defense: A Way to Improve Any Computer Defense (www.amazon.com/Data-Driven-Computer-Defense-Should-Using/dp/B0BR9KS3ZF) in 2018. The book sold over 50,000 copies (over three editions), and its premise—social engineering is most companies’ biggest cybersecurity threat—led me to work for my current employer, KnowBe4.
The CEO of KnowBe4, Stu Sjouwerman, was one of the first people to read my book and understood its value in not only recognizing the importance of fighting phishing and social engineering but also in creating an effective cybersecurity defense using data. In April 2018, Stu offered me a job and I accepted. I was delighted. Not only was I going to start working for a leading firm in security awareness training, which is one of the best ways to fight social engineering and phishing, but I was also going to be able to concentrate on helping customers fight the biggest weakness in their cybersecurity defense as my primary job. I was pretty elated and remain so to this day.
In the over five years since, as KnowBe4's Data-Driven Defense Evangelist, I have taught hundreds of in-person presentations and online webinars. You can see many of my webinars here: www.knowbe4.com/webinar-library. You can download and read many of my whitepapers here: www.knowbe4.com/security-awareness-whitepapers. And you can request that I do a presentation to your company here: www.knowbe4.com/security-awareness-training-advocates. You can see dozens of my presentations for free on YouTube. I speak about a lot of topics beyond social engineering, including multifactor authentication, quantum, ransomware, passwords, password managers, nation-state hacking, and cryptocurrencies, but most of my presentations include something about fighting social engineering and phishing even if that isn't the primary topic. I never miss a chance to educate listeners about the importance of focusing on preventing social engineering and phishing.
There is nothing else most organizations could do better to reduce their existing cybersecurity risk than to reduce social engineering and phishing threats. This book is the best advice for today's world to help you fight social engineering and phishing. I don't know of another source that has more coverage and suggestions. Not humbly, I think I can best teach anyone how to reduce their social engineering and phishing risk. I break down many of the necessary critical lessons and processes into the simplest recommendations and charts you'll see anywhere. I cover every policy, technical defense, and education best practice you should be following to best stop social engineering and phishing.
Do you want to know how to best reduce cybersecurity risk from social engineering and phishing? Read this book.
This book is for anyone interested in fighting social engineering and phishing attacks: from entire organizations to single individuals, from dedicated anti-phishing employees to IT managers, and for any IT security practitioner. Because the book contains large, distinct sections dedicated to policy and formal security awareness training programs, it can be argued that it is more appropriately focused on organizations, ranging in size from small businesses to the Fortune 500. But individuals and organizations of any size will benefit from learning the recommendations and best practices contained in this book. Many of the lessons in this book should be shared with friends and family, and many of them are universal. This is the book I wish I had read when I first got into the industry.
Fighting Phishing: Everything You Need to Know to Fight Social Engineering and Phishing contains 17 chapters separated into 4 parts.
Part I: “Introduction to Social Engineering Security.”
Part I will begin by introducing all the data and terminology associated with social engineering and phishing. There are dozens of distinct definitions that will help you better understand and talk about social engineering and phishing. Part I ends with a discussion about the three necessary components needed in any computer security defense, including one that fights social engineering and phishing.
Chapter 1: “Introduction to Social Engineering and Phishing.”
Chapter 1 discusses the data and facts around social engineering and phishing and why it is so important to defeat if you want to defeat hackers and malware. If you need to prove to management the importance of fighting social engineering and phishing in your organization, this chapter will help you deliver that argument.
Chapter 2: “Phishing Terminology and Examples.”
Chapter 2 describes the dozens of definitions related to social engineering and phishing. There are many different types of social engineering and phishing, and understanding the differences will help you better understand the threat and how to best fight it. Different types of social engineering and phishing require different types of defenses. Many different examples of phishing attacks will be presented.
Chapter 3: “3x3 Cybersecurity Control Pillars.”
All security defenses require a best risk-managed, defense-in-depth, combination of policies, technical defenses, and education to best fight cyber threats. Chapter 3 covers compliance, risk management, defense-in-depth, and the three defensive pillars all defenders must know and deploy to fight hackers and malware, not just against social engineering, but any cyber threat.
Part II: “Policies.”
Part II discusses all the general and specific policies that any organization should create and deploy to help fight social engineering and phishing.
Chapter 4: “Acceptable Use and General Cybersecurity Policies.”
