No, this is not a political statement, and it has very little to do with the actual forgiveness of student loans. Sorry for the clickbait, but it got your attention, right? You had an emotional or visceral reaction to the title. That's exactly what good phishing and malware-laden emails do: they want you to click, and they want you to read more.
In the next few months, the security industry in the US expects a massive surge of malicious emails related to student loan forgiveness; some of us are already seeing them. This isn't new: the groups behind many of these campaigns keep them relevant by following the news cycle. How do you combat them, how do you train against them, and how do you make sure your employees aren't clicking on them?
The first is through security culture: having users who are skeptical of every email, especially from people they don't usually communicate with. That means confirming that the From address actually matches the sender's name (see ex 1); the email in that example is clearly not from Mark Zuckerberg. It also means not clicking on links or attachments unless they are expecting them, and always hovering over links to make sure the link goes where it's supposed to (see ex 2). Keep in mind that the display name is free text the sender chooses, so check the actual address and its domain rather than the name alone, and watch for lookalike domains both in the address and in the link target.
How do we get all of our employees to this point? While I have been advised by our legal department that advocating corporal punishment may be frowned upon…. the truth is that employees want to be helpful and don't want to click on malware. There are days when it may not seem like it, but most people cannot tell the difference between a malicious email and ordinary spam. I am neither for nor against phishing tests, but the training that goes with them is important. Have your IT/Security team talk to users and explain how to identify and report suspicious emails.
The very last layer is on the security side itself: there are tools! Yeah, I know, but legal says I can't throw a wrench at them. No, I mean tools such as human-driven and AI-backed software that can cut down the amount of phishing that reaches users and analyze an email before the user receives it. These come in many forms, and there are many different things they can do, such as:
- Verify the sender, for example by checking that the message passes SPF, DKIM and DMARC and that the display name lines up with the real address
- Detonate the links and files in a sandbox to see whether they are malicious
- Use machine learning to see whether the language in the email resembles known phishing campaigns
- Check the signatures/hashes of the files against databases of known malware
- Minimize the time the security team spends analyzing the email itself.
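Here is what the checks above look like when a tool does them instead of a user's eyes: the display-name versus From-address check and the "hover over the link" check from the security-culture section (ex 1 and ex 2), plus the sender verification and file-hash items from the list. This is an added Python example written for this edit, not code from the post or from any product it mentions. Everything in it is constructed: the sample message, the `EXPECTED_SENDER_DOMAINS` directory, the `mx.corp.example` gateway name and the known-bad hash set are assumptions standing in for a real sender directory, a real mail gateway and a real reputation feed.

```python
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Everything below is constructed for this example: no real message, domain or IOC.
# Directory of people attackers impersonate -> domains their mail really comes from.
EXPECTED_SENDER_DOMAINS = {"mark zuckerberg": {"facebook.example"}}
# Stand-in for a hash-reputation feed: SHA-256 of a 12-byte DOS/PE header stub.
BAD_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}
# Only our own gateway's Authentication-Results header is trusted; a sender can forge one.
OUR_AUTHSERV_ID = "mx.corp.example"

SAMPLE_EMAIL = (
    b'From: "Mark Zuckerberg" <noreply@facebook-support-alerts.example>\r\n'
    b"To: employee@corp.example\r\nSubject: Student loan forgiveness: action required\r\n"
    b"Authentication-Results: mx.corp.example;\r\n"
    b" spf=fail smtp.mailfrom=facebook-support-alerts.example;\r\n"
    b" dkim=none; dmarc=fail header.from=facebook-support-alerts.example\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><p>Your forgiveness application is ready.</p>"
    b'<a href="http://studentaid-gov.example/login">https://studentaid.example/login</a>'
    b"</body></html>\r\n--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="application.pdf.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(BAD_SAMPLE) + b"\r\n--b1--\r\n"
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the user sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Run the post's checks over one raw message; return (finding, detail) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Display name vs. real From address. The name is free text chosen by the
    #    sender; only the address and its domain mean anything.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = EXPECTED_SENDER_DOMAINS.get(name.strip().lower())
    if expected and domain not in expected:
        findings.append(("display-name-mismatch", f"{name!r} sent from {domain}"))
    if "@" in name and name.rsplit("@", 1)[-1].lower() != domain:
        findings.append(("display-name-mismatch", f"address inside display name: {name!r}"))
    # 2. SPF/DKIM/DMARC results as recorded by our own gateway.
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip()
        if text.startswith(OUR_AUTHSERV_ID):
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
                if result.lower() != "pass":
                    findings.append(("auth-fail", f"{method}={result}"))
    # 3. Does each link go where its visible text says? The "hover over the
    #    link" check, done on the HTML instead of by eye.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            real = (urlparse(href).hostname or "").lower()
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != real:
                findings.append(("link-mismatch", f"shows {shown}, goes to {real}"))
    # 4. Attachments: hash against the known-bad set; flag double extensions.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            findings.append(("known-bad-attachment", fname))
        if re.search(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|js|vbs|bat)$", fname, re.I):
            findings.append(("double-extension", fname))
    return findings
```

Running `triage(SAMPLE_EMAIL)` flags all five problems in the constructed message: the display name that does not match the sending domain, the failed SPF/DKIM/DMARC results, the link whose visible URL and real target differ, the attachment whose hash is on the known-bad list, and its `.pdf.exe` double extension. The gateway name check on the Authentication-Results header matters: anyone can add that header to a message they send, so only the copy stamped by your own mail server is evidence of anything.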
As much as I wish there were one pill to fix it all, the truth of the matter is that a combination of everything above is ideal, and we rely on our co-workers, employees, and employers to have a skeptical attitude about the data and communications we receive. There is a lot of money in the world of email scams, and we have to be cautious about who we are opening emails from. Remember….
Follow Max on LinkedIn