Phishing continues to dominate security discussions as 2021 unfolds. According to Security Boulevard:
“By mid-2020, SlashNext Threat Labs saw the number of daily phishing threats top 25,000 a day, a 30 percent increase over 2019 figures. By fall, the number had grown to 35,000/day and grew to 50,000/day by December and continues to rise in 2021.”
This explosion in phishing has been fed by the pandemic, remote workers, and increasingly sophisticated work by hackers. Still, even the most skilled hackers can be thwarted by basic awareness, and that is where MSPs can be a front-line defense for companies. But sometimes, even MSPs themselves need a refresher about awareness.
Cybersecurity dangers of familiarity blindness
MSPs are tasked with many duties, one of them being to educate users about phishing attempts. But merely saying to enterprise employees, “don’t open suspicious attachments,” isn’t enough. You need to highlight the granular details of warning signs.
Technicians and MSP managers know what to look for in a phishing attempt, but most others still don’t. IT people eat, sleep, and breathe cybersecurity, so what is second nature to them often isn’t to everyone else. That can create what we sometimes call “familiarity blindness,” says San Francisco-based cybersecurity consultant David Meadows.
Even skilled #hackers can be thwarted by basic awareness. #MSPs can be a front-line defense for companies, but they must beware of familiarity blindness to properly educate clients on #CyberSecurity
“Familiarity blindness is when something is so much a part of your knowledge base, that it is second nature. You forget to point it out to others because it is so obvious to you,” details Meadow. With so many moving parts in cybersecurity, it can be easy to overlook the smallest vulnerability and that can lead to big trouble.
When training non-IT people about phishing attempts, don’t fall victim to familiarity blindness. Just because something is second-nature for you, don’t assume it is for others.
Warning signs for clients to monitor
Look at the “from” address: Sometimes hackers are lazy and don’t do a good job spoofing where the email is coming from. Other hackers try to come up with something that looks plausibly legitimate, like “firstname.lastname@example.org” as a return address. A 2-second Google search reveals that is not an authentic Amazon address (Fun fact: Amazon owns over 40,000 domains). In most cases, a quick Google search will be able to tell a person whether the address is legitimate or not.
“This is something most IT people do in their sleep, but can forget to point it out to others,” notes Meadows. “The consequences can be disastrous if someone gets duped by an email that should have never gotten through.” Some hackers are getting so sophisticated in coming up with fake emails that they are getting through even the most aggressive filters.
Big brands: It seems counterintuitive, but it’s not just Amazon emails to keep on peoples’ radar. Emails purporting to be from large brands with many public interfaces, such as UPS, USPS, retailers, and hospitality brands, should receive particular scrutiny. Hackers know these brands are trusted and count on someone to register them as legit quickly. An email that comes to you from your corner dry-cleaner is going to stand out much more. Make sure your clients are not duped by the familiarity of an email that purports to be from a big brand. Emails purporting to be from large brands should receive particular scrutiny. Hackers know these brands are trusted and count on someone to register them as legit quickly. Make sure your clients are not duped by the familiarity of an email that purports to be from a big brand.
Time: What time did the email come in? “This one is trickier because sometimes an email can get held up in transit. Also, in today’s 24/7 work world where people are getting up in the middle of the night and checking their work email, you can’t always rely on the time as a red flag,” admits Meadows. “Still, if you don’t typically get emails at 2 a.m. from an otherwise trusted contact, you might want to slow down a bit and do more digging.”
Typos: Typos are universal. In journalism parlance, they are often known as “speed errors.” We all make typos, and that makes them an unreliable indicator of phishing. That said, if typos appear in combination with other warning signs, that should set off alarm bells. “Please send money to designed account.” The person was trying to say “designated,” but made an error. Combine that with the request for money, and you have a red flag with blinking lights.
Gut feeling: “I always tell people to listen to themselves; they’re usually correct,” states Meadows. If your gut feeling tells you that your favorite online retailer wouldn’t typically be emailing you to follow-up on an order, then disengage right there. Pick up the phone to call them or email them at their legitimate email address.
This is all basic ‘MSP101’ stuff, but if you forget to impart it to the people who are opening the emails and being targeted by phishers, then all the knowledge is for naught.
“Make sure what is familiar to you, is familiar to all of your clients,” emphasizes Meadows.
Photo: Cookie Studio / Shutterstock