Companies in Spain are being targeted by a ransomware group that uses phishing emails to distribute LockBit Locker ransomware. According to a recent warning issued by the Central Cybercrime Unit of the Policía Nacional, the campaign has a very high level of sophistication and has so far targeted architecture companies; however, the campaign may be expanded to target other sectors.
LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct ransomware attacks in exchange for a cut of any ransoms they generate. LockBit is one of the most active ransomware groups and was the most deployed ransomware variant in 2022. The LockBit Locker group conducting this campaign claims to be affiliated with the notorious LockBit group; however, those claims have yet to be verified. What is known is that this is a highly capable group that conducts sophisticated attacks targeting specific industry sectors. The lures and communications used in these attacks are very difficult to distinguish from genuine communications from legitimate companies.
The group appears to have adopted tactics used by business email compromise (BEC) threat actors who build trust with the victim over several emails. An initial communication is sent to a company and the threat actor then engages in conversations over several emails to make it appear that the firm is engaging with a legitimate company that is seeking their services.
The Policía Nacional described one of the attacks, which saw the initial email sent from the non-existent domain, fotoprix.eu. The threat actor claimed to be a photography company looking for a quote from architecture firms for a renovation of their premises. The targeted company responded to the initial email, then the threat actor exchanged several more messages before proposing a date to hold a meeting to finalize the budget. As a prerequisite, documents were sent via email that contained specifications for the proposed renovation to allow the architecture form to provide an accurate quote. The archive file attached to the email contained a shortcut file that executes a malicious Python script, which establishes persistence and executes the LockBit Locker payload to encrypt files. A ransom demand is then dropped on the encrypted device, payment of which is required to recover files.
Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) which is why it is so important to provide ongoing security awareness training to the workforce. This campaign is especially concerning because of the effort the threat actor is putting into the impersonation of a potential customer. Ransomware groups often copy each other’s tactics, and if this campaign proves to be successful, the same TTPs are likely to be used by other groups.
It is therefore recommended to incorporate these TTPs into your security awareness training and make sure that employees are made aware of this new method of attack. Companies that use TitanHQ’s SpamTitan solution can easily provide training to the workforce on specific tactics through short training modules and incorporate new tactics in their phishing simulations. Phishing simulations can be quickly and easily spun up through the platform in response to changing TTPs and administrators will be able to get instant feedback on the likelihood of employees falling for a campaign. A phishing simulation failure will immediately trigger a training module specific to the threat, ensuring employees are provided with the additional training they need to avoid similar threats in the future.
Call TitanHQ today for more information on the SafeTitan security awareness training and phishing simulation platform and find out how it can significantly improve your company’s security posture.
TitanHQ has made several enhancements to its suite of cybersecurity solutions this month, including an update to the SafeTitan security awareness training and phishing simulation platform to better meet the needs of Managed Service Providers (MSPs) and the release of a new version of the WebTitan DNS-based web filtering solution – Version 5.03, which is now being rolled out for all customers. SpamTitan spam-filter users are also due to get an upgrade, with version 9.01 of the platform due to be released.
The SafeTitan update added a new Auto Campaigns feature for MSPs to better meet the needs of their SMB clients and protect them against increasingly sophisticated phishing threats. While it is vital to have an email security solution such as SpamTitan in place to block email-based threats, workforces also need to be provided with security awareness training to ensure they have the skills to recognize and avoid the full range of cyber threats.
The SafeTitan platform can be used by SMBs for training their workforces and giving them practice at identifying threats and also by MSPs to meet the training needs of their clients. The new Auto Campaigns feature is an automation tool that allows MSPs to reduce the time spent planning and managing security awareness and phishing simulation campaigns for their SMB clients. The AI-driven feature helps MSPs streamline the security training process and improve efficiency while saving time and resources. The Auto Campaigns feature allows MSPs to create an annual set of phishing simulation campaigns for all clients within minutes.
WebTitan is an award-winning web filtering solution that is used by thousands of SMBs, enterprises, and MSPs for controlling access to the Internet and blocking web-based cyber threats. The latest version of the platform includes several new features and bug fixes.
Users now benefit from a new summary report page, the custom block page has a new layout, and several new features have been added. These include support for the customization of the global default policy on the MSP level, which allows the application of a custom default policy on the creation of a customer account. Support has been added for the customization of the default policy on the customer level, it is now possible to inherit the allowed & blocked domains from the customer default policy, and support has been added for allowing/blocking a top-level domain (TLD) on a customer policy and global domains.
SpamTitan is due for an imminent upgrade which will include several new, advanced MSP features. Version 9.01 will have a new history/quarantine feature for MSPs, that will allow them to quickly act on customer emails at the MSP level. Link Lock inheritance has been added at the MSP level to avoid having to drill down to individual domains to make changes, and a new pattern filtering feature has been added which simplifies SpamTitan administration for MSPs and allows them to secure all customers from one place. There is also a simplified mail view, which improves the user experience and makes email analysis simpler.
MSPs also have an Other Products option, which allows them to easily offer other products in the TitanSecure bundle to customers – ArcTitan email archiving, WebTitan web filtering, and SafeTitan security awareness training – and provide a comprehensive, multi-layered security defense system to customers.
A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.
Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.
Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NortPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in the memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.
Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.
The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.
Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.
Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.
TitanHQ has updated its SafeTitan security awareness training platform to better meet the needs of Managed Service Providers (MSPs) by adding a new feature – Automatic Security Campaigns. The new feature allows MSPs to create an annual set of phishing simulations for their clients to streamline security campaign planning.
All companies should be providing security awareness training to the workforce to improve awareness of the types of threats each employee is likely to face, and security awareness training programs should incorporate ongoing phishing simulations to give employees practice at identifying potential threats outside of a training setting. While the percentage of businesses providing security awareness training is increasing, many have yet to create a program, and those that have often find it is not as effective as they expected. This is an area where MSPs can help and ensure companies get the maximum return on their investment in training.
By signing up with TitanHQ, MSPs can provide security awareness training through the SafeTitan platform. SafeTitan includes an extensive library of training content that allows MSPs to create training programs to meet the needs of each company and tailor the training for different employee groups within the company to ensure it is relevant. The training content is proven to improve understanding of threats and reduce susceptibility to phishing and other social engineering attacks. Training courses can be created quickly and the provision of training automated, with employee progress tracked and client reports scheduled to keep them up to date on how training is progressing.
Conducting phishing simulations is also straightforward, but thanks to the new Automatic Security Campaigns feature, MSPs can create and run phishing simulations more efficiently, spend less time managing the campaigns, and boost the profitability of their security awareness and phishing simulation service. MSPs can use this feature to schedule phishing simulations using messages of varying types, at the desired required frequency, over the course of the year – a process that takes just a few minutes.
“By introducing automated campaign scheduling to SafeTitan, we are empowering our MSP partners to optimize their security training efforts, boost productivity, and deliver exceptional results to their clients,” said Ronan Kavanagh, CEO, TitanHQ. “This new feature aligns perfectly with our MSP First Strategy and provides innovative solutions that simplify the complexities of managing a client’s security awareness training.”
Phishing is still the most common method used by cybercriminals in attacks on businesses, as has been confirmed by a new survey of IT security and identity professionals. The Identity Defined Security Alliance recently conducted a survey on 529 IT security professionals and identity professionals at organizations with more than 1,000 employees and found 62% had experienced an identity-related incident in 2022, and out of those, 93% said they had experienced an email phishing incident.
Phishing is popular with cybercriminals as it is easy to conduct campaigns, which can be largely automated and require little skill. These campaigns are low cost and they are effective, as people can easily be fooled into disclosing their credentials or downloading malicious files. Email remains the most common vector used for phishing, with emails usually including a web-based component. Users are directed to malicious websites where malware is downloaded, or their credentials are harvested.