Chapter 4 covers general Acceptable Use Policies and general cybersecurity policies that every organization should create and deploy to minimize cybersecurity risk. As part of the cybersecurity policy section, many general best practice security recommendations will be covered. Cybersecurity education begins with good policies and this chapter begins that educational process.
Chapter 5: “Anti-Phishing Policies.”
Chapter 5 covers all the specific policies that every organization needs to create and deploy to minimize social engineering and phishing.
Chapter 6: “Creating a Corporate SAT Policy.”
Chapter 6 is for larger organizations that require an official security awareness training program policy. It covers all the components a security awareness training policy should contain and finishes with an example policy that can be used by readers to create their own.
Part III: “Technical Defenses.”
Part III covers all the software and hardware tools that someone can utilize to minimize social engineering and phishing attacks.
Chapter 7: “DMARC, SPF, and DKIM.”
Chapter 7 covers the Domain-Based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) anti-phishing standards and how to deploy them within your environment.
Chapter 8: “Network and Server Defenses.”
Chapter 8 covers the most common types of network-deployed and server-level cyber defenses used to fight social engineering and malware threats. It includes content-filtering firewalls and gateways, anti-phishing filters, and network connection mapping.
Chapter 9: “Endpoint Defenses.”
Chapter 9 covers the most common endpoint-deployed cyber defenses used to fight social engineering and malware. It includes anti-malware scanners, endpoint detection and response software, content filters, browser defenses, and email protections.
Chapter 10: “Advanced Defenses.”
Chapter 10 covers advanced defenses like using separate “red/green” systems, hypervisor-hardware-enforced isolation systems, DNS defenses, and sophisticated malware detection defenses.
Part IV: “Creating a Great Security Awareness Training Program.”
One of the most neglected parts of fighting social engineering and phishing is creating a GREAT security awareness training program. The last part of this book is dedicated to telling anyone how they can create a GREAT security awareness training program. If you follow what this section contains, you can help significantly reduce cybersecurity risk in your organization.
Chapter 11: “Security Awareness Training Overview.”
Chapter 11 gives a broad overview of how to create a sophisticated security awareness training program, including what it should contain, who should be involved, and what tools and methods should be used. If you want to know how to set up a great security training program, begin here.
Chapter 12: “How to Do Training Right.”
Great training doesn't just happen. It takes planning, preparation, logistics, and cooperation. Written by Dr. John Just, Chapter 12 covers the types and quality of training that all great security awareness training programs should have, including quizzing, next steps, and quality feedback loops.
Chapter 13: “Recognizing Rogue URLs.”
One of the best skills you can give anyone is how to recognize a phishing URL. Chapter 13 covers, in detail, how anyone can tell the difference between legitimate and rogue URLs. It includes dozens of examples of rogue URLs and how anyone can detect the fraudulent aspects.
Chapter 14: “Fighting Spear Phishing.”
Spear phishing is responsible for more successful data breaches than any other single threat and takes specific training to defeat. Chapter 14 discusses how you need to modify your “regular” security awareness training program to address the very real risk of spear phishing.
Chapter 15: “Forensically Examining Emails.”
Chapter 15 covers how to forensically examine any email to better determine if what you are looking at is a phishing email or not. It covers dozens of methods, including DMARC, reverse DNS lookups, domain name investigating, blocklisting, and physical address locating. If you have ever been stumped on whether an email you are looking at is a phishing email or not, this chapter is for you.
Chapter 16: “Miscellaneous Hints and Tricks.”
Chapter 16 covers suggestions and hints that didn't fit in other chapters, like strict anti-phishing policies, text-only emails, SAT counseling, and more.
Chapter 17: “Improving Your Security Culture.”
The Holy Grail in the computer security defense community is to create a lasting culture of pervasive cybersecurity in the organization so that everyone practices excellent cyber hygiene, resulting in a significant reduction in organizational cybersecurity risk. Chapter 17 will define the components of a security culture and discuss how you can get your organization there.
All together, these 17 chapters and the lessons and best practice recommendations they contain should allow anyone to craft their best, most efficient plan in fighting social engineering and phishing. I've tried to put the best possible defenses and best practice recommendations about fighting social engineering and phishing into this book. This should give you the techniques and tools to make your security stronger than ever. With that in mind, continue to fight the good fight!
