This post is the third in a series of what I consider the top ten topics for any security awareness program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the third topic, I feel one of the most important sets of behaviors we need to change is how people handle email and instant messaging. Email is one of the primary ways we communicate. In addition, email is one technology that is almost universal, making it a perfect method for attackers to reach their victims. I also often include instant messaging in this module, as most of the attacks are the same, just over a different protocol. Below are the email/IM behaviors we want to change. Note how all of these attacks depend on social engineering, which we already covered in module 2.
- Attachments: Attackers often send attachments that are infected. We need to make end users aware of these attacks: attackers send emails that build trust with the victim, then fool them into opening the attachment. The behavior we need to change is to get people to think before opening attachments. Was the attachment expected? If not sure, contact the sender or forward the email to your security team.
- Links: These attacks work by fooling end users into clicking on a link. The link then sends the user to a phishing site or a drive-by download site, or has them download and open an infected file (such as a .pdf). The behavior we need to change is to get people to think before clicking on links. Was the link expected? If not sure, contact the sender or forward the email to your security team.
- Scams: These attacks fool people out of their information or money by simply asking for it (the classic lottery scam). The behavior we need to change is to remember that if something sounds too good to be true, it probably is.
- Spear Phishing: High-value organizations can be targeted or singled out by specific attackers. End users need to understand that attacks can be customized specifically to them and their organization.
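The attachment and link behaviors above are the same two things a security team can check mechanically before a suspicious message ever reaches a user. The script below is an added example, not code from the original post: it parses a constructed sample .eml (built inline, not a real message) with Python's standard `email` and `html.parser` modules, flags attachments whose extension is in an assumed list of executable types, and flags HTML links whose visible text names a different host than the real `href`, which is the classic "was this link expected?" mismatch.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumed list of extensions that commonly carry executable content (example only).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".lnk", ".docm", ".xlsm"}


def build_sample_eml() -> bytes:
    """Constructed sample message (not a real email) with a look-alike link and an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@examp1e.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please review at <a href="http://login.examp1e.test/acct">https://portal.example.test</a> '
        'or see <a href="https://example.test/help">our help page</a>.</p>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    # Only compare hosts when the anchor text itself reads like a URL or domain.
    return " " not in text and "." in text


def host_of(value: str) -> str:
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze(raw: bytes) -> dict:
    """Return risky attachment names and every link with a text/href host mismatch flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    risky, links = [], []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and PurePosixPath(fname).suffix.lower() in RISKY_EXTENSIONS:
            risky.append(fname)
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                mismatch = looks_like_url(text) and host_of(text) != host_of(href)
                links.append({"href": href, "text": text, "mismatch": mismatch})
    return {"sender": msg["From"], "risky_attachments": risky, "links": links}


if __name__ == "__main__":
    report = analyze(build_sample_eml())
    print("From:", report["sender"])
    print("Risky attachments:", report["risky_attachments"])
    for link in report["links"]:
        flag = "MISMATCH" if link["mismatch"] else "ok"
        print(f"[{flag}] text={link['text']!r} href={link['href']}")
```

The same `analyze()` function can be pointed at any `.eml` file read as bytes; the host comparison is deliberately conservative and only fires when the anchor text looks like an address, so ordinary "click here" links are reported but not flagged.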