Phishing campaigns can be made even more effective if the emails are targeted. General phishing emails that are sent in massive spamming campaigns will attract a low number of responses but certainly enough to make these campaigns worthwhile; however, by targeting small numbers of individuals the response rate increases dramatically. Spear phishing involves tailoring emails for a specific group of people or researching individuals and sending personalized phishing emails. The survey revealed 49% of respondents had experienced spear phishing attacks in the past year.
Phishing is no longer solely conducted via email, and attacks involving other attack vectors have been steadily increasing. SMS and instant messaging platforms are commonly used for phishing. These phishing attacks are referred to as smishing attacks and phishing can occur over the phone – termed vishing. 27% of respondents said they experienced smishing or vishing attacks in the past year.
Phishing attacks can be extremely costly for businesses. These attacks are conducted to gain initial access to business networks to steal sensitive data, which can be used in a wide variety of ways. Once access to networks is gained and all valuable data has been stolen, access to those networks is often sold to other threat actors such as ransomware gangs for follow-on attacks. Businesses are also increasingly being sued for data breaches by employees and customers, the attacks take time to remediate causing business disruption and often result in significant reputational damage.
Phishing attacks are increasing in sophistication as well as number. While it was once sufficient to implement a spam filtering solution and antivirus software to block attacks, defenses have had to become more comprehensive and sophisticated and provide multiple layers of protection.
TitanHQ solutions can form the basis of a robust defense against phishing. TitanHQ offers three cybersecurity solutions that work seamlessly together that can be used by businesses to mount a formidable defense against phishing attacks, with each solution tackling the threat of phishing from a different angle.
The first layer of defense comes from SpamTitan Email Security – An advanced email security solution for blocking phishing and spam emails, including attacks seeking credentials and those delivering malware. SpamTitan incorporates anti-virus software (dual AV engines) for detecting known malware variants, and behavioral analysis through email sandboxing for detecting zero-day (unknown) malware threats.
Protection against the web-based element of phishing comes from the WebTitan DNS filter, which is used to prevent employees from visiting malicious websites and for controlling access to the Internet through category and keyboard-based web filtering. WebTitan blocks downloads of malicious files and risky file types, and secures the DNS to block command-control callbacks. WebTitan not only blocks phishing attacks via email but also phishing and other malicious websites encountered through web browsing, such as via redirects to malicious websites from online adverts (malvertising).
The third layer of protection is concerned with improving human defenses, which is vital considering that more than 80% of data breaches involve the human element (Verizon Data Breach Investigations Report). SafeTitan is used to create effective security awareness training, tailored to meet the needs of each business and individual. The platform includes a huge library of training content that can be tailored for user groups and individuals which covers all aspects of security. Through SafeTitan training, businesses can raise awareness of threats and eradicate bad security practices. The solution also includes a phishing simulator for testing employees, which delivers on-the-spot training in real-time in response to security mistakes.
Cybercriminals are unlikely to stop conducting attacks and they are only likely to increase in number and sophistication. Businesses therefore need to make sure their defenses are up to scratch. For more information on these TitanHQ solutions, contact the sales team today. You can also take advantage of free trials of these solutions to test them before deciding on a purchase.
Business email compromise (BEC) is big business. For several years, BEC attacks have been the leading cause of losses to cybercrime according to the Federal Bureau of Investigation (FBI). Over the past 5 years, BEC incidents have resulted in more than $43 billion in losses globally, with $83,883,493 in reported losses to BEC scams in 2022.
BEC, also known as email account compromise (EAC), is a sophisticated scamming technique that targets employees and the businesses they work for. These attacks can be conducted to obtain sensitive information such as W-2 forms, which can be used for large-scale tax fraud, but most commonly attempt fraudulent payments, where an employee is tricked into changing payment details for an upcoming payment.
BEC attacks usually start with phishing emails. These can be general phishing emails to gain access to any employee email account, which is then used to send further phishing emails within a company and to vendors to get the high-value email credentials that the attackers seek. Alternatively, spear phishing emails are crafted on well-researched targets, such as employees in the finance department of a company who are likely to have responsibility for making wire transfers or employees at vendors who handle customer accounts. Social engineering techniques are used in the phishing emails to trick the targets into disclosing their credentials.
When access is gained to a targeted email account, the attacker can learn a great deal about the company and can identify vendors/clients, view invoices, and learn about upcoming payments. The style of the target’s emails can be identified, so emails can be carefully crafted using a similar writing style and language to prevent the scam from being detected. A request is then made via email to change banking details for an upcoming payment to attacker-controlled accounts. These accounts are commonly created at overseas banks in Thailand, Hong Kong, China, Mexico, and Singapore.
When the payment is made, funds are rapidly transferred to other accounts or are withdrawn, often before the fraudulent payment is detected. The payments are often large – tens of thousands, hundreds of thousands, or millions of dollars. One common tactic used in BEC attacks is to impersonate construction companies. Research is conducted online to identify a company’s current work projects, and company email accounts are targeted. When access to accounts is gained, the scammers identify contact information, bid information, and project costs.
Construction projects often involve regular payments during construction, so the attackers change bank account information for an upcoming sizable payment. The client of the construction company expects to make a payment, so a simple change of bank account information is unlikely to arouse suspicion, especially since the request comes from a genuine company domain and email account with the correct logos and footers. Oftentimes, the victim has been communicating with the construction company through the same email account. Email communications between the victim and the scammer can span several emails, with the attackers taking their time before making the request. Reports of losses to the FBI between 2018 and 2020 show the fraudulent payments range from around $10,000 to $4 million.
Defending against BEC attacks requires a combination of measures that aim to block the initial account compromise, detect any compromises, identify suspicious requests, and monitor accounts for any irregularities. Advanced phishing defenses are required to block the initial phishing attacks where account credentials are obtained. SpamTitan performs a barrage of tests to identify and block phishing and spear phishing emails. These attacks can involve spoofing rather than email account compromise, and SpamTitan solutions can detect and block emails from fake accounts as well as malware, which is often used to gain initial access to networks before pivoting to email accounts.
SpamTitan also incorporates machine-learning detection mechanisms to identify deviations from the standard emails that a business usually receives, which can identify and block the initial phishing emails and fraudulent emails sent from compromised accounts, since checks are performed on inbound and outbound emails. 2-factor or multi-factor authentication should also be enabled for all company email accounts.
2-factor authentication processes should also be established for any changes to account information. Any request to change account information or change upcoming payments should be verified using a second authentication mechanism such as a telephone call to a verified contact number. Staff should also be provided with security awareness training to alert them to phishing and BEC attacks. SafeTitan security awareness training has extensive training content on phishing and BEC attacks and allows training courses to be easily developed and automated for the specific employees who are likely to be targeted in these scams to provide them with advanced training on how to detect BEC attacks.
For more information on improving email security and security awareness training, contact TitanHQ. TitanHQ solutions are available on a free trial, with full access to customer support for the duration of the trial to help you get the most out of the products.
On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.
In 2020, healthcare cyberattacks increased by 55% breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately at the federal level to improve resilience to cyberattacks and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.
In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and training them on how to recognize the specific threats they are likely to encounter.
The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.
Administrators can easily develop training courses for individual employees, roles, and departments to ensure it is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors such as failed phishing simulations and security errors, such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.
The platform also has enterprise-level reporting, which provides executives with a 360 view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.
If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, to sign up for a free trial, get in touch with the TitanHQ U.S. team today.
Business email compromise tactics commonly change, so businesses need to ensure that they provide regular security awareness training to their workforce. Businesses that implement an ongoing security awareness training program can ensure that all employees are made aware of the emerging tactics so that when a threat is received, they will be able to identify it as such and report it to their security team.
