Here at Info Trek, we recently launched a product that we call the solution-based proposal. Its purpose is to help our customers eliminate the trouble they run into when adopting or implementing tools or methods.
While I was preparing the solution-based proposal for cybersecurity, I came across something called phishing tools. These tools help test how vulnerable a company is to phishing.
I am sharing this because I was amazed, and at the same time shocked, by how real a phishing email can look. A phishing email can be indistinguishable from a genuine one, and if the sender has a lot of information about the target, it is no surprise that someone will be tricked by it.
This again reinforces my view that we need to make sure a company's cybersecurity culture is taken care of. I have been saying this for a long time, and that is why all my posts are about how to strengthen a company's cybersecurity culture. Let me share what I was able to do when creating a phishing campaign with such a tool.
What can a phishing email fake?
The tools come with tons of templates to choose from, all of which look very real. For example, I can choose one with a Facebook theme and put in whatever content I want. There is even a Game of Thrones theme. Yes, it is that diverse.
The sender's email address can also be customized, so the address shown in the recipient's mailbox is whatever the attacker chooses. If the attacker knows who in the company usually sends important messages, they will use that person's email address as a mask to trick the receiver.
In the same way, an attacker can set the sender's display name to one the receiver will trust. Scary.
Attackers can also schedule when the phishing emails go out to match the timing and frequency they want. Time zone, start date and how long the campaign lasts are some of the settings they can control.
Ways to prevent it
Scary, isn't it? How can anyone tell which email is real and which is not when there are so many dangers out there? Below are a few ways to deal with it.
Never take action from the email
Let me give you an example. Say you receive an email stating that your Facebook account has been locked and that you need to click a link to recover it. What you should do instead is open your browser, type in www.facebook.com yourself, and check whether your account is really locked. Regardless of what the email says, it is always wise to go through the original source.
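The two tricks described earlier, a forged sender address and a trusted-looking display name, and the "locked account" link above can all be spotted mechanically by looking at what the email actually contains rather than what it shows. The script below is an added example written for this post; it is not the phishing tool's code and not something the post's author ran. It parses a constructed sample message, flags a display name attached to an address outside the company domain (the company domain example.com is an assumption), a Reply-To that goes somewhere other than the From domain, and a link whose visible text names one site while the href points at another.

```python
"""Flag the spoofing tricks a phishing tool can set up: a trusted display
name on an outside address, a Reply-To that diverts answers elsewhere, and
link text that does not match the link target.

Added example for this post; the sample message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the company's own mail domain. Anyone claiming to be a
# colleague but writing from a different domain is suspicious.
COMPANY_DOMAIN = "example.com"

# Constructed sample: the display name says "HR Manager" but the address is
# outside the company, Reply-To goes somewhere else again, and the link
# text says www.facebook.com while the href goes to a look-alike host.
SAMPLE_EMAIL = b"""\
From: "HR Manager Jane Lim" <jane.lim@example-hr-payroll.com>
Reply-To: payroll-desk@mail-updates.net
To: staff@example.com
Subject: Your Facebook account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account was locked. Click <a href="http://facebook.com.account-verify.net/login">www.facebook.com</a> to restore it.</p>
<p>Also send your bank details to HR today.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url: str) -> str:
    """Lowercase host part of an email address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Crude last-two-labels comparison; a real filter would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyse(raw: bytes, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return human-readable warnings for the raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # Display name vs. the address it is actually attached to.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if name and from_dom != company_domain:
        warnings.append(f"display name '{name}' but address is outside {company_domain}: {addr}")

    # Replies silently diverted to a third domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        warnings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # Visible link text vs. where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = domain_of(text) if re.search(r"\w\.\w", text) else ""
            actual = domain_of(href)
            if shown and registered_domain(shown) != registered_domain(actual):
                warnings.append(f"link text says {shown} but href goes to {actual}")
    return warnings


if __name__ == "__main__":
    for warning in analyse(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run it on the sample and it reports all three problems. None of this replaces the advice in this section: the headers and links it checks are exactly the fields the phishing tool lets an attacker set, so the only thing the attacker cannot fake is you typing the real address into your browser yourself.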
Reach out to that person, personally
Say there is an email from the HR manager asking you to send him or her your bank account details and credentials. The first thing to do is reach out to the HR manager, in person or by phone, to confirm. This is the most direct way to know whether the request really came from them.
Another wise way to keep yourself safe from phishing emails is to ignore them entirely. Think about it: if it is important enough, the person or company will call you directly for an immediate response. Anything that can wait is either fake or not urgent. So ignore it, at least until the right person actually calls for your input, and even then we need to be careful (that is a topic for another post).
Trusting your instincts also helps. That is what is unique about us humans: we sense things. So if an email feels wrong, do not act immediately. Instead, use the methods above to check before taking action. Chances are that an email that feels wrong is a phishing email. The best course of action is to not click on anything in the email and instead go through the genuine channel to get things done.
I cannot emphasize this enough: the culture, the people in a company, will always be the key to the company's cybersecurity strength. As mentioned in the previous article on cybersecurity, regardless of how strong your infrastructure and hardware are, if one of the employees, or even the boss, unintentionally hands credentials to the wrong people, every other effort becomes pointless. So it is crucial for C-level executives and every employee in a company to attend a cybersecurity awareness course to strengthen their knowledge of cybersecurity.