Wiley strives to keep you supplied with the latest tools and information you need for your work. Please check the website at www.wiley.com/go/anti-phishing, where I'll post additional content and updates that supplement this book should the need arise. If you have any questions, suggestions, or corrections, feel free to email me at [email protected].
Part I includes three chapters that set a basic understanding of social engineering and phishing threats and finishes with the beginnings of what it takes to create a great defense-in-depth strategy. Chapter 1 discusses social engineering and phishing and why you need to defeat them if you are to have a successful defense. Chapter 2 covers phishing terminology along with many real-world examples. Chapter 3 discusses the 3x3 Cybersecurity Control Pillars and how every security defense must have policies, technical components, and education to be successful.
Chapter 1 is going to discuss the importance of fighting social engineering and phishing. If you have to persuade your boss or colleagues why fighting against these threats matters, this chapter is for you.
I think everyone knows what phishing is. It's hard to go an entire day without being exposed to it in some way. It's everywhere! We know it when we see it. Most of us are exposed to it daily, or nearly daily, usually through scam emails, text messages, or calls to our cell phones. Figure 1-1 shows a representative common example of a phishing email.
FIGURE 1-1 Common type of phishing email.
Figure 1-1 is an example of a very common type of phishing email, likely the most common, where the phisher is attempting to make it look like an official email from Microsoft asking for an account password. If a victim were to click on the “Keep same Password” button, they would be directed to a fake, look-alike website asking the victim to input their real account password. There are many classic signs of this being a phishing email, which we will be discussing in more detail in future chapters, but the most obvious is that the originating email address comes from some random email address in Japan (as indicated by the domain suffix of .jp) and not from microsoft.com, as a real email from Microsoft would.
Some people might wonder what the difference is between social engineering and phishing and why I call them out separately. Social engineering is a malicious fraud scam in which a perpetrator, often pretending to be someone else, a group, or a brand that a potential victim might implicitly trust more than an unknown person, attempts to get the victim to perform an action that is contrary to the victim's self-interests. The perpetrator doesn't always have to be unknown. The scammer could be someone the victim knows or even knows well (like a best friend or family member). But in today's digital world, most online digital scams are committed by people we don't know.
Social engineering is as old as humanity. There are many ancient, early written examples of people complaining of scams and being taken advantage of. You can find an example of an early financial scam documented back in 300 B.C. at www.investopedia.com/articles/financial-theory/09/history-of-fraud.asp.
Social engineering is exploiting the inherent trust one human gives another. We are built to trust each other by default. In general, this default trust serves us well. Most of what we do every day only works because our default assumptions and inherent trust in other human beings work most of the time without harming our interests. Most of our civilization only works because that trust is usually well-founded most of the time. But scammers take advantage of this default trust.
Commonly, scams are done for monetary advantage, but they can be done for many other reasons, such as romance, revenge, jealousy, physical harm, and really in response to any emotion, even happiness. People often socially engineer friends and loved ones into situations that will benefit all those involved (for example, a surprise birthday party or giving rewards for a desired behavior). In the context of this book, however, we are talking about malicious social engineering scams that involve one party intentionally harming another.
There are a lot of ways for someone to be socially engineered and scammed. Basically, any communication method between two parties can be used for a scam, including in-person, physical mail, phone calls, text messages, email, websites, instant messaging, collaboration apps, and social media. If there is a will there is a way to scam someone. It wouldn't surprise me to learn that various cultures throughout history scammed each other using carrier pigeons, semaphores, signal fires, or some other communication method.
Phishing is a type of criminal social engineering that involves online digital media. The most common form of phishing is done using email, but it can be done using any electronic communication channel, including websites, instant messaging, phone text messages, and even voice calls. I'll cover the different types of phishing in more detail in Chapter 2, “Phishing Terminology and Examples.” You will hear some people calling all forms of social engineering phishing, and that's OK because we all understand what the person is communicating in the entire context. It doesn't make sense to get caught up in an argument about whether an analog phone call is phishing or not. It's all bad. But you should understand that social engineering is broader than phishing no matter how you define either term. This book is designed to help people avoid all malicious social engineering, but it naturally has a strong focus on phishing given today's online digital world.
There is a lot of social engineering and phishing going on. Millions of people and companies lose billions of dollars each year to scammers. Phishing, because it is digital, easily scales. It is low cost and low risk (the vast majority of phishing scammers get away with their crime, at least for some years), and it can be performed on tens of millions of potential victims a day by a single perpetrator. All the phisher (i.e., a person who originates or spreads a phishing message) needs is a valid email address, account name, website address, or phone number, for themselves and the potential victims. Usually, they can easily get potential victim contact addresses in the many millions at one time.