BEC attacks typically involve spoofing an individual or company to get an individual to make a fraudulent wire transfer to an attacker-controlled account. The FBI has recently reported that tactics are becoming more sophisticated, and telephone numbers are also being spoofed. When the targeted individual calls to verify the authenticity of the emailed request, they speak with the scammer. It is vital to ensure that employees are told to verify the authenticity of any out-of-band requests for payments, changes to account details, requests for gift cards, and other common scam tactics but to ensure that verified contact information is used, and never the contact information supplied in the email.
Another BEC tactic that is becoming increasingly common attempts to obtain goods under false pretenses, instead of tricking people into making wire transfers. This tactic is often adopted by less advanced threat actors, as they do not have to recruit the money mules to accept the payments. According to the FBI, scammers are impersonating the email domains of U.S. companies and are spoofing emails with the real names of company employees, so if checks are performed, they will be passed.
The scammers trick vendors into believing they are conducting legitimate business transactions and fulfilling purchase orders for distribution to new customers. Scams identified by the FBI include the targeting of vendors of agricultural equipment, construction materials, computer hardware, solar energy products, and more. The goods are distributed and by the time the scam is identified, they have been moved on and cannot be traced or recovered. Since these purchase orders are often for bulk goods, thousands or hundreds of thousands of dollars can be lost.
Businesses often provide new customers with credit repayment terms such as net-30 or net-60, where they are not required to pay for the goods for 30 or 60 days. That means by the time the scam is identified the goods have long since been moved and sold. Businesses naturally conduct credit checks before offering those terms, but the attackers are supplying fake credit references and fraudulent W-9 forms to vendors to get the payment terms to allow them to purchase goods without any upfront payment.
The best way to protect against these scams is to ensure that you have an advanced email security solution in place – Such as SpamTitan – to block the initial contact via email. However, it is also important to provide security awareness training to the workforce.
SafeTitan is a modular training platform that allows businesses to develop custom training courses for different individuals, roles, and departments, and to ensure that the training provided is relevant. The platform includes hundreds of training modules and can be tailored to meet the needs of all organizations. The training content is regularly updated to include the latest tactics that are being used, allowing businesses to keep all members of the workforce 100% up to date on the latest threats.
Administrators can trigger training modules for all members of the workforce when new threats are identified. The modules are easy to fit into busy workflows and take no longer than 10 minutes. Through SafeTitan security awareness training, businesses can develop a security culture and greatly reduce susceptibility to phishing and BEC attacks. Data from the SafeTitan phishing simulation platform shows businesses can reduce susceptibility to email scams by up to 80% over time through email attack simulations.
For more information on SafeTitan Security awareness training and phishing simulations contact TitanHQ today.
Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.
In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.
BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.
One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.
In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.
Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering service is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.
Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.
TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.
The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.
Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.
Cyberattacks on businesses increased during the pandemic and have continued at high levels since. Fortunately, businesses have responded and are taking cybersecurity seriously and have increased investment in cybersecurity. Data from ESG research suggests 65% of organizations are planning to increase investment in cybersecurity in 2023. While there is room for improving technical defenses to block more attacks and identify and address vulnerabilities faster before they can be exploited, it is important not to neglect the human element, which according to Verizon’s 2022 Data Breach Investigations Report, is a factor in 82% of data breaches.
While simple errors can easily lead to data breaches, many are the result of a lack of understanding of security. There is also a common view among employees that cybersecurity is the sole responsibility of the IT department. It is true that one of the roles of the IT department is to ensure that technical measures are implemented to block cyber threats and that vulnerabilities are identified and addressed promptly, but even companies that invest heavily in IT security still suffer data breaches, and that is because even sophisticated defenses can be bypassed.
Technology and hardware will block the majority of threats, but employees are still likely to encounter phishing, social engineering scams, business email compromise, and malware, and need to be provided with proper education to improve awareness of those threats and be taught the skills to allow them to identify and avoid cyber threats. The workforce needs to be educated on all aspects of security, not just how to identify a phishing email. Take password security for example. Password policies can be implemented, and employees provided with password managers, but as the recent credential stuffing attack on NortonLifeLock users revealed, many users of that password manager set a master password for their password vault that had been used elsewhere on the internet, which allowed the hackers to access their accounts.
By providing security awareness training, businesses can improve the baseline knowledge of the workforce, make sure everyone is aware of the threats they are likely to encounter, and security best practices can be taught, along with the importance of always following those best practices. The ultimate aim of security awareness training is to develop a security culture, where everyone in the organization understands that they have a role to play in the cybersecurity of the organization and that cybersecurity is not just a matter for the IT department.
Unfortunately, it is not possible to get to that point overnight. Providing a one-time security awareness training session is not enough and even conducting annual training sessions is unlikely to result in behavioral change. For training to be effective and to change employee behavior, training needs to be provided continuously, with short training sessions conducted regularly throughout the year. Training also needs to be individualized. There is no point in providing a single training course to every employee, as training needs to be role-specific and cover the specific threats each employee is likely to encounter.
The training also needs to be engaging to get employees to take the information on board, and training needs to be regularly reinforced. One of the best ways to do this is through phishing simulations, which test whether employees have understood the training and if they are applying that training day in, day out. Employees should also be empowered to help with cybersecurity by providing a phishing reporting button as an email client add-on, so they can alert the IT department when a suspicious email is encountered. Organizations that provide their workforce with training using the SafeTitan platform and conduct regular phishing simulations through the platform report significant improvements in security. Phishing simulation data also shows improvements in employee susceptibility to phishing attacks, with organizations seeing reductions of up to 92% in click rates by employees.
With 2023 looking like it will be another year with high levels of cyberattacks, January is the ideal time to review your security awareness training programs, make improvements, and implement a training program if you are not yet providing training to your employees. TitanHQ is here to help. Give the team a call today to find out more about how SafeTitan can benefit your business.
Phishing is one of the most common ways that cybercriminals attack businesses. Phishing is used to install malware and steal credentials, both of which will provide them with initial access to the network. Since phishing targets individuals, one of the most important steps to take to prevent phishing attacks is to provide security awareness training to the workforce.
Employees should be warned about the risk of phishing attacks and taught what to look for to help them identify, avoid, and report phishing threats. Training alone is not the answer though, as employees need practice at identifying phishing. Phishing simulations should therefore be conducted. These are realistic but fake phishing emails that are sent to all members of the workforce, the responses to which are tracked. When a user fails a phishing simulation, they can be provided with relevant training to help them identify similar threats in the future and to correct any risky behaviors. The combination of security awareness training and phishing simulations – both of which are provided through SafeTitan – can reduce susceptibility to phishing attacks by up to 80%.
Security awareness training should teach employees the red flags that indicate a phishing attempt. Employees should also be encouraged to report phishing attempts to their security team, as there is a good chance that the phishing email will not be the only such threat in the email system. When these threats are reported, security teams can remove all other copies of that message from the email system, thus preventing other users from being exposed to the threat. It is also important to encourage users to report phishing threats that they have responded to, as the faster the security team is made aware of a clicked link or file download, the faster mitigations can be implemented to reduce the harm that can be caused.
One problem for businesses is employees are often fearful of reporting responses to phishing emails due to the potential for negative repercussions, such as disciplinary action. If reporting is delayed, then mitigations are also delayed, which can potentially have serious consequences. The UK’s National Cyber Security Centre (NCSC) has recently suggested that in order to address this issue, businesses need to change their mindset. At many businesses, employees are made to feel that it is their responsibility to identify and avoid phishing attempts when the reality is it is the responsibility of the employer to block threats by implementing a range of technical controls. Employees should be trained on how to identify phishing attempts of course, but in order to develop a strong reporting culture, employees must not be made to think that a failure to avoid a phishing threat is their fault. The NCSC also takes issue with the commonly provided advice that employees should not click hyperlinks in unsolicited emails as, in many cases, that is actually a requirement of their job.
Technical Recommendations for Protecting Against Phishing Attacks
So how should businesses combat phishing? What technical measures should be implemented to improve defenses and make it much harder for phishing attacks to succeed? TitanHQ has long recommended what the NCSC suggests, and that is phishing prevention requires a defense-in-depth approach, where multiple overlapping layers of protection are implemented. This is vital, as no single anti-phishing measure will be 100% effective, 100% of the time.
