Empowering Leaders to Train Employees as Human Firewalls: Key Strategies for Cyber Resilience



Adversaries favour phishing email as an attack vector because of its high success rate, which results in significant losses. Here are a few cyber incidents in which phishing emails were used as the attack vector.

  • Sony Pictures Attack - A series of spear-phishing emails sent to Sony employees led to a massive data breach. The attackers posed as company colleagues and sent malicious emails containing malware to unsuspecting employees. The attack resulted in the theft of over 100 terabytes of company data, including newly released files, financial records, and customer data. The total cost to Sony was more than $100 million.
  • Google and Facebook Scam - A business email compromise (BEC) campaign that began with phishing emails turned into a long-running scheme. The attacker posed as a computer parts vendor and sent a series of fake invoices between 2013 and 2015. Google and Facebook paid out more than $100 million before the fraud was discovered.
  • Ubiquiti Networks Attack - Using employee and CEO impersonation in phishing emails, attackers stole $46.7 million from this tech company. The spear-phishing emails tricked employees into providing the usernames, passwords, and account numbers needed to transfer funds out of a Ubiquiti subsidiary in Hong Kong.
  • Crelan Bank Attack - Belgium's Crelan Bank fell victim to a CEO fraud attack that began with a phishing email directed at the organization's finance department. Criminals posed as the CEO and directed the finance department to wire tens of millions of dollars overseas. The total loss amounted to $75.8 million.
  • Colonial Pipeline Attack - While the direct financial loss from the ransomware was $4.4 million, the attack, which is believed to have started with a phishing email, had far-reaching consequences. It led to the shutdown of nearly half of the U.S. East Coast oil supply for a week, causing a significant economic impact.
  • Levitas Capital Attack - A whaling attack (a type of phishing targeting high-level executives) against the co-founder of this Australian hedge fund led to $800,000 in direct losses. More significantly, the reputational damage caused the fund to lose its biggest client and ultimately shut down operations.

Cyber Awareness Month Day 2: Spot the Phishing Email Red Flags!

Phishing emails can be caught if end users are trained to identify their red flags.

  1. Action Required - phishing emails always ask the recipient to take some action, such as filling out a form, logging in, or clicking a link.
  2. Sense of Urgency - they always set a deadline for that action, such as "log in within 24 hours to protect your account."
  3. Sense of Fear - the email creates fear, for example that your account will be blocked or your parcel will be returned.
  4. Warning Banner for External Email - Many organizations configure the email client so that a message from a sender outside the organization is displayed with an external-sender warning. This can be one of the most important red flags for catching phishing emails.

Stay alert by watching for these warning signs:

Suspicious Sender: The email is from an unknown or unusual sender. Double-check the sender's address for misspellings or strange domains.

Generic Greetings: Legitimate companies will usually address you by name. Be cautious of emails starting with "Dear Customer" or "Dear User."

Urgency & Fear Tactics: Watch for urgent language like “Act Now” or threats like “Your account will be suspended.” Scammers want you to panic.

Unexpected Attachments/Links: Be wary of unsolicited attachments or links. Hover over links to preview the URL before clicking.

Spelling & Grammar Errors: Professional emails are typically polished. If you spot spelling or grammatical mistakes, it could be a phishing attempt.

Too Good to Be True Offers: If an offer seems overly generous or too good to be true, it probably is.

Unusual Requests: Be cautious if asked to provide personal or financial information via email. Legitimate companies won’t request sensitive info this way.
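As an added example (not part of the original post), a small Python checker that applies the red flags above to a raw email: it reports an external sender, a look-alike brand domain, a generic greeting, urgency and fear wording, a request for credentials, and a link whose visible text points at a different domain than its real target. The organisation's domain, the brand list, the keyword lists and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # constructed: the organisation's own domain
KNOWN_BRANDS = ("paypal.com", "microsoft.com")  # constructed: brands worth a look-alike check
KEYWORDS = {  # red flags 1-3 plus the "generic greeting" and "unusual request" signs
    "generic greeting": ("dear customer", "dear user", "dear valued"),
    "urgency or fear": ("act now", "within 24 hours", "suspended", "blocked", "will be returned"),
    "asks for sensitive info": ("password", "username", "account number", "verify your identity"),
}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):  # Levenshtein; catches look-alike domains such as paypa1 vs paypal
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(s):  # domain of an e-mail address or URL, lower-cased; '' if none
    m = re.search(r"@([^>\s]+)|://([^/\s]+)", s)
    return (m.group(1) or m.group(2)).lower() if m else ""

def red_flags(raw_email):  # returns the red-flag labels found in one non-multipart message
    msg = message_from_string(raw_email)
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()  # strip tags before keyword checks
    flags = []
    if sender and sender != INTERNAL_DOMAIN:
        flags.append("external sender")  # what the external-sender banner (red flag 4) warns about
    if any(0 < edit_distance(sender, b) <= 2 for b in KNOWN_BRANDS):
        flags.append("look-alike sender domain")
    flags += [label for label, words in KEYWORDS.items() if any(w in text for w in words)]
    # Visible link text is a URL on a different domain than the real target (the hover check).
    if any(domain_of(a) and domain_of(a) != domain_of(h) for h, a in LINK_RE.findall(body)):
        flags.append("link text hides a different URL")
    return flags

# Constructed sample message that shows the red flags listed in the post.
SAMPLE = """From: "PayPal Security" <alerts@paypa1.com>
Subject: Action required
Content-Type: text/html

<html><body>Dear Customer,<br>Your account will be suspended unless you verify your identity
within 24 hours. <a href="http://paypa1.com/verify">https://www.paypal.com/login</a></body></html>
"""
```

Running `red_flags(SAMPLE)` returns all six labels; an ordinary internal message with none of these traits returns an empty list.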



Stay sharp, stay safe! #CyberSecurity #PhishingAwareness #CyberAwarenessMonth #leadership #ciso #ceo #opentowork #cyberawareness #October #endusers

Yashasvi Yuvraj

ISC2 | CEH | Incident Response | Threat Detection | Cyber Threat Hunting

1 month

Excellent points, Aman! To further illustrate the red flags of phishing emails, I have attached an example of some key indicators to watch out for. #cyberawarenessmonth