A scammer doing an in-person scam can usually only attempt one scam at a time and is at far greater risk of being identified, detained, or arrested because of their physical presence. A phisher is almost more likely to be hit by lightning than to be identified or go to jail for phishing someone. Lifetime odds of being hit by lightning are about 1 in 15,300 (www.britannica.com/question/What-are-the-chances-of-being-struck-by-lightning).
But phishers who keep it up for long periods of time and cause substantial damage will usually come to the attention of defenders or law enforcement. They will eventually either be arrested or abandon the phishing scam they are perpetrating (to avoid being identified and caught). Most phishers, still remembering all the money they made from their earlier successes, keep going until they run out of luck (kind of like bank robbers). But not all phishers do this. Some retire from doing phishing scams with all their stolen loot and never having suffered negative consequences. But these are the rare ones. Most continue on until they suffer negative consequences. It can be difficult to remember that, especially when they seem so untouchable, and many are openly bragging about their ill-gotten gains and showing off their riches.
The problem is that most phishers will conduct tens to hundreds of millions of phishing scams before they end their participation, voluntarily or otherwise. And when they do, there is still the never-ending supply of other scammers willing to replace them. It is estimated that there are tens of thousands of phishing scammers pushing hundreds of millions of phishing scams on the Internet at any given moment. And it's not slowing down anytime soon.
The reason there are so many phishing scams and perpetrators willing to risk jail time is that there's just so much money to be made (in fact, stolen). Scammers are making billions a year. Not only are employees of businesses being targeted so scammers can get to the huge gobs of money that can be stolen from businesses, but regular people themselves are putting more and more of their money online, too. Today, most people's bank, credit card, investment, and retirement accounts are online. Sadly, as long as scams are profitable, low cost, and low risk, they will continue unabated.
A person, device, or network can be hacked in many ways. How prevalent are social engineering and phishing? First, you have to understand what other types of hacking social engineering and phishing are competing against. These methods include the following:
Programming bug (patch available or not available)
Authentication attack
Malicious instructions/scripting
Data malformation
Human error/misconfiguration
Eavesdropping/MitM
Side channel/information leak
Brute force/computational
Network traffic malformation
Insider attack
3rd-party reliance issue (supply chain/vendor/partner/etc.)
Physical attack
Together with social engineering, this is, to the best of my knowledge, an inclusive list of the methods used by hackers and malware to compromise people and devices. Every single compromise and exploit I have ever learned about started with an attack method that falls under one of these categories.
What most people don't know is how often each attack type (also known as the initial root access exploit) occurs relative to the others. There are sources that track and research the relative occurrence of each attack method. It turns out that social engineering is the number one most popular attack method by a big margin. Exploited unpatched software and firmware is the second most common attack type, and those two attack methods (i.e., social engineering and exploiting unpatched software and firmware) together account for 90% to 99% of cyberattacks. All the other attack types added together don't amount to more than 10% of attacks. Social engineering, by itself, is involved in 40% to 90% of all successful attacks, depending on which source you read and believe.
This section of the chapter will share my research and the findings of others in rendering how big of a percentage social engineering and phishing play in today's digital world.
My Research
I've been tracking the prevalence of social engineering and phishing as an initial root access cause as compared to the other 12 attack types for over 20 years. My data is based upon years of research, where I compared thousands of breaches listed in the Privacy Rights Clearinghouse Database (https://privacyrights.org) and tied them to their initial root causes. I was mostly interested in, “Why did the victim get hacked?”
The not-for-profit Privacy Rights Clearinghouse organization began tracking breaches in 2005. Today, its database contains information on over 20,000 different breaches. It is the largest public breach-tracking database of its kind. It used to be free to download, but it currently costs $250. That's not bad for the aggregate information it contains.
Even with the database as a starting point, it wasn't always easy to determine the initial root cause for a variety of reasons. First, not all breaches included a root cause in the database or related public reports. Only in about a third to half of the publicly reported cases did a public source list the root cause of the hack. Most of the time, I had to do more digging. In those cases, I first tried to use my best Google and Bing skills to find official documents or interviews where the root cause was discussed. This allowed me to find the initial root cause for another third of the cases. Lastly, I tried to email or call people involved in the case to get the root causes.