The NCSC recommends multiple technical measures, the most important of which are a spam filtering solution that scans all inbound emails for phishing signatures and the setting of DMARC and SPF policies, as these are effective at blocking the majority of phishing threats. TitanHQ’s SpamTitan solution incorporates DMARC, DKIM, and SPF for blocking phishing threats, machine learning for identifying zero-day threats, as has constantly updated blacklists of malicious IP addresses and domains. SpamTitan also has a sandbox for deep behavioral inspection of attachments, in addition to dual anti-virus engines.
The NCSC also recommends implementing web proxies or web filters to prevent employees from accessing malicious websites linked in phishing emails. SpamTitan Plus rewrites URLs in phishing emails and follows them, providing protection against these malicious links. The WebTitan DNS filter will block access to known malicious websites and will also prevent downloads of malicious or risky files from the Internet, such as executable files – another recommendation of NCSC.
While not often considered by businesses as a phishing prevention measure, a password manager does provide a degree of protection against phishing attacks that harvest credentials, so businesses should provide one for their employees to use and they should encourage employees to use it. Password managers suggest strong passwords and then autofill them when they are required. Since the password is tied to a specific URL or domain, if a user lands on a phishing site that spoofs a brand, the password manager will not auto-fill the password, since the URL/domain is not associated with that password. It is also important to ensure that multi-factor authentication is enabled. Ideally, businesses should opt for passwordless authentication with a FIDO token.
Additional safeguards that should be considered include allow-listing to prevent executable files from running from any directories that users can write them and configuring the Registry to ensure that dangerous scripting or file types are opened in Notepad and are not executed. NCSC also recommends using PowerShell in constrained mode, script signing, disabling the mounting of .iso files on endpoints, locking down the macro settings, and only allowing users to enable macros if they need to do so for their job. Businesses should also stay up to date on the latest threats and ensure that mitigations are implemented against those threats and that they are incorporated into security awareness training programs, as TitanHQ does with SafeTitan.
By implementing all of these mitigations and adopting a defense-in-depth approach it becomes less important that employees can recognize and avoid threats, although training is still important because one or more of the above measures may fail. Businesses should also avoid punishing employees for failing to identify phishing attempts, as that is likely to create a culture of fear rather than a culture of reporting threats.
TitanHQ can help businesses significantly improve their defenses and implement many of the NCSC recommendations for combatting phishing. For more information on TitanHQ solutions, give the team a call today, or take advantage of the free trials on all TitanHQ products.
Today is International Computer Security Day – A day when the focus is on improving cybersecurity and ensuring all computers and electronic devices are appropriately secured against the increasing number of cyber threats. It has only been 30 days since the end of Cybersecurity Awareness Month, but International Computer Security Day serves as a reminder of the importance of cybersecurity.
International Computer Security Day was the brainchild of the Association for Computer Machinery (ACM), which created this national day of recognition to raise public awareness of the importance of computer security. The first International Computer Security Day was in 1988 when computers were first starting to become widely used by businesses and governments, although were yet to become popular in homes, and a year before the world wide web came into existence. Fast forward 45 years, and not only are computers used extensively in homes, but devices are also now carried in pockets that are around 1,000 times faster than the Cray-2 supercomputer of the mid-80s!
The purpose of International Computer Security Day is to raise awareness of the need to secure all computers, whether they are PCs, laptops, smartphones, or IoT devices, and to empower users of these devices to secure their digital presence. International Computer Security Day is also an ideal time for businesses to take stock of their cybersecurity defenses and assess areas where improvements can be made, and to take the day to improve the awareness of employees and reemphasize the importance of cybersecurity in the workplace.
International Computer Security Day and Cybersecurity Awareness Month are concerned with raising awareness of cybersecurity and its importance for all individuals whenever they use their computer or access the Internet, not just during these national days and months of recognition, but throughout the year. Businesses can raise awareness at these times, but cybersecurity needs to be an ongoing conversation. Security awareness training programs should be running continuously throughout the year if they are to be truly effective.
Running a once-a-year training session for the workforce on computer security is useful, but these classroom-based training sessions have their limitations. A more effective strategy for security awareness training is to run computer-based training courses continuously, with training modules completed regularly throughout the year. If you choose a training platform that delivers training in short modules lasting no more than 10 minutes, these can easily be completed by employees without disrupting workflows. 2-3 three modules completed by each employee every month will only take up 20-30 minutes of their time, but this is likely to be far more effective than a 2-hour training session once a year at helping you to develop a security culture in the workplace, where employees stop and think about security before taking any action on a computer.
An even more effective way of training is to use a training platform that provides intervention training. The most effective training is provided instantly when a mistake is made, such as when an employee responds to a phishing email, saves sensitive data in an insecure location, or engages in any other risky cyber behavior. With the right training platform in place, when employees engage in these behaviors, the platform instantly sends them the relevant snippet of the company policy, along with a short training module relevant to that behavior or threat. This is important for correcting that behavior, as in many cases, the employee in question will not be aware that they have made a mistake. Don’t provide intervention training and that risky behavior is likely to be repeated.
SafeTitan from TitanHQ is a comprehensive security awareness training platform for businesses that has been proven to improve the security awareness of employees and reduce risky cyber behaviors and susceptibility to all common cyber threats. The platform is the only behavior-driven training platform to provide intervention training to employees in real time in response to risky behaviors and security mistakes. The platform automates the provision of that training to reduce admin time and ensures consistent and repeatable training is delivered.
The SafeTitan platform also includes a phishing simulator, for sending realistic dummy phishing emails to the workforce. These are proven to reinforce training by giving employees experience at recognizing and responding correctly to phishing threats. Through SafeTitan security awareness training, intervention training, and phishing simulations, staff susceptibility to phishing threats, ransomware, malware, BEC attacks, CEO spoofing is reduced by up to 92%.
If you want to make a real difference and greatly improve your human defenses, this International Computer Security Day take advantage of the free trial of SafeTitan and sample the training content and see for yourself how easy the platform is to use. Start using SafeTitan and Next International Computer Security Day your company will have a much stronger security posture and will be significantly more resilient to cyber threats.
One of the fastest areas of growth for Managed Service Providers (MSPs) is managed security services. The number of cyberattacks on businesses continues to increase and there is a major shortage of skilled cybersecurity staff. Further, the cost of hiring new talent can be prohibitively expensive for many small- and medium-sized businesses, who are turning to their MSPs to provide those services. Many MSPs have developed a technology stack to meet the demand and are offering managed security services such as identity protection and access management, endpoint security, spam filtering/email security, web security, data protection, network security, and mobile security, but one area that is often lacking in managed services is security awareness training. Currently, only 60% of MSPs offer security awareness training as part of their managed security services.
Technological solutions are implemented by MSPs to protect against hackers, malware, ransomware, and phishing attacks, and these solutions will detect and block the majority of threats, but it is not possible to prevent employees from encountering all threats. The workforce, therefore, needs to be prepared and be taught how to recognize the signs of phishing and other types of attacks, so that when these threats are encountered, they can be identified as such and avoided.
Studies conducted on companies that have conducted benchmarking phishing tests on employees prior to commencing security awareness training have shown that susceptibility to phishing attacks can be reduced considerably. Across all industry sectors, the average click rate for phishing is 37.9%. TitanHQ’s data shows that with regular security awareness training through the SafeTitan platform, susceptibility reduces to under 3%. Such a major reduction will significantly improve an organization’s security posture, yet as important as security awareness training is, a recent survey has shown that 57% of SMBs provide no security awareness training to their workforce whatsoever.
MSPs that do not offer security awareness training are missing out on easy, regular recurring revenue, and their clients are likely to be at risk of falling victim to phishing and other attacks that target employees. It is also worth noting that 69% of SMBs say they would hold their MSP accountable for a phishing attack!
