PE Tech Report

NEWSLETTER

Like this article?

Sign up to our free newsletter

Cyber safety best practices: How to avoid phishing scams

Social engineering schemes continue to grow in their sophistication, and phishing campaigns, in particular, are causing concern as they make their way to employee inboxes. These fraudulent email campaigns appear legitimate and take advantage of employees who are often too busy or simply unprepared to identify a scam (disclaimer: phishing is not specific to email; scams occur via phone & other communication methods also). 

In either case, if the employee clicks a link, downloads an attachment or provides credentials or financial information to a hacker behind the scenes, it presents a gateway to potentially compromising and very serious scenarios.

And these scams are working. A 2016 study by Verizon found that 30 percent of phishing emails are opened by the recipient – and in 2016, there were more than 1.2 million phishing attacks reported to the Anti-Phishing Working Group (AWPG), a 65 percent increase over 2015.

Furthermore, according to the FBI, spear-phishing campaigns between 2013 and 2015 cost companies more than USD2 billion.

And while there are a number of technologies and security features firms can employ to act as security barriers to targeted attack emails – including next-generation firewall protections and enhanced email security features – unfortunately, some of these emails will get through and pose a threat to your firm’s security posture.

Employee awareness, education and training are going to act as your firm’s best line of defense against these types of cybersecurity scams. Generally, phishing emails share a set of common characteristics employees should beware of:

• Sense of urgency! Beware of any email saying something must be done NOW ‘or else’, particularly if there is a request for personal information 

• Poor grammar or misspelled words or typos

• Generic sender information, such as from ‘payment processor’

• Domain is not legitimate; for example, a subdomain may be used or the spelling is incorrect (contains an extra letter than could be overlooked)

• Unexpected or unwarranted links or attachments 

• Multiple recipients included in the ‘to’ or ‘cc’ field

There are a number of ways to educate and train your firm’s employees on the dangers of phishing scams and how best to sniff out fraudulent emails. Annual information security awareness trainings typically cover phishing scams and can provide high-level information and tips for users to keep in mind. Many firms also hire cybersecurity consultants or experts to provide in-person trainings that help legitimize the seriousness of these issues.

The most effective way to train employees on phishing dangers, however, is through the act of actually phishing them. Managed phishing services are rising in popularity, as they effectively use phishing email simulations to test existing knowledge and also provide in-the-moment education to ensure users are best equipped to thwart cyber-attacks.

Here is an example of how a managed phishing campaign works. On a regular basis (typically quarterly), the managed service provider delivers controlled, mock phishing campaigns against a firm’s employees. When a user clicks a faux-fraudulent email in a campaign, he or she is taken to in-the-moment training to reinforce key concepts and provide tips on avoiding real phishing threats. Regardless of the type of phishing simulation delivered (attachment downloads and login credential techniques are also used), all results are captured and provided to the firm in a full report. Click-rates, locations and endpoint analysis are some of the summary-level metrics provided. Employee training completion is also reported to ensure employee accountability.

Using phishing simulation exercises is both an effective and cost-effective method for training users on the dangers of social engineering schemes and demonstrating the importance of safe cyber and email practices. And with phishing and spear-phishing scams more prevalent than ever, it’s critical for hedge funds and private equity firms to implement advanced tools to stay ahead of mounting cyber threats. 

Like this article? Sign up to our free newsletter

MOST POPULAR

FURTHER READING

Featured