Other times, the root causes were incorrectly described in the database or related public sources. For example, many breaches were incorrectly tied to hacking or ransomware. Hacking doesn't tell me what occurred. It's all hacking. And ransomware is a potential outcome of an initial root cause, not a root cause itself. I would have to ask people, “How did the hacker or ransomware get into your company?” Sometimes they knew, and sometimes they didn't. But in the cases where I could determine an initial root cause exploit, social engineering was involved in at least 70% of the cases.
Over the decades, I've tracked unpatched software and firmware as being involved in 20% to 40% of the cases, depending on the year. Recently, in 2023, the computer security firm Mandiant said unpatched software and firmware were involved in 33% of successful breaches, so the percentages seem to be holding.
Also, in my career, I was given access to huge proprietary databases of multiple companies that were involved in investigating hundreds to thousands or more customer data breaches. Those databases also backed the high prevalence of social engineering in most attacks. So, my 70% claim isn't made lightly. It isn't just a gut feeling.
Other Social Engineering Studies
The status of social engineering as the number one root exploit cause by far is backed by nearly every study any vendor reports. My KnowBe4 colleague and friend, Javvad Malik, did a meta-analysis study (https://info.knowbe4.com/threat-intelligence-to-build-your-data-driven-defense) of a hundred vendor reports (from 43 different vendors) he retrieved from AlienVault's Open Threat Exchange (otx.alienvault.com). The percentage of attacks attributed to social engineering varied by report and vendor, but for almost every report, social engineering was the top threat. I've seen some reports temporarily list some other hacking root cause as the top root cause (e.g., remote access, password hacking, etc.), but usually those other categories were only the top vote-getter for a temporary period of time. Usually, social engineering or phishing showed up again as the top hacking cause in the next report and over the long term.
But most reports that track initial root causes list social engineering or phishing as their consistent top cause. This was the case 10 years ago and is still the case in nearly every vendor report I read today which discusses hacking root causes in aggregate. Most don't agree on the percentage of hacking attributed to social engineering or phishing, but they all agree that social engineering or phishing is the number one root hacking method. Recent years provide some noteworthy examples.
In August 2023, Comcast reported that 89.46% of attacks on their customers started with phishing (https://blog.knowbe4.com/customer-network-breaches-phishing). You can read the whole report here: https://business.comcast.com/community/docs/default-source/default-document-library/ccb_threatreport_071723_v2.pdf.
IBM's 2023 X-Force Threat Intelligence Index report (www.ibm.com/downloads/cas/DB4GL8YM) had phishing at a much lower percentage, but still the top cause, stating, “Phishing remains the leading infection vector, identified in 41% of incidents, followed by exploitation of public-facing applications in 26%.” Their 2022 report (https://securityintelligence.com/posts/expanding-ot-threat-landscape-2022) stated much of the same but had the percentage much higher, “Phishing continued to be the most prevalent initial access vector identified…” and “…phishing served as the initial infection vector in 78% of incidents X-Force responded to across these industries so far in 2022.”
Social engineering and phishing are a problem worldwide. The U.K.'s Official Government Statistics Cyber Security Breaches Survey 2022 (www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022) stated the following, “…the most common threat vector was phishing attempts (83%).”
In 2022, Kroll's Cyber Intelligence Report (www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q1-2022-threat-landscape-threat-actors-target-email-access-extortion) stated that phishing was involved in 60% of all attacks.
InfoBlox's 2022 Global State of Security Report (https://files.scmagazine.com/wp-content/uploads/2022/05/Infoblox-Main-Report.pdf) states, “The most successful mode of attack was phishing (58%).”
In May 2023, Barracuda Networks reported (www.barracuda.com/reports/spear-phishing-trends-2023) that although spear phishing only accounted for 0.1% of all email-based attacks, it accounted for 66% of successful compromises. That's huge for a single root cause!
So, much like Javvad Malik's meta-study revealed, vendors may not agree on the exact percentages, but they agree phishing is the number one cyber threat and it's a big one.
Why Do Social Engineering Statistics Vary So Much?
The main reasons different vendors report different social engineering statistics are the customers involved and the scope of the survey. Some vendors only include customers that they did direct business with. Some vendors work with mostly small businesses and others with large businesses. Some vendors specialize in particular industries, and others (like the UK report) are only surveying their country's organizations.