TitanHQ Launches Security Awareness Training & Phishing Simulation Platform for MSPs
It has been a few months now since TitanHQ launched its new security awareness training and phishing simulation platform – SafeTitan. The initial launch was aimed at SMBs and enterprises to help them create an effective, ongoing security awareness training program for the workforce, and conduct phishing simulations to reinforce training, identify weak links, and track improvements over time.
The platform includes an extensive library of training content on a wide range of topics including security best practices, cyber hygiene, phishing, vishing, and smishing, to allow businesses to easily create training programs to match their needs and risk profiles. The training is gamified, engaging, and delivered in short (max 10-minute) modules, which makes security awareness training enjoyable, while allowing it to be easily fit into busy workflows.
While the platform is well suited to businesses of all sizes, from the smallest of businesses to large enterprises, the platform had to be developed further to meet the needs of MSPs. To make a truly MSP-friendly solution, TitanHQ worked closely with the MSP advisory council and TitanHQ’s extensive MSP customer base to discover exactly what MSPs need to be able to start delivering security awareness training and phishing simulations as a managed service, which lead to the addition of several important new features.
TitanHQ is now happy to announce that SafeTitan for MSPs has now officially been launched. The new product incorporates an intuitive MSP dashboard, through which campaigns can be easily managed. The dashboard gives MSPs real-time live analytics and allows quick actions to be performed.
The phishing simulation platform includes more than 1.8K phishing templates, taken from real-world phishing attempts, with the campaigns easy to schedule for a group of customers, to be run at set intervals every week, month, or year. The platform allows mass training campaigns to be developed, along with mass phishing simulations. The addition of the direct email injection (Graph API) feature allows MSPs to deliver their phishing simulations directly to user inboxes, without having to spend time and effort configuring allowed lists and firewalls.
MSPs also benefit from dynamic user management, so changes can be made quickly and easily to existing campaigns if new users need to be added. If any user fails a phishing simulation, they can be automatically enrolled in relevant training content to provide targeted training on the aspect of security relevant to the failure.
MSP clients will want to be provided with feedback on how their campaigns are progressing and the impact the training is having on phishing susceptibility, and to make this as easy as possible, the platform now includes scheduled reporting. Reports are automated and are sent to clients at regular intervals with no MSP interaction once configured.
Contact TitanHQ Today
If you have yet to add security awareness training and phishing simulations to your managed security services, contact TitanHQ today to find out more about SafeTitan for MSPs on +1 813 519 4430 (US) or +353 91 545555 (IRL).
TitanHQ has collected 5 awards for its cybersecurity solutions in the Expert Insights Fall 2022 ‘Best-Of’ Awards across 5 product categories.
Expert Insights is an online platform for businesses that provides independent advice on business software solutions to help businesses make informed purchasing decisions about software solutions. The advice provided on the website is honest and objective, and the site features helpful guides to help businesses purchase with confidence. The site is used by more than 85,000 businesses each month, with the website helping more than 1 million readers each year.
Twice yearly, Best-of awards are given to the top ten solutions in each of the 41 product categories. The awards showcase the best quality solutions that are helping businesses to achieve their goals and defend against the barrage of increasingly sophisticated cyberattacks. The awards are based on several factors, such as the features of products, market presence, ease of use, and customer satisfaction scores, with the award winners chosen by the in-house team of editors. The editorial team conducts research into each solution to assess its performance, functionality, and usability, and assesses the reviews from genuine business users of the solutions.
TitanHQ collected five awards for its products in the Spring 2022 Best-of awards, and this has been followed up with another 5 Fall 2022 Best-of awards. TitanHQ was given a Best-of award for SafeTitan in the Phishing Simulation and Security Awareness Training categories, SpamTitan Cloud received an award in the Email Security category, WebTitan Cloud got an award in the Web Security category, and ArcTitan won in the Email Archiving category. Further, ArcTitan Email Archiving was rated the top solution in the Email Archiving category and SpamTitan was rated the top solution in the Email Security category.
There were several big winners at the Fall 2022 Expert Insights Best-of awards, with TitanHQ joining companies such as ESET, CrowdStrike, and Connectwise in winning big.
“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving” said TitanHQ CEO, Ronan Kavanagh. “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base”.
Technology is vital for defending against cyberattacks, but it is important not to neglect employee training. Training the workforce on how to recognize and avoid threats should be a key part of your security strategy, but if you want to get the best return on your investment it is important to avoid these common security awareness training mistakes.
Why Security Awareness Training is Essential
Data from the ransomware remediation firm, Coveware, shows phishing is the main way that ransomware gangs gain initial access to business networks, and IBM reports that phishing is the main way that data breaches occur. In 2021, 40% of all data breaches started with a phishing email. Businesses should implement technologies to block these attacks, such as a spam filter, antivirus software, and a web filter; however, even with these defenses in place, threats will arrive in inboxes, they can be encountered over the Internet, or via instant messaging services, SMS, or over the phone. Unless you totally isolate your business from the outside world, employees will encounter threats.
It is therefore important to provide security awareness training to teach employees how to recognize and avoid threats and to educate them on cybersecurity best practices that they should always follow. Security awareness training is concerned with equipping employees with the skills they need to play their part in the overall security of the organization, to give them practice at detecting threats, and build confidence. Through training, you can create a human firewall to add an extra layer to your cybersecurity defenses.
Security Awareness Training Mistakes to Avoid
It is important to avoid these common security awareness training mistakes, as they can seriously reduce the effectiveness of your training.
Creating a training course that covers all security best practices and threats to educate the workforce is important, but if you want to change employee behavior and get the best return on your investment, it is important to ensure that your training is effective. If you provide a once-a-year training session, after a few weeks the training may be forgotten. One of the most common mistakes with security awareness training is not providing training often enough. Training should be an ongoing process, provided regularly. You should therefore be providing training regularly in small chunks. A 10-minute training session once a month is much more likely to change behavior than a once-a-year training session.
Not making training fun and engaging
Cybersecurity is a serious subject, but that does not mean that training cannot be enjoyable. If your training course is dull and boring, your employees are likely to switch off, and if they are not paying attention, they will not take the training on board. Use a third-party security awareness training course that includes interactive, gamified, and fun content that will engage employees, and use a variety of training materials, as not everyone learns in the same way.
Using the same training course for all employees
Don’t develop a training course and give the same course to everyone. Use a modular training course that teaches the important aspects of security, but tailor it to user groups, departments, and roles. Training should be relevant. There is no point in training everyone how to recognize specific threats that they will never encounter.
Not conducting phishing simulations
Training and then testing is important to make sure that the training content has been understood, but that is unlikely to change employee behavior sufficiently. The best way to reinforce training and change employee behavior is by conducting phishing simulations. These simulations should be relevant, reflect real-world threats, and should be conducted regularly. Phishing simulations will show you how employees respond to threats when they are completing their work duties and are not in a training setting. If a phishing simulation is failed, it is a training opportunity. Provide targeted training to employees who fail, specific to the mistake they made.
Not providing training in real-time
Intervention training is the most effective. When an employee makes a security mistake, training should be automatically triggered, such as when an employee fails a phishing simulation or takes a security shortcut. If the employee is immediately notified of the error and is told where they went wrong, that will be much more effective at changing behavior than waiting until the next scheduled training session.
Speak with TitanHQ About Security Awareness Training
TitanHQ offers a security awareness training and phishing simulation platform for businesses – SafeTitan – that makes workforce training simple. The platform includes an extensive library of gamified, fun, and engaging content on all aspects of security to allow businesses to create customized training for all members of the workforce and automate phishing simulations.
The platform is easy to set up, use, and customize, and the platform is the only security awareness training solution that provides intervention training in real-time in response to employees’ security errors. For more information contact TitanHQ and take the first step toward creating a human firewall.
Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.
BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.
Anatomy of a BEC Attack
BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.
With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.
A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.
How to Improve Your Defenses Against BEC Attacks
Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.
Use an Email Security Solution with Outbound Scanning
An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.
Implement Robust Password Policies and MFA
Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.
Provide Security Awareness Training to the Workforce
Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.
Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.
Set Up Communication Channels for Verifying Transfer Requests
Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.
Speak to TitanHQ about Improving Your Defenses Against BEC Attacks
TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.
Phishing is mostly conducted via email; however, a recent data breach at the cloud communication company Twilio demonstrates that phishing can be highly effective when conducted using other popular communication methods, such as SMS messages.
An SMS phishing attack – known as SMiShing – involves sending SMS messages with a link to a malicious website with some kind of lure to get people to click. Once a click occurs, the scam progresses as an email phishing attack does, with the user being prompted to disclose their credentials on a website that is usually a spoofed site to make it appear genuine. The credentials are then captured and used by the attacker to remotely access the victims’ accounts.
Twillio provides programmable voice, text, chat, video, and email APIs, which are used by more than 10 million developers and 150,000 businesses to create customer engagement platforms. In this smishing attack, Twilio employees were sent SMS messages that appeared to have been sent by the Twilio IT department that directed them to a cloned website that had the Twilio sign-in page. Due to the small screen size on mobile devices, the full URL is not displayed, but certain keywords are added to the URLs that will be displayed to add realism to the scam. The URLs in this campaign included keywords such as SSO, Okta, and Twilio.
According to Twilio EMEA Communications director, Katherine James, the company detected suspicious account activity on August 4, 2022, and the investigation confirmed that several employee accounts had been accessed by unauthorized individuals following responses to the SMS messages. The attackers were able to access certain customer data through the Twilio accounts, although James declined to say how many employees were tricked by the scam and how many customers had been affected.
Twilio was transparent about the data breach and shared the text of one of the phishing emails, which read:
Notice! [redacted] login has expired. Please tap twilio-sso-com to update your password!
The text messages were sent from U.S. carrier networks. Twilio contacted those companies and the hosting providers to shut down the operation and take down the malicious URLs. Twilio said they were not the only company to be targeted in this SMS phishing campaign, and the company worked in conjunction with those other companies to try to shut the operation down; however, as is common in these campaigns, the threat actors simply switch mobile carriers and hosting providers to continue their attacks.
The smishing attack and data breach should serve as a reminder to all businesses of the risk of smishing. Blocking these types of phishing attacks can be a challenge for businesses. The best starting point for improving your defenses is to provide security awareness training for the workforce. Security awareness training for employees usually has a strong emphasis on email phishing, since this type of phishing is far more common, but it is important to also ensure that employees are trained on how to recognize phishing in all its forms, including smishing, social media phishing, and voice phishing – vishing – which takes place over the telephone.
The easiest way to do this is to work with a security vendor such as TitanHQ. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – with an extensive range of training content on all aspects of security, including smishing and voice phishing. The training content is engaging, interactive, and effective at improving cybersecurity understanding, and SafeTitan is the only security awareness training platform that delivers training in real-time in response to the behavior of employees. The platform also includes a phishing simulator for automating simulated phishing tests on employees.
For more information about improving security awareness in your organization, contact TitanHQ today.
A new phishing campaign is being conducted that abuses trust in cybersecurity companies. The campaign uses scare tactics to get company employers to pick up the phone and speak to the cybersecurity vendor about a recently detected data breach and potential workstation compromise.
It is becoming increasingly common for phishing scams to involve initial contact via email with requests to make a call. This tactic is often used in tech support scams, where victims are convinced they have a malware infection or another serious security issue on their device, and they are tricked into downloading malicious software such as Remote Access Trojans (RATs).
RATs give the attackers access to the user’s computer, and that access can be abused by the attacker or the access can be sold to other threat groups such as ransomware gangs. Affiliates of ransomware-as-a-service operations may use this technique to conduct attacks and are then paid a percentage of any ransom payments they generate.
In this campaign, the impersonated companies are very well-known providers of enterprise security solutions, such as CrowdStrike, and the emails are very well written and convincing. They claim that a data breach has been detected that affected the part of the cybersecurity provider’s network associated with the customer’s workstation and warns that all workstations on the network may have been compromised. As such, the cybersecurity company is conducting an audit.
The emails claim that the cybersecurity vendor has reached out to the IT department, which has instructed the vendor to contain individual users directly. The emails claim that the audit is necessary for compliance with the Consumer Privacy Act of 2018 (CCPA) and other regulations and that the agreement between the targeted individual’s company and the cybersecurity vendor allows it to conduct regular audits and security checks. A phone number is provided for the individual to make contact, and the email includes the correct corporate logo and genuine address of the cybersecurity vendor.
CrowdStrike reports that a similar scam has been conducted by the Wizard Spider threat group, which was responsible for Ryuk ransomware attacks. That campaign delivered BazarLoader malware, which was used to deliver the ransomware payload.
This type of phishing attempt is known as callback phishing. This technique can be effective at bypassing email security solutions since the emails contain no malicious content – There are no hyperlinks and no file attachments. This scam highlights the importance of conducting security awareness training on the workforce to help employees identify and avoid phishing scams.
How TitanHQ Can Help
TitanHQ provides a range of security solutions for blocking phishing attacks, including SpamTitan Email Security, WebTitan DNS Filtering, and the SafeTitan Security Awareness and Phishing Simulation Platform.
SafeTitan has an extensive library of interactive, gamified, and engaging training content for improving security awareness of the workforce, including phishing and the full range of cyberattacks that employees are likely to encounter. The training is delivered in easily assimilated modules of no more than 8 to 10 minutes, and training can be delivered in real-time in response to risky user behaviors to nip bad security practices in the bud. The platform also includes hundreds of phishing templates for conducting and automating phishing simulations on the workforce, to gain insights into the individuals who are susceptible to phishing attacks and any knowledge gaps.
For more information on improving your defenses against phishing attacks, review our solutions in the links at the top of this page or give the team a call. Products are available on a free trial and demonstrations can be arranged on request.
Phishing can take many forms and while email is the most common vector used in these scams, other types of phishing such as voice phishing (vishing), SMS phishing (Smishing), and social media phishing increasing. In particular, there has been a recent spike in social media phishing attempts.
The threat from email phishing can be greatly reduced with an email security solution; however, these solutions will do nothing to block vishing, smishing, and social media phishing attempts. Businesses can improve their defenses by also using a DNS filtering solution. DNS filters block attempts to visit malicious websites and work in tandem with email security solutions to block email phishing and can also block the web-based component of smishing attacks and social media phishing to a certain extent. Unfortunately, since the social media networks where phishing takes place are not malicious websites, it will not prevent people from encountering phishing attempts.
This is why security awareness training is so important. Security awareness training gives employees the skills they need to recognize and avoid phishing attempts, no matter where the phishing attack is conducted. By training the workforce on security threats, risky behaviors can be eradicated, and employees can be taught the signs of phishing to look out for. The SafeTitan Security Awareness Training platform also delivers training in real-time, in response to risky behaviors by employees. This ensures training is delivered instantly when risky behavior is detected and training is likely to have the greatest benefit.
Social Media Phishing
Two social media phishing campaigns have recently been identified by researchers at Malwarebytes, the goal of which is to obtain the credentials for social media accounts. If the credentials are disclosed, the attacker can access the victim’s account and use it to conduct further attacks on the victim’s followers. If the credentials for a corporate social media account are stolen, attacks could be conducted on all the company’s followers. These attacks abuse the trust customers have in the company. The two campaigns have been conducted on Twitter and Discord users. Both use social engineering to trick people into disclosing their account credentials.
