Dec 02 2021

How Technology and Awareness Training Help Small Businesses Foil Phishers

Email-based attacks remain the most common tactic of threat actors, but some companies are getting the upper hand.

The emails seemed suspicious from the moment they began arriving. A managing partner at Kerkering Barberio, a Sarasota, Fla.-based accounting firm, was asking for his paychecks to be deposited into a new bank account. When that didn’t happen, he followed up. By the third email, the partner had become angry, demanding to know why the money wasn’t being sent where he wanted.

The reality was that the emails weren’t coming from the partner at all. They’d been sent by a scammer as part of a phishing attack.

This particular attempt failed. However, it illustrates how easily scammers can impersonate executives and then use that air of authority to demand financial payments, request login credential changes or simply get employees to click on malicious links.

“The email looked quite authentic,” says Rob Lane, the partner who was impersonated. “But we’ve made it clear to our employees that we would never ask for payroll data or request a change via email.”

That sort of clear, direct communication is critical in warding off phishing attacks. Technology tools and proper employee training can also help. Kerkering Barberio uses security tools from KnowBe4, including the company’s Kevin Mitnick Security Awareness Training. The tool allows organizations to conduct baseline testing to assess how prone their users are to phishing scams, provides interactive training programs, sends simulated phishing emails to employees and then reports the results.

“Regardless of what industry you’re in, phishing attacks are on the rise,” says Shawn Drourr, IT manager at the firm. “Effective training and user awareness is as important as it’s ever been.”


Phishing Is a Stubborn Problem

Phishing attacks have been around for years, but they continue to hook employees for a variety of reasons, says Joseph Blankenship, vice president and research director for security and risk at Forrester Research.

“If you catch someone with the right message, or at the wrong time, or if they’re distracted, that has a role to play,” Blankenship says. “This is a very human problem. It’s not entirely a technology problem, and it’s not a user problem. It’s about giving the users enough training and awareness so they know what to do when they face the situation.”

The FBI’s Internet Crime Complaint Center received more than 240,000 phishing complaints in 2020, with losses totaling more than $54 million. Blankenship says that according to a 2019 Forrester global survey of security decision-makers, phishing attacks were involved in 23 percent of external data breaches.

The Forrester report outlines a representative phishing instance: A scammer, spoofing a CEO’s email address, asks a low-level employee to run an errand. Then, after the worker replies, the scammer clarifies that the employee needs to buy gift cards for a customer recognition program, using a company credit card or petty cash. By the time the “CEO” asks the employee to send photographs of the card activation codes, the employee’s guard is already down, and he or she may not even think to question the request.

The Forrester report recommends several tools and best practices, including email content filtering and authentication, threat intelligence, and security awareness training. Blankenship adds that any phishing simulations should mirror real-world scenarios as much as possible.

“When you do a simulation, you should do it in a way that takes into account the way that the firm is currently being targeted, using threat intelligence or relying on a vendor to let you know about changing approaches,” he says. “You want to get real-time feedback and then use the reporting to gauge risk and improve over time.”

Phishing Defense Balances Tech and Training

The Swig Company, a national commercial real estate firm based in San Francisco, relies on a mix of technology tools from Mimecast — including Mimecast Email Security, Web Security, Cloud Archive and Internal Email Protect — along with ongoing employee training to beat back phishing attacks.

“It’s a multilevel approach,” says Pavla Luckham, IT director for The Swig Company. “I don’t think any single solution can really stop phishing, but the more obstacles in place for attackers, the better the outcomes.”

Luckham notes that new employees are especially vulnerable to being targeted — and scammers discover the presence of a new employee quickly. “It takes less than a week,” she says, “and these are people in a vulnerable position. They don’t know the people around them yet, they’re overwhelmed, they’re the perfect target. I’m including some training in the onboarding process, but for them, the technology is really the most important part. For someone who’s been trained year after year, they may not need the help of the technology as much because they can more easily recognize communication that is out of character.”

Kerkering Barberio relies on a mix of cybersecurity technologies and user awareness tools to help mitigate the impact of phishing. “It’s a balance,” says Drourr. “You can’t have one without the other. Well, you can, but it won’t be very effective against the bad guys. All it takes is one email.”

Several years ago, the organization leaned toward making login procedures as convenient as possible for users. But since then, it has moved to adopt multifactor authentication across the firm. “Multifactor is the single simplest thing that can be turned on to prevent an account from becoming compromised,” Drourr says. “We don’t view it as an option anymore. If it’s available, it is turned on. If the user were to enter credentials on a spoof page, the bad guys might get hold of the username and password, but without another factor, they’re not getting into the account.”


Phishing Is an Ongoing Battle for Businesses

Luckham notes that companies must continuously train their users to keep phishing and other cyberthreats on the radar. “People get busy, and they forget about security,” she says.

As part of its security awareness training program with KnowBe4, Kerkering Barberio conducts monthly phishing simulations to keep employees sharp. A random sample will receive an email asking them to download an e-fax, for example, or seeking to gain their Office 365 login credentials.

“If someone does fall for the phishing simulation, they are enrolled automatically in a course that tells them why what they did was wrong, and it shows them some of the telltale signs,” Drourr says. “We also encourage all of our users to forward us any emails that they find to be suspicious.”

Over time, each user generates what KnowBe4 calls a “phish-prone percentage” and a risk score, and the company uses those indicators to determine if an employee’s email account should be locked down with tighter security filters. Administrators also provide additional training to users who repeatedly struggle to pass the simulations.

Rather than feeling burdened by the training exercises, employees have expressed satisfaction with the program, Drourr says. Even more important, “The longer we’re in the program, the more the curve of employees falling for the simulations bends downward.”
