LegalSEC® - Cybersecurity


Phishing Threat Protection – It is a Must Have

By Mike Kirton posted 11-26-2014 11:47

  

My firm has a comprehensive Security Awareness Program in place and requires all employees, no exceptions, to participate. I have conducted numerous security awareness sessions in all of my offices and have placed special emphasis on the dangers of clicking links in emails. I hired a security firm to conduct a phishing campaign and while the results were better than I expected, there was room for improvement. The phishing campaign was a great tool for measuring where we were on this issue and where we needed to place additional emphasis. I really thought I had gotten through to people based on the number of “suspect” emails forwarded to me each day to verify if they were legit or not. Some of those, quite frankly, make me shake my head. You know what I mean.

 

A while ago my SPAM and virus scanning vendor began offering a phishing threat protection service. The URL in any inbound internet email is rewritten, and when the user clicks on the link it routes back through the vendor and a security check of the destination site is performed. Access to the destination is either allowed or blocked. If blocked, the user receives a notification as to why they are being blocked, and an IT administrative group is notified that the access was attempted. Fearing false positives, I have pretty much stayed logged into the service’s administrative portal so I can react quickly to false positives and perhaps “allow” the destination before the user calls the help desk. Because, you know, sometimes the user has to try the link two or three times before they are convinced they cannot reach the destination – kind of like printing when there is a printer issue. I must say, I was disappointed by the number of alerts I was receiving on a daily basis. Still some educating to do. By the way, false positives have not been much of an issue.
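The rewrite-and-check flow described above, as an added illustration that is not the vendor's code or this post's own material; the redirector host, the block and allow lists, the recipient address and the sample message are all constructed for the example:

```python
import re
import urllib.parse
from dataclasses import dataclass, field

# Hypothetical redirector the vendor controls; every inbound link is pointed here.
REWRITE_HOST = "https://click.example-vendor.test/check"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str, recipient: str) -> str:
    """Rewrite each URL in an inbound message so the click is checked at click time."""
    def _wrap(m: re.Match) -> str:
        url = m.group(0).rstrip(".,;:)")          # keep sentence punctuation out of the link
        tail = m.group(0)[len(url):]
        query = urllib.parse.urlencode({"u": url, "user": recipient})
        return f"{REWRITE_HOST}?{query}{tail}"
    return URL_RE.sub(_wrap, body)


@dataclass
class ClickGateway:
    """Click-time checker: allow or block the destination, alert admins on a block."""
    blocklist: set = field(default_factory=set)   # hosts known to be malicious
    allowlist: set = field(default_factory=set)   # admin overrides for false positives
    admin_alerts: list = field(default_factory=list)

    def handle_click(self, rewritten_url: str) -> dict:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(rewritten_url).query)
        target, user = qs["u"][0], qs["user"][0]
        host = (urllib.parse.urlsplit(target).hostname or "").lower()
        if host in self.allowlist:
            return {"action": "allow", "target": target, "reason": "allowed by administrator"}
        if host in self.blocklist:
            # Tell the user why, and record the attempt for the IT admin group.
            self.admin_alerts.append({"user": user, "target": target})
            return {"action": "block", "target": target,
                    "reason": f"{host} is a known phishing destination"}
        return {"action": "allow", "target": target, "reason": "no threat found"}

    def allow_host(self, host: str) -> None:
        """Administrator override for a false positive."""
        self.allowlist.add(host.lower())


# Constructed sample: a plausible-looking message whose link points at a blocked host.
SAMPLE_BODY = "Please review the invoice at http://invoice-portal.example.test/doc?id=42 today."
rewritten_body = rewrite_links(SAMPLE_BODY, "jane@firm.example")
if __name__ == "__main__":
    gateway = ClickGateway(blocklist={"invoice-portal.example.test"})
    print(rewritten_body)
    print(gateway.handle_click(URL_RE.search(rewritten_body).group(0)))
```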

 

One day a couple of weeks ago I received a phishing threat protection notification so I took a quick glance and I found nothing suspicious about the email. The sender appeared valid, it appeared to be business related and the URL wasn’t all “jacked up” like you would expect in a phishing email. Thinking it was a false positive, I was just about to click "Allow" when I received a call from my user. She stated she received an email and thought it was legit and clicked on the link but was blocked by the phishing threat protection system. She then proceeded to tell me she contacted the apparent sender and the sender informed her they did not send the email and had received a few calls inquiring about the same email. This is when I realized the necessity of a security measure such as phishing threat protection. You can educate all you want but you can’t expect your user to identify issues in emails when there doesn’t appear to be any.

 

Phishing threat protection is a no-brainer must-have in my opinion. It’s something you simply must add to your security arsenal just like firewalls, complex passwords, antivirus, etc. Contact your vendor today and find out if they offer such a service.