Another big reason is because, sadly, there is no agreed-upon standard set of initial root cause access categories. Many times, the vendors categorize a particular type of attack as a root access method when really it is the outcome of a root access method. For example, many vendors have a category called ransomware, remote access, or credential theft. All of those are outcomes of other root access methods. For example, if credential theft was involved, how did the credentials get stolen? I can tell you—probably through social engineering (although it can be other things too).
The Privacy Rights Clearinghouse database has a category called HACK, which it defines as “Hacked by an Outside Party or Infected by Malware.” This tells you almost nothing about how that particular hack occurred. Was it due to social engineering, unpatched software, or something else? Many vendors have a category entitled “Malware” or “Ransomware.” Again, how did that ransomware or malware actually exploit that system to get on it? There is a good chance that if all vendors agreed to use the same category descriptions, their social engineering category percentages would be larger than they report today.
It's Likely Larger, Much Larger!
It is likely that the social engineering stats that are reported, large as they already are, are drastically undercounting the true breadth of social engineering scams. One major reason for this is that most vendor reports only report on corporate or industry customers. Most reports do not survey people at home using their personal computers and phones. If they did, they would likely find that most have been targets of attempted social engineering, often through email, but also through SMS texting. Who among us hasn't been phished at home through our email, SMS messages, and even voice calls? Some days most of my text messages are scams. Most calls I get to my phone are scams. Has anyone been asked to extend their auto warranty lately? How many of us have had our parents and grandparents successfully scammed?
The US Federal Trade Commission (FTC) says US consumers lost $330M in 2022 alone (www.ftc.gov/news-events/news/press-releases/2023/06/new-ftc-data-analysis-shows-bank-impersonation-most-reported-text-message-scam). The FTC's stats undercount the true size of the losses because most people don't report their losses to law enforcement or the FTC.
If nearly everyone you know has been approached to be scammed via email and phone, how much larger should the social engineering stat be? Most people on social media (e.g., Facebook, Instagram, etc.) are routinely approached with scams on those services. I get an attempted scam on LinkedIn nearly every day. Have you ever tried to sell or buy something on Craigslist? The first contact you're likely to get is from a scammer. I've had a ton of friends who were either successfully scammed or almost scammed when trying to rent an apartment or vacation stay.
How about romance scams? The FTC reported (www.ftc.gov/news-events/data-visualizations/data-spotlight/2023/02/romance-scammers-favorite-lies-exposed) that over 70,000 people lost over $1.3B to romance scams in 2022. And these are just the people who reported it to the FTC, which has to be a tiny percentage of the total victims.
I think if any single source aggregated all types of initial root hacking methods across both personal and industry interests, the total percentage of people who have experienced social engineering and phishing attempts would be up in the high 90s. When nearly 100% of us have been potential victims of attempted scams each year, how could there be any other result?
Social engineering scams cost victims more than other types of hacking. According to IBM's 18th annual Cost of the Data Breach 2023 report (www.ibm.com/reports/data-breach), the average data breach cost from all causes is $4.45M, but is $4.76M for social engineering. Only malicious insider attacks were higher at $4.9M. The same report says that it takes an average of 234 days to detect a breach and 80 days to contain it.
Ransomware and BEC
In most recent years, ransomware and business email compromise (BEC) scams have been the top threat to most organizations. Ransomware is an attack where the perpetrators encrypt the victim's computers or data and ask for an extortion payment to decrypt. Ransomware gangs also often steal logon credentials (of businesses, employees, and customers), exfiltrate data, and publicly embarrass their victims (the combination of which is known in the media as double extortion).
Since at least 2018, ransomware has been a (or often the) top worry of business professionals. And businesses do have a reason to fear ransomware. Many different reports show that over 60% of all businesses suffer a ransomware attack each year. Ransomware usually causes significant operational disruption and high financial damage. Coveware states that the average ransom payment made in the first quarter of 2023 was $740,144 (the median was $190,424) (www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments). Even the lower median amount is a lot of money. Sophos puts the average ransomware payment at $1.5M and the average cost of remediation at $1.4M (https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf). Most reports claim that the costs of remediation usually exceed the cost of the ransom. Sophos says the average downtime due to ransomware is a month, but most ransomware victims report continuing operational issues due to the ransomware even 6 months to a year later. Some victims are put out of business forever.