Twitter Phishing Campaign
In the Twitter campaign, the scammer sends a direct message to the user informing them that their account has been flagged for hate speech and threatens an immediate suspension of the account unless action is taken. The user is told that they must authenticate the account via the Twitter Help Center, a link for which is provided in the message. The link directs the user to a phishing page that spoofs Twitter where they are asked to log in. If they do, their credentials will be captured.
Discord Phishing Campaign
The Discord campaign sees a message sent from either a contact of the victim using a compromised Discord account or from strangers. The account owner is accused of disseminating explicit photographs and the sender says they are going to block the account until an explanation is provided. A link is provided to a server where the recipient has allegedly been named and shamed. If the message recipient tries to respond to the message, their message will not be sent as they will have been blocked, increasing the likelihood of their clicking the link to the server.
Victims are required to log in via a QR code and once they have attempted that they are locked out of their accounts, which are then under the full control of the scammer. The scammer is then free to use the legitimate account to continue their scam on all the victims’ contacts. Social media scams such as these try to scare or shame users into responding. This tactic can be very effective, even if the user has never said a bad word on Twitter or sent an explicit photograph to anyone on Discord.
Other Social Media Phishing Campaigns
Phishing can – and does – occur on all social media platforms. One scam that has proven successful targets Instagram users and offers them the verified Instagram badge. In order to receive the badge, they are required to log in to verify their identity, naturally via a malicious link. Doing so will allow the scammer to take full control of the user’s Instagram account.
It is a similar story on LinkedIn. One of the most common scams involves impersonating a company and sending a message to an individual about a job offer, or a message suggesting they have been headhunted. Fake connection requests are also common. In this scam, the user is provided with a link to a scam site that spoofs LinkedIn and again is conducted to harvest credentials.
On Facebook, phishing scams are rife but often they seem innocuous. If you use Facebook, you will no doubt have seen countless posts asking site users to determine their band name, porn star name, pirate name, etc., by providing information such as the month and year of birth. Posts asking what was your first car? Where did you grow up? What was your favorite teacher’s name? and many more do not seek credentials, but the information disclosed can be used to answer security questions that are asked in order to recover accounts. These scams also make brute force attacks to guess passwords so much easier.
Dangers of Social Media Phishing
The loss of access to a social media account may not be the end of the world and is likely far better than having a bank account emptied, but the damage caused can be considerable. Many small businesses rely on social media for publicity and generating sales, and the loss of an account or scamming of customers can be devastating. The passwords used for social media accounts are often reused across multiple platforms. Scammers often conduct credential stuffing attacks on other platforms and accounts using the same password. Fall victim to a social media phishing scam and many other accounts could be compromised.
Blocking social media phishing attacks can be a challenge. You should also ensure that two-factor authentication is enabled on social media accounts, consider restricting who can send direct messages to your account, and who can view your profiles. If you encounter a scam, be sure to report it.
For businesses, employees with access to corporate social media accounts should be given specific training on social media phishing to ensure they can recognize and avoid phishing scams. The SafeTitan Security Awareness Training platform makes this simple and helps businesses instantly correct risky behaviors through the automated delivery of a relevant training course in real-time. The platform has a wealth of engaging, gamified training content and a phishing simulation platform for testing resilience to phishing attacks.
For more information on SafeTitan and improving your phishing defenses through the use of an email security solution and DNS filtering, give the TitanHQ team a call today.
Cybercriminals are constantly changing tactics and lures in their phishing campaigns, so it is no surprise to see a new technique being used by affiliates of the Lockbit ransomware-as-a-service operation. A campaign has been identified by researchers at AhnLab in Korea that attempts to deliver a malware loader named Bumblebee, which in turn is used to deliver the LockBit 2.0 ransomware payload.
Various lures are used in phishing campaigns for delivering malware loaders, with this campaign using a warning about a copyright violation due to the unauthorized use of images on the company’s website. As is common in phishing emails, the emails contain a threat should no action be taken – legal action. Emails that deliver malware loaders either use attached files or contain links to files hosted online. The problem with attaching files to emails is they can be detected by email security solutions. To get around this, links are often included. In this case, the campaign uses the latter, and to further evade detection, the linked file is a password-protected archive. This is a common trick used in malware delivery via email to prevent the file from being detected as malicious by security solutions, which are unable to open the file and examine the contents. The recipient of the message is provided with the password to open the file in the message body.
The password-protected zip file contains a file that masquerades as a PDF file, which the user is required to open to obtain further information about the copyright violation. However, a double file extension is used, and the attached file is actually an executable file, which will deliver the Bumblebee loader, and thereafter, LockBit 2.0 ransomware.
These types of phishing attacks are all too common. Believable lures are used to trick people into taking the requested action, a threat is included should no action be taken, and multiple measures are used to evade security solutions. Any warning about a copyright violation must be taken seriously but as with most phishing emails, there are red flags in this email that suggest this is a scam. Security-aware employees should be able to recognize the red flags and while they may not be able to confirm the malicious nature of the email, they should report such messages to their IT department or security team for further investigation. However, in order to be able to identify those red flags, employees should be provided with security awareness training.
Through regular training employees will learn the signs of phishing emails, can be conditioned to always report the emails to their security team, and can be kept abreast of the latest tactics used in phishing emails for malware delivery. It is also recommended to conduct phishing simulations to test whether employees are being fooled by phishing attempts. If employees fail phishing simulations it could indicate issues with the training course that need to be addressed, or that certain employees need to be provided with additional training. Through regular security awareness training and phishing simulations, businesses can create a human firewall capable of detecting phishing attempts that bypass the organization’s email and web security defenses.
TitanHQ can provide assistance in this regard through the SafeTitan Security Awareness Training and Phishing Simulation Platform – Further information on the solution can be found here.
If you want to create a culture of security in your organization, you need to provide comprehensive security awareness training to teach employees the skills they will need to be able to identify and avoid cyber threats. It is also important to conduct phishing simulations on all members of the workforce.
Phishing simulations are realistic but fake phishing emails that are sent to employees to determine the level of security awareness of the organization, assess whether employee security awareness training has been effective, identify any gaps in knowledge that need to be addressed, and to identify any individuals who require further training.
If phishing simulations are not used, organizations will be unaware whether their training has worked and has reduced the susceptibility of the workforce to phishing attacks, and gaps in knowledge could exist that could easily be exploited in real world phishing attacks.
Sending phishing emails to employees to see if they click links or open potentially malicious attachments is important, but to get the full benefits of phishing simulation exercises you need to create a structured phishing simulation program. To help you get started we have provided some tips on how to run effective phishing simulations in the workplace, and highlight some areas where businesses go wrong.
How to Run Effective Phishing Simulations at Work
One of most common assumptions made about phishing simulations is that in order to determine whether employees will respond to genuine phishing emails, employees should not be aware that you will be conducting phishing simulations. That is a mistake. When employers conduct phishing simulations on an unsuspecting workforce, it has the potential to backfire.
Employees often feel like they are being targeted and it can create friction between employees and the IT department, and that is best avoided. You should warn employees when you provide training that part of the training process will involve phishing simulations and that the simulations are not being conducted to catch employees out but to assess how effective training has been. Do not provide specific notice when you are conducting campaigns, just make the workforce aware that you do periodically run phishing simulations.
When you conduct phishing simulations, the emails you send need to be realistic. You should use templates that are based on real-world phishing attacks, after all, the aim of the simulations is to determine if employees will fall for real phishing emails. You should use a variety of lures and send different types of phishing emails, including emails with links, attachments, and Word documents with macros. You should also vary the difficulty of the simulations and include targeted spear-phishing attacks.
Before sending simulated phishing emails to the workforce, test out the emails in small numbers, as this will allow you to correct any problems. Do not send the same email to everyone at the same time, as this often results in employees tipping each other off and will not give you accurate data. Vary the emails you send in any one campaign, and this can be avoided. Each email should include at least two red flags that will allow it to be identified as a phishing attempt. Be careful about the lures you choose. If you send an email offering a pay rise – there are genuine phishing campaigns that do this – be prepared for a backlash, as such a campaign is likely to cause upset. These types of phishing simulations are best avoided.
