Fighting Phishing - Roger A. Grimes - E-Book

Roger A. Grimes

Description

Keep valuable data safe from even the most sophisticated social engineering and phishing attacks.

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.

* Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against them
* Educate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they begin
* Discover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreading
* Develop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach in Fighting Phishing.

Page count: 514




Table of Contents

Cover

Table of Contents

Title Page

Introduction

Who This Book Is For

What Is Covered in This Book

How to Contact Wiley or the Author

PART I: Introduction to Social Engineering Security

CHAPTER 1: Introduction to Social Engineering and Phishing

What Are Social Engineering and Phishing?

How Prevalent Are Social Engineering and Phishing?

Summary

CHAPTER 2: Phishing Terminology and Examples

Social Engineering

Phish

Well-Known Brands

Top Phishing Subjects

Stressor Statements

Malicious Downloads

Malware

Bots

Downloader

Account Takeover

Spam

Spear Phishing

Whaling

Page Hijacking

SEO Pharming

Calendar Phishing

Social Media Phishing

Romance Scams

Vishing

Pretexting

Open-Source Intelligence

Callback Phishing

Smishing

Business Email Compromise

Sextortion

Browser Attacks

Baiting

QR Phishing

Phishing Tools and Kits

Summary

CHAPTER 3: 3x3 Cybersecurity Control Pillars

The Challenge of Cybersecurity

Compliance

Risk Management

Defense-In-Depth

3x3 Cybersecurity Control Pillars

Summary

PART II: Policies

CHAPTER 4: Acceptable Use and General Cybersecurity Policies

Acceptable Use Policy (AUP)

General Cybersecurity Policy

Summary

CHAPTER 5: Anti-Phishing Policies

The Importance of Anti-Phishing Policies

What to Include

Summary

CHAPTER 6: Creating a Corporate SAT Policy

Getting Started with Your SAT Policy

Necessary SAT Policy Components

Example of Security Awareness Training Corporate Policy

Acme Security Awareness Training Policy: Version 2.1

Summary

PART III: Technical Defenses

CHAPTER 7: DMARC, SPF, and DKIM

The Core Concepts

A US and Global Standard

Email Addresses

Sender Policy Framework (SPF)

Domain Keys Identified Mail (DKIM)

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Configuring DMARC, SPF, and DKIM

Putting It All Together

DMARC Configuration Checking

How to Verify DMARC Checks

How to Use DMARC

What DMARC Doesn't Do

Other DMARC Resources

Summary

CHAPTER 8: Network and Server Defenses

Defining Network

Network Isolation

Network-Level Phishing Attacks

Network- and Server-Level Defenses

Summary

CHAPTER 9: Endpoint Defenses

Focusing on Endpoints

Anti-Spam and Anti-Phishing Filters

Anti-Malware

Patch Management

Browser Settings

Browser Notifications

Email Client Settings

Firewalls

Phishing-Resistant MFA

Password Managers

VPNs

Prevent Unauthorized External Domain Collaboration

DMARC

End Users Should Not Be Logged on as Admin

Change and Configuration Management

Mobile Device Management

Summary

CHAPTER 10: Advanced Defenses

AI-Based Content Filters

Single-Sign-Ons

Application Control Programs

Red/Green Defenses

Email Server Checks

Proactive Doppelganger Searches

Honeypots and Canaries

Highlight New Email Addresses

Fighting USB Attacks

Phone-Based Testing

Physical Penetration Testing

Summary

PART IV: Creating a Great Security Awareness Program

CHAPTER 11: Security Awareness Training Overview

What Is Security Awareness Training?

Goals of SAT

Senior Management Sponsorship

Absolutely Use Simulated Phishing Tests

Different Types of Training

Compliance

Localization

SAT Rhythm of the Business

Reporting/Results

Checklist

Summary

CHAPTER 12: How to Do Training Right

Designing an Effective Security Awareness Training Program

Building/Selecting and Reviewing Training Content

Additional References

Summary

CHAPTER 13: Recognizing Rogue URLs

How to Read a URL

Most Important URL Information

Rogue URL Tricks

Summary

CHAPTER 14: Fighting Spear Phishing

Background

Spear Phishing Examples

How to Defend Against Spear Phishing

Summary

CHAPTER 15: Forensically Examining Emails

Why Investigate?

Why You Should Not Investigate

How to Investigate

Examining Emails

Clicking on Links and Running Malware

Submit Links and File Attachments to AV

The Preponderance of Evidence

A Real-World Forensic Investigation Example

Summary

CHAPTER 16: Miscellaneous Hints and Tricks

First-Time Firing Offense

Text-Only Email

Memory Issues

SAT Counselor

Annual SAT User Conference

Voice-Call Tests

Credential Searches

Dark Web Searches

Social Engineering Penetration Tests

Ransomware Recovery

Patch, Patch, Patch

CISA Cybersecurity Awareness Program

Passkeys

Avoid Controversial Simulated Phishing Subjects

Practice and Teach Mindfulness

Must Have Mindfulness Reading

Summary

CHAPTER 17: Improving Your Security Culture

What Is a Security Culture?

Seven Dimensions of a Security Culture

Improving Security Culture

Other Resources

Summary

Conclusion

Acknowledgments

About the Author

Index

Copyright

Dedication

End User License Agreement

List of Tables

Chapter 5

Table 5.1 Phishing Failure Consequences

Chapter 11

Table 11-1 SAT Program Components

List of Illustrations

Chapter 1

FIGURE 1-1 Common type of phishing email.

FIGURE 1-2 List of root causes of ransomware from KnowBe4's “The Root Causes...

FIGURE 1-3 Three-action check to help prevent social engineering and phishin...

Chapter 2

FIGURE 2-1 Example of a common type of phishing email.

FIGURE 2-2 Example of a phishing email with a sophisticated stressor stateme...

FIGURE 2-3 Example of a simulated calendar phishing invite being created.

FIGURE 2-4 An example of a LinkedIn romance scam attempt.

FIGURE 2-5 An example of a fake local electricity billing call.

FIGURE 2-6 An example of a callback phishing.

FIGURE 2-7 A common example of a smishing message.

FIGURE 2-8 A common smishing example using a short code.

FIGURE 2-9 Examples of various websites asking for permission to send notifi...

FIGURE 2-10 An example of a malicious website asking for notification permis...

FIGURE 2-11 An example of a legitimate QR code.

Chapter 3

FIGURE 3-1 Some of the PCI-DSS's requirements to mitigate the impact of soci...

FIGURE 3-2 Risk management “heat map”.

FIGURE 3-3 A graphical representation of how to do a defense-in-depth gap an...

FIGURE 3-4 The 3x3 cybersecurity control pillars.

Chapter 4

FIGURE 4-1 A partial excerpt from the University of Pennsylvania's Acceptabl...

FIGURE 4-2 A partial excerpt from the University of Pennsylvania's Security ...

Chapter 5

FIGURE 5-1 A real-world phishing email posing as being from KnowBe4.

FIGURE 5-2 The basic logic for spotting phishing and social engineering.

FIGURE 5-3 KnowBe4's “Social Engineering Red Flags” PDF poster.

FIGURE 5-4 KnowBe4's “The Red Flags of Rogue URLs” PDF poster.

FIGURE 5-5 KnowBe4's easy way to report phishing emails.

Chapter 6

FIGURE 6-1 NIST document excerpt requiring an SAT program.

FIGURE 6-2 PCI DSS requirement to have an SAT program, data taken from www.p...

FIGURE 6-3 Excerpt from HIPAA requiring an SAT program.

FIGURE 6-4 The KnowBe4 Phish Alert Button (PAB).

Chapter 7

FIGURE 7-1 Excerpt from the 2021 National Defense Authorization Act discussi...

FIGURE 7-2 Email excerpt showing sender's email addresses.

FIGURE 7-3 An example of a real-world phishing email with Friendly From name...

FIGURE 7-4 An example of a phishing email showing the stark difference betwe...

FIGURE 7-5 An example of a legitimate marketing email with disjointed email ...

FIGURE 7-6 Real-world phishing email claiming to be from Netfix, but with a ...

FIGURE 7-7 Legitimate mass marketing email showing aligned 5321 and 5322 ema...

FIGURE 7-8 An example of an SPF pass.

FIGURE 7-9 An SPF check failure on a real-world phishing email.

FIGURE 7-10 An SPF pass on a real-world phishing email.

FIGURE 7-11 An example of a DKIM DNS record showing a DKIM public key.

FIGURE 7-12 DKIM digital signature examples.

FIGURE 7-13 Email header excerpt showing a verified DKIM signature (i.e., dk...

FIGURE 7-14 Email header excerpt showing a DKIM failure (i.e., dkim=fail).

FIGURE 7-15 KnowBe4's DMARC DNS record as shown by an online DMARC lookup to...

FIGURE 7-16 Real-world phishing email showing failed DMARC validation check....

FIGURE 7-17 EasyDMARC's summary of DMARC options, including reporting option...

FIGURE 7-18 How DMARC, SPF, and DKIM validation checks flow.

FIGURE 7-19 Results of running the DMARC checking tool against knowbe4.com...

FIGURE 7-20 An example of DMARC outcomes displayed by Gmail.

Chapter 8

FIGURE 8-1 Man-in-the-Middle (MitM) MFA phishing attack represented graphica...

FIGURE 8-2 An example of a push-based logon prompt.

FIGURE 8-3 Percentage of phishing attacks hosted on valid HTTPS-enabled webs...

FIGURE 8-4 An example of a KnowBe4 PhishRIP phish hunting query.

FIGURE 8-5 An example of sandboxing being performed by Microsoft O365.

FIGURE 8-6 An example of Reputation-based service options configurable in Mi...

FIGURE 8-7 An example of a domain WHOIS query showing the domain's Creation ...

Chapter 9

FIGURE 9-1 An example of a browser window on one website opening up another ...

FIGURE 9-2 An example of a full-screen scareware warning.

FIGURE 9-3 An example of a browser notification instance asking for permissi...

FIGURE 9-4 Settings area where browser notifications can be allowed or block...

FIGURE 9-5 An example of email security settings in Microsoft Outlook.

FIGURE 9-6 Summary of the author's recommended authentication/password polic...

FIGURE 9-7 Excerpt of DMARC results from an example email header.

Chapter 10

FIGURE 10-1 An example of hypervisor technology being enabled in a computer ...

FIGURE 10-2 An example of KnowBe4's Domain Doppelgänger tool being run...

Chapter 11

FIGURE 11-1 A real-world example of a smishing message pretending to be from...

FIGURE 11-2 A real-world example of a smishing message pretending to be from...

FIGURE 11-3 An example of Kevin Mitnick's training video.

FIGURE 11-4 An example of immediate automated feedback upon failing a simula...

FIGURE 11-5 An example of SAT Program components over time.

Chapter 13

FIGURE 13-1 An example of a URL and its components.

FIGURE 13-2 Two examples of URLs with the DNS domain portion highlighted bet...

FIGURE 13-3 An example of a URL with a resource path followed by the resourc...

FIGURE 13-4 An example of a URL ending with a resource name.

FIGURE 13-5 An example format of a URL variable.

FIGURE 13-6 An example of a URL containing multiple variables separated by t...

FIGURE 13-7 An example of a URL with the DNS domain highlighting between bra...

FIGURE 13-8 Examples of completely different domains that look similar.

FIGURE 13-9 A real-world URL example.

FIGURE 13-10 A real-world example of a phishing URL pretending to be from Ba...

FIGURE 13-11 A real-world phishing URL pretending to be from PayPal.

FIGURE 13-12 An example of a rogue Microsoft look-alike domain.

FIGURE 13-13 A real-world example of a phishing URL claiming to belong to Pa...

FIGURE 13-14 An example of a phishing URL pretending to be from Google.

FIGURE 13-15 An example of a phishing website pretending to be PayPal.

FIGURE 13-16 A real-world example of a phishing message pretending to be ass...

FIGURE 13-17 An example of a real-world phishing URL pretending to be from M...

FIGURE 13-18 An example of a real-world phishing email address.

FIGURE 13-19 A real-world example of a smishing message pretending to be fro...

FIGURE 13-20 Partial Rendition of ASCII Chart.

FIGURE 13-21 Partial Base64 encoding chart.

FIGURE 13-22 An example of a QR code, created on bit.ly, representing a URL ...

FIGURE 13-23 An example of a malicious open redirect attack affiliated with ...

FIGURE 13-24 An example of a real-world phishing using the RLO trick.

Chapter 14

FIGURE 14-1 Two common traits of suspicious phishing messages.

Chapter 15

FIGURE 15-1 Real-world examples of disjointed email addresses.

FIGURE 15-2 A real-world phishing example of an email DNS domain not matchin...

FIGURE 15-3 A real-world example of a phishing message with a three-part dis...

FIGURE 15-4 A real-world example of a phishing email with what looks like a ...

FIGURE 15-5 A real-world phishing example giving the user “instructions” on ...

FIGURE 15-6 A real-world example of a phishing email with a file attachment ...

FIGURE 15-7 Email header in Microsoft Outlook.

FIGURE 15-8 Good representative email header example with multiple instances...

FIGURE 15-9 An Nslookup DNS query.

FIGURE 15-10 An example of using an IP address location service.

FIGURE 15-11 Header information from the second phishing email claiming to b...

FIGURE 15-12 IP address information returned for the second Bank of America ...

FIGURE 15-13 An example of an “x-originating-ip” label in an email header.

FIGURE 15-14 Summary representation of foreign phishers using another countr...

FIGURE 15-15 An example of a Whois query run on a domain related to the real...

FIGURE 15-16 An example of a blocklist check of a suspected phishing domain....

FIGURE 15-17 An example of an X-header.

FIGURE 15-18 An example of malware submitted to VirusTotal.

FIGURE 15-19 Suspected phishing email.

Fighting Phishing

Everything You Can Do to Fight Social Engineering and Phishing

Roger A. Grimes with Dr. John N. Just

Introduction

Social engineering has been around since the beginning of humanity, and phishing has been around at least since the beginning of networked computers. I can remember my first brush with social engineering via computers in 1987. This was before most people had even heard of something called the Internet and before most people had personal computers. Many of us early adopters were on a precursor of the Internet called FidoNet. Back in those days, you would use a 300 or 1200 baud (bits per second, or BPS) dial-up analog modem to call your local BBS (Bulletin Board System). This system would use a crude “store-and-forward” technology that would transmit and receive messages and files around the world in a day or so. We thought it all was pretty cutting-edge.

On one of the BBSs, I came across a downloadable text file named “How to Get a Free HST Modem.” HST modems, made by US Robotics, were the fastest and best modems available at the time. They ran at an incredible 9600 BPS. They were expensive enough that only a few lucky, monied people had them. They were used mostly by Fortune 500 companies and well-funded universities. This file promised to tell anyone who read it how to obtain a free one. It was too enticing to pass up.

I opened up the file, and inside was only the text “Steal One!” “Well, that was disappointing!” I thought. Then the very next keyboard key I pressed formatted (i.e., permanently erased) my hard drive and rendered my computer useless, at least until I reinstalled the operating system and redid everything all over again. I lost all my files.

It turns out the file was something called an “ANSI bomb.” It was a malicious file that took advantage of a feature of a legitimate operating system file called ansi.sys. Ansi.sys was a part of Microsoft's DOS operating system, which most of us ran at the time. Ansi.sys was an optional file that gave users extended, “cool” features for their screen and keyboard, such as displaying special graphics and characters on the screen. It also allowed savvy users to map sequences of commands to a single key on their keyboard. It was meant to allow people to create “macros”—an automated shortcut that triggered a longer sequence of key presses. You could hit one or two keys and automate what would otherwise be a bunch of other key presses. Some malicious jerk had created a file that instructed ansi.sys to map every key on the user's keyboard to a command that formatted the user's hard drive when the next key was pressed.

It was a lesson learned.

There are malicious people in the world who want to harm other innocent people for no other reason than they can. Not everyone in the world is friendly and helpful, especially to strangers.

Now, the impact of social engineering and phishing on cybercrime has been driven home to me tens of thousands of times during my career. Today, nearly everyone understands that social engineering and phishing are responsible for more cybercrime than any other single initial root cause method. No other root cause of hacking is even close. But just a decade ago, even though it was true then, it wasn't as well known by all cybersecurity defenders. I think everyone knew social engineering and phishing were a problem, but few knew exactly how big of a problem it was. Few defenders knew it was the number one problem by far. Even I didn't.

I worked as a Principal Security Architect for Microsoft Corporation for nearly 11 years, from 2007 to 2018. For much of that time, I did security reviews for customers and installed Public Key Infrastructures (PKI) and advanced security defense systems. I was promoted, usually well-liked by clients, and always installed systems on time and on budget, which isn't so normal in the computer industry. For years I felt like I was greatly helping to protect my customers.

Then I realized that every single customer I had, no matter what defenses we installed, was still falling prey to hackers and malware. This was despite installing the best computer security defense systems possible. Why? It was almost always due to social engineering (and, secondarily, unpatched software). Even though all my customers were spending hundreds of thousands to millions of dollars to protect themselves using the most advanced systems the industry could imagine and deliver, what was taking them down was the same thing that had most often been taking down companies since the beginning of computers—social engineering. And usually, phishing.

That realization occurred to me in about 2016. It made me depressed. Instead of seeing myself as part of the solution, I realized I wasn't really helping my clients to avoid hackers and malware. What I was doing was more smoke and mirrors. I was wasting their time and money. But it wasn't like I was alone. Most computer security companies and consultants did what I did, which was concentrating on everything but defeating social engineering and phishing, even though they were clearly the biggest problem by far. Still, it bothered me tremendously.

I eventually wrote the first edition of a book about my realization, A Data-Driven Defense: A Way to Improve Any Computer Defense (www.amazon.com/Data-Driven-Computer-Defense-Should-Using/dp/B0BR9KS3ZF) in 2018. The book sold over 50,000 copies (over three editions), and its premise—social engineering is most companies’ biggest cybersecurity threat—led me to work for my current employer, KnowBe4.

The CEO of KnowBe4, Stu Sjouwerman, was one of the first people to read my book and understood its value in not only recognizing the importance of fighting phishing and social engineering but also in creating an effective cybersecurity defense using data. In April 2018, Stu offered me a job and I accepted. I was delighted. Not only was I going to start working for a leading firm in security awareness training, which is one of the best ways to fight social engineering and phishing, but I was also going to be able to concentrate on helping customers fight the biggest weakness in their cybersecurity defense as my primary job. I was pretty elated and remain so to this day.

In the over five years since, as KnowBe4's Data-Driven Defense Evangelist, I have taught hundreds of in-person presentations and online webinars. You can see many of my webinars here: www.knowbe4.com/webinar-library. You can download and read many of my whitepapers here: www.knowbe4.com/security-awareness-whitepapers. And you can request that I do a presentation to your company here: www.knowbe4.com/security-awareness-training-advocates. You can see dozens of my presentations for free on YouTube. I speak about a lot of topics beyond social engineering, including multifactor authentication, quantum, ransomware, passwords, password managers, nation-state hacking, and cryptocurrencies, but most of my presentations include something about fighting social engineering and phishing even if that isn't the primary topic. I never miss a chance to educate listeners about the importance of focusing on preventing social engineering and phishing.

There is nothing else most organizations could do better to reduce their existing cybersecurity risk than to reduce social engineering and phishing threats. This book is the best advice for today's world to help you fight social engineering and phishing. I don't know of another source that has more coverage and suggestions. Not humbly, I think I can best teach anyone how to reduce their social engineering and phishing risk. I break down many of the necessary critical lessons and processes into the simplest recommendations and charts you'll see anywhere. I cover every policy, technical defense, and education best practice you should be following to best stop social engineering and phishing.

Do you want to know how to best reduce cybersecurity risk from social engineering and phishing? Read this book.

Who This Book Is For

This book is for anyone interested in fighting social engineering and phishing attacks—from entire organizations to single individuals, from dedicated anti-phishing employees to IT managers, and for any IT security practitioner. Because the book contains large, distinct sections dedicated to policy and formal security awareness training programs, it can be argued that it is more appropriately focused on organizations, ranging in size from small businesses to the Fortune 500. But individuals and organizations of any size will benefit from learning the recommendations and best practices contained in this book. Many of the lessons in this book should be shared with friends and family, and many of them are universal. This is the book I wish I had read when I first got into the industry.

What Is Covered in This Book

Fighting Phishing: Everything You Need to Know to Fight Social Engineering and Phishing contains 17 chapters separated into 4 parts.

Part I: “Introduction to Social Engineering Security.”

Part I begins by introducing all the data and terminology associated with social engineering and phishing. There are dozens of distinct definitions that will help you better understand and talk about social engineering and phishing. Part I ends with a discussion of the three necessary components of any computer security defense, including one that fights social engineering and phishing.

Chapter 1: “Introduction to Social Engineering and Phishing.”

Chapter 1 discusses the data and facts around social engineering and phishing and why they are so important to defeat if you want to defeat hackers and malware. If you need to prove to management the importance of fighting social engineering and phishing in your organization, this chapter will help you deliver that argument.

Chapter 2: “Phishing Terminology and Examples.”

Chapter 2 describes the dozens of definitions related to social engineering and phishing. There are many different types of social engineering and phishing, and understanding the differences will help you better understand the threat and how best to fight it. Different types of social engineering and phishing require different types of defenses. Many different examples of phishing attacks will be presented.

Chapter 3: “3x3 Cybersecurity Control Pillars.”

All security defenses require a risk-managed, defense-in-depth combination of policies, technical defenses, and education to best fight cyber threats. Chapter 3 covers compliance, risk management, defense-in-depth, and the three defensive pillars all defenders must know and deploy to fight hackers and malware, not just against social engineering, but against any cyber threat.

Part II: “Policies.”

Part II discusses all the general and specific policies that any organization should create and deploy to help fight social engineering and phishing.

Chapter 4: “Acceptable Use and General Cybersecurity Policies.”

Chapter 4 covers general Acceptable Use Policies and general cybersecurity policies that every organization should create and deploy to minimize cybersecurity risk. As part of the cybersecurity policy section, many general best practice security recommendations will be covered. Cybersecurity education begins with good policies, and this chapter begins that educational process.

Chapter 5: “Anti-Phishing Policies.”

Chapter 5 covers all the specific policies that every organization needs to create and deploy to minimize social engineering and phishing.

Chapter 6: “Creating a Corporate SAT Policy.”

Chapter 6 is for larger organizations that require an official security awareness training program policy. It covers all the components a security awareness training policy should contain and finishes with an example policy that readers can use to create their own.

Part III: “Technical Defenses.”

Part III covers all the software and hardware tools that someone can utilize to minimize social engineering and phishing attacks.

Chapter 7: “DMARC, SPF, and DKIM.”

Chapter 7 covers the Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) anti-phishing standards and how to deploy them within your environment.

Chapter 8: “Network and Server Defenses.”

Chapter 8 covers the most common types of network-deployed and server-level cyber defenses used to fight social engineering and malware threats. It includes content-filtering firewalls and gateways, anti-phishing filters, and network connection mapping.

Chapter 9: “Endpoint Defenses.”

Chapter 9 covers the most common endpoint-deployed cyber defenses used to fight social engineering and malware. It includes anti-malware scanners, endpoint detection and response software, content filters, browser defenses, and email protections.

Chapter 10: “Advanced Defenses.”

Chapter 10 covers advanced defenses like using separate “red/green” systems, hypervisor-hardware-enforced isolation systems, DNS defenses, and sophisticated malware detection defenses.

Part IV: “Creating a Great Security Awareness Training Program.”

One of the most neglected parts of fighting social engineering and phishing is creating a GREAT security awareness training program. The last part of this book is dedicated to telling anyone how they can create a GREAT security awareness training program. If you follow what this section contains, you can help significantly reduce cybersecurity risk in your organization.

Chapter 11: “Security Awareness Training Overview.”

Chapter 11 gives a broad overview of how to create a sophisticated security awareness training program, including what it should contain, who should be involved, and what tools and methods should be used. If you want to know how to set up a great security training program, begin here.

Chapter 12: “How to Do Training Right.”

Great training doesn't just happen. It takes planning, preparation, logistics, and cooperation. Written by Dr. John Just, Chapter 12 covers the types and quality of training that all great security awareness training programs should have, including quizzing, next steps, and quality feedback loops.

Chapter 13: “Recognizing Rogue URLs.”

One of the best skills you can give anyone is how to recognize a phishing URL. Chapter 13 covers, in detail, how anyone can tell the difference between legitimate and rogue URLs. It includes dozens of examples of rogue URLs and shows how anyone can detect the fraudulent aspects.

Chapter 14: “Fighting Spear Phishing.”

Spear phishing is responsible for more successful data breaches than any other single threat and takes specific training to defeat. Chapter 14 discusses how you need to modify your “regular” security awareness training program to address the very real risk of spear phishing.

Chapter 15: “Forensically Examining Emails.”

Chapter 15 covers how to forensically examine any email to better determine whether what you are looking at is a phishing email or not. It covers dozens of methods, including DMARC, reverse DNS lookups, domain name investigation, blocklisting, and physical address locating. If you have ever been stumped on whether an email you are looking at is a phishing email or not, this chapter is for you.

Chapter 16: “Miscellaneous Hints and Tricks.”

Chapter 16 covers suggestions and hints that didn't fit in other chapters, like strict anti-phishing policies, text-only emails, SAT counseling, and more.

Chapter 17: “Improving Your Security Culture.”

The Holy Grail in the computer security defense community is to create a lasting culture of pervasive cybersecurity in the organization so that everyone practices excellent cyber hygiene, resulting in a significant reduction in organizational cybersecurity risk. Chapter 17 defines the components of a security culture and discusses how you can get your organization there.

All together, these 17 chapters and the lessons and best practice recommendations they contain should allow anyone to craft their best, most efficient plan in fighting social engineering and phishing. I've tried to put the best possible defenses and best practice recommendations about fighting social engineering and phishing into this book. This should give you the techniques and tools to make your security stronger than ever. With that in mind, continue to fight the good fight!

How to Contact Wiley or the Author

Wiley strives to keep you supplied with the latest tools and information you need for your work. Please check the website at www.wiley.com/go/anti-phishing, where I'll post additional content and updates that supplement this book should the need arise. If you have any questions, suggestions, or corrections, feel free to email me at [email protected].

PART I: Introduction to Social Engineering Security

Part I includes three chapters that set a basic understanding of social engineering and phishing threats and finishes with the beginnings of what it takes to create a great defense-in-depth defense. Chapter 1 discusses social engineering and phishing and why you need to defeat them if you are to have a successful defense. Chapter 2 covers phishing terminology along with many real-world examples. Chapter 3 discusses the 3x3 Cybersecurity Control Pillars and how every security defense must have policies, technical components, and education to be successful.

CHAPTER 1: Introduction to Social Engineering and Phishing

Chapter 1 is going to discuss the importance of fighting social engineering and phishing. If you have to persuade your boss or colleagues why fighting against these threats matters, this chapter is for you.

What Are Social Engineering and Phishing?

I think everyone knows what phishing is. It's hard to go an entire day without being exposed to it in some way. It's everywhere! We know it when we see it. Most of us are exposed to it daily, or nearly daily, usually through scam emails, text messages, or calls to our cell phones. Figure 1-1 shows a representative common example of a phishing email.

FIGURE 1-1 Common type of phishing email.

Figure 1-1 is an example of a very common type of phishing email, likely the most common, where the phisher is attempting to make it look like an official email from Microsoft asking for an account password. If a victim were to click on the “Keep same Password” button, they would be directed to a fake, look-alike website asking the victim to input their real account password. There are many classic signs of this being a phishing email, which we will discuss in more detail in future chapters, but the most obvious is that the originating email address is some random address from Japan (as indicated by the domain suffix .jp) and not microsoft.com, as a real email from Microsoft would be.
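The mismatch called out above, a brand named in the display name while the mail actually comes from an unrelated domain, can be checked mechanically rather than by eye. The Python below is an added example, not code from the book or from KnowBe4. It assumes a small, illustrative allowlist of brand sending domains and a handful of two-label public suffixes (a real tool would use the full Public Suffix List), and it runs on two constructed messages, one phish and one legitimate. It goes slightly beyond the sign the text describes by also flagging a Reply-To that points somewhere other than the From domain, and by catching the case where the brand name is buried as a subdomain of an unrelated registered domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand -> domains that brand legitimately sends mail from. The microsoft.com
# entry follows the text above; the rest of the table is illustrative only.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}

# Constructed, deliberately tiny set of two-label public suffixes so that a
# sender at example.co.jp reduces to example.co.jp rather than co.jp.
TWO_LABEL_SUFFIXES = {"co.jp", "ne.jp", "co.uk", "com.au", "com.br"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain somebody actually had to register.

    mail.accountprotection.microsoft.com     -> microsoft.com
    microsoft.com.login-check.example.jp     -> example.jp
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def header_domain(msg, header: str) -> str:
    """Domain part of the address in a header, or '' if absent or unparseable."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def claimed_brand(msg) -> str:
    """Which allowlisted brand the display name or subject is trying to look like."""
    display_name, _ = parseaddr(msg.get("From", ""))
    haystack = f"{display_name} {msg.get('Subject', '')}".lower()
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{re.escape(brand)}\b", haystack):
            return brand
    return ""


def check_sender(raw_message: str) -> dict:
    """List the reasons, if any, the sender does not match the brand it claims."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    brand = claimed_brand(msg)
    reasons = []

    if brand and from_domain:
        registrable = registrable_domain(from_domain)
        if registrable not in BRAND_DOMAINS[brand]:
            reasons.append(
                f"claims to be {brand} but was sent from {from_domain} "
                f"(registered domain {registrable})"
            )
            if brand in from_domain:
                reasons.append(
                    f"'{brand}' appears inside the sender host but is not the registered domain"
                )

    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        reasons.append(f"Reply-To goes to {reply_domain}, not the From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "claimed_brand": brand,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages; every address and domain here is made up.
PHISH = """\
From: "Microsoft Account Team" <no-reply@microsoft.com.login-check.example.jp>
Reply-To: support@secure-mailbox.example.net
To: victim@example.com
Subject: Action required: your password expires today

Click "Keep same Password" to keep your current password.
"""

LEGIT = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.com
Subject: Unusual sign-in activity

We detected a new sign-in to your account.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = check_sender(raw)
        print(name, "SUSPICIOUS" if result["suspicious"] else "consistent")
        for reason in result["reasons"]:
            print("  -", reason)
```

The check keys on the registered domain rather than the full hostname because that is the part an attacker cannot fake without owning it; anything to the left of it (microsoft.com.login-check) is free for the taking. The same logic is what a user is being asked to do by eye when told to look at where the address really ends.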

Some people might wonder what the difference is between social engineering and phishing and why I call them out separately. Social engineering is a malicious fraud scam in which a perpetrator, often pretending to be someone else, a group, or a brand that a potential victim might implicitly trust more than an unknown person, attempts to get the victim to perform an action that is contrary to the victim's self-interests. The perpetrator doesn't always have to be unknown. The scammer could be someone the victim knows or even knows well (like a best friend or family member). But in today's digital world, most online digital scams are committed by people we don't know.

Social engineering is as old as humanity. There are many ancient, early written examples of people complaining of scams and being taken advantage of. You can find an example of an early financial scam documented back in 300 B.C. at www.investopedia.com/articles/financial-theory/09/history-of-fraud.asp.

Social engineering is exploiting the inherent trust one human gives another. We are built to trust each other by default. In general, this default trust serves us well. Most of what we do every day only works because our default assumptions and inherent trust in other human beings work most of the time without harming our interests. Most of our civilization only works because that trust is usually well-founded most of the time. But scammers take advantage of this default trust.

Commonly, scams are done for monetary advantage, but they can be done for many other reasons, such as romance, revenge, jealousy, physical harm, and really in response to any emotion, even happiness. People often socially engineer friends and loved ones into situations that will benefit all those involved (for example, a surprise birthday party or giving rewards for a desired behavior). In the context of this book, however, we are talking about malicious social engineering scams that involve one party intentionally harming another.

There are a lot of ways for someone to be socially engineered and scammed. Basically, any communication method between two parties can be used for a scam, including in-person, physical mail, phone calls, text messages, email, websites, instant messaging, collaboration apps, and social media. If there is a will there is a way to scam someone. It wouldn't surprise me to learn that various cultures throughout history scammed each other using carrier pigeons, semaphores, signal fires, or some other communication method.

Phishing is a type of criminal social engineering that involves online digital media. The most common form of phishing is done using email, but it can be done using any electronic communication channel, including websites, instant messaging, phone text messages, and even voice calls. I'll cover the different types of phishing in more detail in Chapter 2, “Phishing Terminology and Examples.” You will hear some people calling all forms of social engineering phishing, and that's OK because we all understand what the person is communicating in the entire context. It doesn't make sense to get caught up in an argument about whether an analog phone call is phishing or not. It's all bad. But you should understand that social engineering is broader than phishing no matter how you define either term. This book is designed to help people avoid all malicious social engineering, but it naturally has a strong focus on phishing given today's online digital world.

There is a lot of social engineering and phishing going on. Millions of people and companies lose billions of dollars each year to scammers. Phishing, because it is digital, easily scales. It is low cost and low risk (the vast majority of phishing scammers get away with their crime, at least for some years), and it can be performed on tens of millions of potential victims a day by a single perpetrator. All the phisher (i.e., a person who originates or spreads a phishing message) needs is a valid email address, account name, website address, or phone number, for themselves and the potential victims. Usually, they can easily get potential victim contact addresses in the many millions at one time.

A scammer doing an in-person scam can usually only attempt one scam at a time and is at far greater risk of being identified, detained, or arrested because of their physical presence. A phisher is, if anything, more likely to be hit by lightning than to be identified or go to jail for phishing someone. Lifetime odds of being hit by lightning are about 1 in 15,300 (www.britannica.com/question/What-are-the-chances-of-being-struck-by-lightning).

But phishers who keep it up for long periods of time and cause substantial damage will usually come to the attention of defenders or law enforcement. They will eventually either be arrested or abandon the phishing scam they are perpetrating (to avoid being identified and caught). Most phishers, still remembering all the money they made from their earlier successes, keep going until they run out of luck (kind of like bank robbers). But not all phishers do this. Some retire from doing phishing scams with all their stolen loot and never having suffered negative consequences. But these are the rare ones. Most continue on until they suffer negative consequences. It can be difficult to remember that, especially when they seem so untouchable, and many are openly bragging about their ill-gotten gains and showing off their riches.

The problem is that most phishers will conduct tens to hundreds of millions of phishing scams before they end their participation, voluntarily or otherwise. And when they do, there is still the never-ending supply of other scammers willing to replace them. It is estimated that there are tens of thousands of phishing scammers pushing hundreds of millions of phishing scams on the Internet at any given moment. And it's not slowing down anytime soon.

The reason there are so many phishing scams and perpetrators willing to risk jail time is that there's just so much money to be made (in fact, stolen). Scammers are making billions a year. Not only are employees of businesses being targeted so scammers can get to the huge gobs of money that can be stolen from businesses, but regular people themselves are putting more and more of their money online, too. Today, most people's bank, credit card, investment, and retirement accounts are online. Sadly, as long as scams are profitable, low cost, and low risk, they will continue unabated.

How Prevalent Are Social Engineering and Phishing?

A person, device, or network can be hacked in many ways. How prevalent are social engineering and phishing? First, you have to understand which other attack methods social engineering and phishing are competing against. These methods include the following:

Programming bug (patch available or not available)

Authentication attack

Malicious instructions/scripting

Data malformation

Human error/misconfiguration

Eavesdropping/MitM

Side channel/information leak

Brute force/computational

Network traffic malformation

Insider attack

3rd-party reliance issue (supply chain/vendor/partner/etc.)

Physical attack

To the best of my knowledge, adding social engineering, this is an inclusive list of the methods used by hackers and malware to compromise people and devices. Every single compromise and exploit I have ever learned about started with an attack method that falls under one of these categories.

What most people don't know is how often each attack type (also known as an initial root access exploit) occurs relative to the others. There are sources that track and research the relative occurrence of each attack method. It turns out that social engineering is the most popular attack method by a big margin. Exploiting unpatched software and firmware is the second most common attack type, and those two attack methods (i.e., social engineering and exploiting unpatched software and firmware) together account for 90% to 99% of cyberattacks. All the other attack types added together don't account for more than 10% of attacks. Social engineering, by itself, is involved in 40% to 90% of all successful attacks, depending on which source you read and believe.

Social Engineering Statistics

This section of the chapter will share my research and the findings of others to show how large a share of today's digital attacks social engineering and phishing represent.

My Research  I've been tracking the prevalence of social engineering and phishing as an initial root access cause as compared to the other 12 attack types for over 20 years. My data is based upon years of research, where I compared thousands of breaches listed in the Privacy Rights Clearinghouse Database (https://privacyrights.org) and tied them to their initial root causes. I was mostly interested in, “Why did the victim get hacked?”

The not-for-profit Privacy Rights Clearinghouse organization began tracking breaches in 2005. Today, its database contains information on over 20,000 different breaches. It is the largest public breach-tracking database of its kind. It used to be free to download, but it currently costs $250. That's not bad for the aggregate information it contains.

Even with the database as a starting point, it wasn't always easy to determine the initial root cause for a variety of reasons. First, not all breaches included a root cause in the database or related public reports. Only in about a third to half of the publicly reported cases did a public source list the root cause of the hack. Most of the time, I had to do more digging. In those cases, I first tried to use my best Google and Bing skills to find official documents or interviews where the root cause was discussed. This allowed me to find the initial root cause for another third of the cases. Lastly, I tried to email or call people involved in the case to get the root causes.

Other times, the root causes were incorrectly described in the database or related public sources. For example, many breaches were incorrectly tied to hacking or ransomware. Hacking doesn't tell me what occurred. It's all hacking. And ransomware is a potential outcome of an initial root cause, not a root cause itself. I would have to ask people, “How did the hacker or ransomware get into your company?” Sometimes they knew, and sometimes they didn't. But in the cases where I could determine an initial root cause exploit, social engineering was involved in at least 70% of the cases.

Over the decades, I've tracked unpatched software and firmware as being involved in 20% to 40% of the cases, depending on the year. Recently, in 2023, the computer security firm Mandiant said unpatched software and firmware were involved in 33% of successful breaches, so the percentages seem to be holding.

Also, in my career, I was given access to huge proprietary databases of multiple companies that were involved in investigating hundreds to thousands or more customer data breaches. Those databases also backed the high prevalence of social engineering in most attacks. So, my 70% claim isn't made lightly. It isn't just a gut feeling.

Other Social Engineering Studies  The status of social engineering as the number one root exploit cause by far is backed by nearly every study any vendor reports. My KnowBe4 colleague and friend, Javvad Malik, did a meta-analysis study (https://info.knowbe4.com/threat-intelligence-to-build-your-data-driven-defense) of a hundred vendor reports (from 43 different vendors) he retrieved from AlienVault's Open Threat Exchange (otx.alienvault.com). The percentage of attacks attributed to social engineering varied by report and vendor, but for almost every report, social engineering was the top threat. I've seen some reports temporarily list some other hacking root cause as the top root cause (e.g., remote access, password hacking, etc.), but usually those other categories were only the top vote-getter for a temporary period of time. Usually, social engineering or phishing showed up again as the top hacking cause in the next report and over the long term.

But most reports that track initial root causes list social engineering or phishing as their consistent top cause. This was the case 10 years ago and is still the case in nearly every vendor report I read today which discusses hacking root causes in aggregate. Most don't agree on the percentage of hacking attributed to social engineering or phishing, but they all agree that social engineering or phishing is the number one root hacking method. Recent years provide some noteworthy examples.

In August 2023, Comcast reported that 89.46% of attacks on their customers started with phishing (https://blog.knowbe4.com/customer-network-breaches-phishing). You can read the whole report here: https://business.comcast.com/community/docs/default-source/default-document-library/ccb_threatreport_071723_v2.pdf.

IBM's 2023 X-Force Threat Intelligence Index report (www.ibm.com/downloads/cas/DB4GL8YM) had phishing at a much lower percentage, but still the top cause, stating, “Phishing remains the leading infection vector, identified in 41% of incidents, followed by exploitation of public-facing applications in 26%.” Their 2022 report (https://securityintelligence.com/posts/expanding-ot-threat-landscape-2022) stated much the same but had the percentage much higher: “Phishing continued to be the most prevalent initial access vector identified…” and “…phishing served as the initial infection vector in 78% of incidents X-Force responded to across these industries so far in 2022.”

Social engineering and phishing are a problem worldwide. The U.K.'s Official Government Statistics Cyber Security Breaches Survey 2022 (www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022) stated the following, “…the most common threat vector was phishing attempts (83%).”

In 2022, Kroll's Cyber Intelligence Report (www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q1-2022-threat-landscape-threat-actors-target-email-access-extortion) stated that phishing was involved in 60% of all attacks.

InfoBlox's 2022 Global State of Security Report (https://files.scmagazine.com/wp-content/uploads/2022/05/Infoblox-Main-Report.pdf) states, “The most successful mode of attack was phishing (58%).”

In May 2023, Barracuda Networks reported (www.barracuda.com/reports/spear-phishing-trends-2023) that although spear phishing only accounted for 0.1% of all email-based attacks, it accounted for 66% of successful compromises. That's huge for a single root cause!

So, much like Javvad Malik's meta-study revealed, vendors may not agree on the exact percentages, but they agree phishing is the number one cyber threat and it's a big one.

Why Do Social Engineering Statistics Vary So Much?  The main reasons different vendors report different social engineering statistics are the customers involved and the scope of the survey. Some vendors only include customers that they did direct business with. Some vendors work with mostly small businesses and others with large businesses. Some vendors specialize in particular industries, and others (like the UK report) are only surveying their country's organizations.

Another big reason is because, sadly, there is no agreed-upon standard set of initial root cause access categories. Many times, the vendors categorize a particular type of attack as a root access method when really it is the outcome of a root access method. For example, many vendors have a category called ransomware, remote access, or credential theft. All of those are outcomes of other root access methods. For example, if credential theft was involved, how did the credentials get stolen? I can tell you—probably through social engineering (although it can be other things too).

The Privacy Rights Clearinghouse database has a category called HACK, which it defines as “Hacked by an Outside Party or Infected by Malware.” This tells you almost nothing about how that particular hack occurred. Was it due to social engineering, unpatched software, or something else? Many vendors have a category entitled “Malware” or “Ransomware.” Again, how did that ransomware or malware actually exploit that system to get on it? There is a good chance that if all vendors agreed to use the same category descriptions, their social engineering category percentages would be larger than they report today.

It's Likely Larger, Much Larger!  It is likely that the social engineering stats that are reported, large as they already are, are drastically undercounting the true breadth of social engineering scams. One major reason for this is that most vendor reports only report on corporate or industry customers. Most reports do not survey people at home using their personal computers and phones. If they did, they would likely find that most have been targets of attempted social engineering, often through email, but also through SMS texting. Who among us hasn't been phished at home through our email, SMS messages, and even voice calls? Some days most of my text messages are scams. Most calls I get to my phone are scams. Has anyone been asked to extend their auto warranty lately? How many of us have had our parents and grandparents successfully scammed?

The US Federal Trade Commission (FTC) says US consumers lost $330M to text message scams in 2022 alone (www.ftc.gov/news-events/news/press-releases/2023/06/new-ftc-data-analysis-shows-bank-impersonation-most-reported-text-message-scam). The FTC's stats undercount the true size of the losses because most people don't report their losses to law enforcement or the FTC.

If nearly everyone you know has been approached to be scammed via email and phone, how much larger should the social engineering stat be? Most people on social media (e.g., Facebook, Instagram, etc.) are routinely approached with scams on those services. I get an attempted scam on LinkedIn nearly every day. Have you ever tried to sell or buy something on Craigslist? The first contact you're likely to get is from a scammer. I've had a ton of friends who were either successfully scammed or almost scammed when trying to rent an apartment or vacation stay.

How about romance scams? The FTC reported (www.ftc.gov/news-events/data-visualizations/data-spotlight/2023/02/romance-scammers-favorite-lies-exposed) that over 70,000 people lost over $1.3B to romance scams in 2022. And these are just the people who reported it to the FTC, which has to be a tiny percentage of the total victims.

I think if any single source aggregated all types of initial root hacking methods across both personal and industry interests, the total percentage of people who have experienced social engineering and phishing attempts would be up in the high 90s. When nearly 100% of us have been potential victims of attempted scams each year, how could there be any other result?

Social engineering scams cost victims more than other types of hacking. According to IBM's 18th annual Cost of a Data Breach 2023 report (www.ibm.com/reports/data-breach), the average data breach cost from all causes is $4.45M, but it is $4.76M for social engineering. Only malicious insider attacks were higher, at $4.9M. The same report says that it takes an average of 234 days to detect a breach and 80 days to contain it.

Ransomware and BEC  In most recent years, ransomware and business email compromise (BEC) scams have been the top threat to most organizations. Ransomware is an attack where the perpetrators encrypt the victim's computers or data and ask for an extortion payment to decrypt. Ransomware gangs also often steal logon credentials (of businesses, employees, and customers), exfiltrate data, and publicly embarrass their victims (the combination of which is known in the media as double extortion).

Since at least 2018, ransomware has been a (or often the) top worry of business professionals. And businesses do have a reason to fear ransomware. Many different reports show that over 60% of all businesses suffer a ransomware attack each year. Ransomware usually causes significant operational disruption and high financial damage. Coveware states that the average ransom payment made in the first quarter of 2023 was $740,144 (the median was $190,424) (www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments). Even the lower median amount is a lot of money. Sophos puts the average ransomware payment at $1.5M and the average cost of remediation at $1.4M (https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf). Most reports claim that the costs of remediation usually exceed the cost of the ransom. Sophos says the average downtime due to ransomware is a month, but most ransomware victims report continuing operational issues due to the ransomware even 6 months to a year later. Some victims are put out of business forever.

Adrian Sanabria keeps an informal list of businesses shut down by cyberattacks, and it contains many ransomware incidents. See https://docs.google.com/spreadsheets/d/15CTPcgZQenWKDLDTQ2ibveUM4i7Of_n20TzdTi23xcg/edit#gid=0, but since this is a personal spreadsheet, open at your own risk.

It's clear that ransomware is a serious risk and can cause significant monetary damages and operational downtime. It will probably not surprise you to learn that most ransomware attacks begin with social engineering. In July 2021, I looked for every ransomware report I could find that listed the initial root access methods of how the ransomware exploited the victim. I found over 100 reports but unfortunately only six reports (shown in Figure 1-2) discussed root access methods. I created a whitepaper called “The Root Causes of Ransomware” (https://info.knowbe4.com/wp-root-causes-ransomware). Figure 1-2 is from that whitepaper.

As you can see, social engineering is the top initial root access method used by ransomware gangs by a large margin. Only the Coveware report listed social engineering in 2nd place, and only at that time. Today, Coveware lists social engineering as the top root cause of ransomware (www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments).

FIGURE 1-2 List of root causes of ransomware from KnowBe4's “The Root Causes of Ransomware” whitepaper.

After ransomware, BEC scams are the second most damaging type of cyberattack. BEC scams are when a malicious social engineering perpetrator tries to trick someone or a business into making a payment they should not otherwise make. It's got a few other names such as CEO fraud and funds transfer fraud. A common type of BEC scam is when a scammer sends someone responsible for accounts payable a fake invoice and tells them it's overdue and needs to be paid now. Or a scammer convinces someone to make an otherwise legitimate payment to a new (unauthorized) bank account. Phishers often gain access to a business's email accounts, locate accounts payable invoices, and then use the newly gained information to trick the payer into paying the amount due to a new unauthorized bank account.

A BEC scam is a very common type of phishing scam. GreatHorn reported in their 2021 Business Email Compromise Report (https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf) that 20% of all phishing attempts were BEC scams. Abnormal Security's H1 2023 Email Threat Report (https://abnormalsecurity.com/resources/h1-2023-report-employee-open-rates) stated that 28% of BEC emails are opened by employees and 15% get a response from employees. Even worse is that only 2.1% of the attacks are reported by employees.

A 2022 SecureWorks report (https://blog.knowbe4.com/business-email-compromise-phishing-attacks-increase) reported that the number of incident response cases they were involved in doubled between 2021 and 2022, mostly because of BEC scams, and 85% of those scams were due to social engineering. The FBI says $2.4B was stolen in BEC scams in 2022 (www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view), and the average cost of a BEC breach is $5.01M (www.linkedin.com/pulse/business-email-compromise-bec-26-billion-scam-criadvantage).

BEC scams can fool anyone, including those who you would think would be more tech-savvy. Facebook and Google once lost $121M to a BEC scammer (www.bnnbloomberg.ca/facebook-google-scammer-pleads-guilty-in-us-121m-theft-1.1232217). Another BEC scam cost the victims $130M (www.friedfrank.com/uploads/siteFiles/Publications/FriedFrankM%26AQuarterlyApril2022.pdf) and the cancellation of a big merger.

Many BEC scams can be prevented by creating policies that insist that an employee confirm, using alternate, independent, trusted means, any unexpected payment request or a request to update payment instructions.

If you want more information on BEC scams and how to prevent them, see https://info.knowbe4.com/ceo-fraud-prevention-manual or www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise.

It is clear that social engineering and phishing are the biggest cybersecurity threats that any individual or organization will face. It's been that way for a long time, and there is nothing on the immediate horizon that seems likely to change those facts. Every person and business should be trying as hard as they can to prevent social engineering and phishing.

The Solution

Chapters 3 through 17 are about how you and your organization can better protect yourself against social engineering and phishing threats. It will involve your best possible defense-in-depth combination plan of policies, technical defenses, and security awareness training. That is what this book is all about.

But if I were to give one best practice secret away now, one of the single best things you can do is to teach yourself, your coworkers, your family, and your friends how to detect, treat, and report social engineering and phishing scams. Education is a key element in defeating those threats.

Phishing messages are usually brand-new messages that the receiver was not expecting—not always, but usually. Teach everyone that when they get a new, unexpected message that asks them to do something potentially harmful to themselves or their organization, they should research it first in a more trustworthy way, before performing the requested action. These actions are summarized in Figure 1-3.

FIGURE 1-3 Three-action check to help prevent social engineering and phishing.