Adrian Sanabria keeps an informal list of businesses shut down by cyberattacks, and it contains many ransomware incidents. See https://docs.google.com/spreadsheets/d/15CTPcgZQenWKDLDTQ2ibveUM4i7Of_n20TzdTi23xcg/edit#gid=0, but since this is a personal spreadsheet, open at your own risk.
It's clear that ransomware is a serious risk and can cause significant monetary damages and operational downtime. It will probably not surprise you to learn that most ransomware attacks begin with social engineering. In July 2021, I looked for every ransomware report I could find that listed the initial root access methods of how the ransomware exploited the victim. I found over 100 reports but unfortunately only six reports (shown in Figure 1-2) discussed root access methods. I created a whitepaper called “The Root Causes of Ransomware” (https://info.knowbe4.com/wp-root-causes-ransomware). Figure 1-2 is from that whitepaper.
As you can see, social engineering is the top initial root access method used by ransomware gangs by a large margin. Only the Coveware report listed social engineering in 2nd place, but that was only then. Today, Coveware lists social engineering as the top root cause of ransomware (www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments).
FIGURE 1-2 List of root causes of ransomware from KnowBe4's “The Root Causes of Ransomware” whitepaper.
After ransomware, BEC scams are the second most damaging type of cyberattack. BEC scams are when a malicious social engineering perpetrator tries to trick someone or a business into making a payment they should not otherwise make. It's got a few other names such as CEO fraud and funds transfer fraud. A common type of BEC scam is when a scammer sends someone responsible for accounts payable a fake invoice and tells them it's overdue and needs to be paid now. Or a scammer convinces someone to make an otherwise legitimate payment to a new (unauthorized) bank account. Phishers often gain access to a business's email accounts, locate accounts payable invoices, and then use the newly gained information to trick the payer into paying the amount due to a new unauthorized bank account.
A BEC scam is a very common type of phishing scam. Great Horn reported in their 2021 Business Email Compromise Report (https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf) that 20% of all phishing attempts were BEC scams. Abnormal Security's H1 2023 Email Threat Report (https://abnormalsecurity.com/resources/h1-2023-report-employee-open-rates) stated that 28% of BEC emails are opened by employees and 15% get a response by employees. Even worse is that only 2.1% of the attacks are reported by employees.
A 2022 SecureWorks report (https://blog.knowbe4.com/business-email-compromise-phishing-attacks-increase) reported that the number of incident response cases they were involved in doubled between 2021 and 2022, mostly because of BEC scams, and 85% of those scams were due to social engineering. The FBI says $2.4B was stolen in BEC scams in 2022 (www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view), and the average cost of a BEC breach is $5.01M (www.linkedin.com/pulse/business-email-compromise-bec-26-billion-scam-criadvantage).
BEC scams can fool anyone, including those who you think would be more tech-savvy. Facebook and Google once lost $121M to a BEC scammer (www.bnnbloomberg.ca/facebook-google-scammer-pleads-guilty-in-us-121m-theft-1.1232217). Another BEC scam cost the victims $130M (www.friedfrank.com/uploads/siteFiles/Publications/FriedFrankM%26AQuarterlyApril2022.pdf) and the cancellation of a big merger.
Many BEC scams can be prevented by creating policies that insist that an employee confirm, using alternate, independent, trusted means, any unexpected payment request or a request to update payment instructions.
If you want more information on BEC scams and how to prevent them, see https://info.knowbe4.com/ceo-fraud-prevention-manual or www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise.
It is clear that social engineering and phishing are the biggest cybersecurity threats that any individual or organization will face. It's been that way for a long time, and there is nothing on the immediate horizon that seems likely to change those facts. Every person and business should be trying as hard as they can to prevent social engineering and phishing.
Chapters 3 through 17 are about how you and your organization can better protect yourself against social engineering and phishing threats. It will involve your best possible defense-in-depth combination plan of policies, technical defenses, and security awareness training. That is what this book is all about.
But if I were to give one best practice secret away now, one of the single best things you can do is to teach yourself, your coworkers, your family, and your friends how to detect, treat, and report social engineering and phishing scams. Education is a key element in defeating those threats.
Phishing messages are usually brand-new messages that the receiver was not expecting—not always, but usually. Teach everyone that when they get a new, unexpected message that asks them to do something potentially harmful to themselves or their organization, they should research it first in a more trustworthy way, before performing the requested action. These actions are summarized in Figure 1-3.
FIGURE 1-3 Three-action check to help prevent social engineering and phishing.