The first phishing campaigns you send should serve as a baseline against which you can measure how awareness improves over time, so use a moderately difficult phishing attempt, not an incredibly difficult spear phishing email. Anyone can be fooled by a phishing email so ensure that everyone is part of the program, including board members. They too need to be taught how to recognize phishing emails and be tested to see how security aware they are. The C-suite is the top target for phishers.
It is important not to name and shame employees that fail phishing simulations. A failed phishing simulation should be seen as an opportunity for further training, not a reason for punishing an employee. If you opt for positive rather than negative reinforcement, you are likely to get much better results.
Security Awareness Training and Phishing Simulations from TitanHQ
SafeTitan from TitanHQ is a comprehensive security awareness training platform with an extensive library of training courses, videos & quizzes. The content is highly interactive and fun, with short and efficient testing and a phishing simulation platform with hundreds of real-world phishing templates to use. SafeTitan is also the only behavior-driven security awareness solution that delivers security training in real-time. Phishing simulations have shown that SafeTitan reduces staff susceptibility to phishing by up to 92%.
For more information and to arrange a product demonstration, give the TitanHQ team a call.
On June 7, TitanHQ, in partnership with the Oxford Cyber Academy, will be hosting a webinar to discuss employee cyber risks in growing organizations, and how to balance safety and agility.
Organizations are facing an increasing number of threats when trying to stay agile, competitive, and innovative in a digital world, and for small- and medium-sized businesses, those threats have significant potential to threaten growth. Businesses of all sizes are being targeted by cyber threat actors, and successful attacks can cause significant damage to a business’s hard-won market reputation and operations. Those threat actors target a common weak point in security defenses – employees. Digital security needs to be front and center of your continued innovation, but it can be a challenge to stay competitive whilst sustaining a cyber-savvy workforce. Help is at hand, however.
During this webinar, attendees will be provided with valuable information on the changing nature of the cyber threats facing small- and mid-sized businesses and will discover what they need to protect, what they have to lose if they fail to protect it, how to balance technology and human cyber risks, and how to improve employee security awareness and achieve measurable changes in employee behavior through easy, intuitive, personalized and targeted training that is delivered where it’s needed the most.
Join TitanHQ on June 7th where Nick Wilding, Neil Sinclair, Cyber Programme Lead, UK Police Crime Prevention Initiatives, and Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy will discuss:
If you can’t make the event, register anyway and you will receive the webinar to watch on-demand at any time.
Phishing is commonly used to gain access to credentials to hijack email accounts for use in business email compromise (BEC) attacks. Once credentials have been obtained, the email account can be used to send phishing emails internally, with a view to obtaining the credentials of the main target. Alternatively, by spear phishing the target account, those steps can be eliminated.
If the credentials are obtained for the CEO or CFO, emails can be crafted and sent to individuals responsible for wire transfers, requesting payments be made to an attacker-controlled account. A common alternative is to target vendors, in an attack referred to as vendor email compromise (VEC). Once access is gained to a vendor’s account, the information contained in the email accounts provides detailed information on customers that can be targeted.
When a payment is due to be made, the vendor’s email account is used to request a change to the account for the upcoming payment. When the payment is made to the attacker-controlled account, it usually takes a few days before the non-payment is identified by the vendor, by which time it may be too late to recover the fraudulently transferred funds. While BEC and VEC attacks are nowhere near as common as phishing attacks, they are the leading cause of losses to cybercrime due to the large amounts of money obtained through fraudulent wire transfers. One attack in 2018 resulted in the theft of $23.5 million dollars from the U.S. Department of Defense.
In this case, two individuals involved in the scam were identified, including a Californian man who has just pleaded guilty to six counts related to the attack. He now faces up to 107 years in jail for the scam, although these scams are commonly conducted by threat actors in overseas countries, and the perpetrators often escape justice. The scam was conducted like many others. The BEC gang targeted DoD vendors between June 2018 and September 2018 and used phishing emails to obtain credentials for email accounts. An employee at a DoD vendor that had a contract to supply Aviation JA1 Turbine fuel to troops in southeast Asia for the DoD received an email that spoofed the U.S. government and included a hyperlink to a malicious website that had been created to support the scam.
The website used for the scam had the domain dia-mil.com, which mimicked the official dla.mil website, and email accounts were set up on that domain to closely resemble official email accounts. The phishing emails directed the employee to a cloned version of the government website, login.gov, which harvested the employee’s credentials. The credentials allowed the scammer to change bank account information in the SAM (System for Award Management) database to the account credentials of the shell company set up for the scam. When the payment of $23,453,350 for the jet fuel was made, it went to the scammers rather than the vendor.
Security systems were in place to identify fraudulent changes to bank account information, but despite those measures, the payment was made. The SAM database is scanned every 24 hours and any bank account changes are flagged and checked. The scammers learned of this and made calls to the Defense Logistics Agency and provided a reason why the change was made and succeeded in getting the change manually approved, although flags were still raised as the payment was made to a company that was not an official government contractor. That allowed the transfer to be reverted. Many similar scams are not detected in time and the recovery of funds is not possible. By the time the scam is identified, the scammers’ account has been emptied or closed.
The key to preventing BEC and VEC attacks is to deal with the issue at its source to prevent phishing emails from reaching inboxes and teach employees how to identify and avoid phishing scams. TitanHQ can help in both areas through SpamTitan Email Security and the SafeTitan security awareness training and phishing simulation platform. Businesses should also implement multifactor authentication to stop stolen credentials from being used to access accounts.
Providing security awareness training to the workforce is necessary for compliance and is often a requirement for getting cybersecurity insurance, but the real purpose of security awareness training is to reduce risk and avoid costly cyberattacks and data breaches.
To get the full benefits you need an effective security awareness training program, where susceptibility to phishing attacks is reduced and your resilience to cyberattacks targeting employees is significantly improved. To help you, we offer some top tips for creating an effective security awareness training program.
Security Awareness Training Must be a Continuous Process
Security awareness training should not be seen as a checkbox item for compliance. To be effective, training needs to be an ongoing process, where the training is reinforced over time. That if unlikely to happen with a once-a-year training session. Another reason for providing ongoing training is cyber threat actors are constantly changing their tactics and regularly come up with new scams. It would be unreasonable to expect employees to be able to recognize these new threats if they have not been covered in training sessions. Through regular training, provided in bite-sized chunks, you can make your employees are made aware of the latest threats which will help them to recognize them when they are encountered.
Make Sure Your Training Content is Interesting
Different employees will respond to different training methods. A classroom-based training session may be good for some employees, but others will respond better to computer-based training, infographics, videos, and quizzes. Keep your training varied to make sure it appeals to a wide audience and try to make the training interesting and engaging to improve knowledge retention, such as using storytelling to trigger emotions and the imagination, and don’t be afraid to use humor. Cybersecurity can be a pretty dry topic for many people and if they can enjoy it, they are more likely to retain the information and apply the training on a day-to-day basis.
Get Buy-in from the C-Suite
If you want to create a security culture in your organization, you will need to get buy in from the C-suite. Any change in culture in an organization needs to start at the top. The C-Suite must be made aware of the importance of security awareness training and cybersecurity, and using data is usually the best approach. Using a security awareness training company that can provide data on the effectiveness of training at reducing risk will help. You will be able to prove the return on investment you are likely to achieve.
Conduct Phishing Simulations After Providing Training
Providing security awareness training is only one step toward developing a security culture and reducing risk. You also need to conduct tests to determine whether your training is being applied on a day-to-day basis, and the best way to test that is with phishing simulations. Conduct realistic simulations to determine whether the training has been effective. If employees fail simulations, provide extra training.
Do Not Punish Employees for Failing Phishing Simulations
Many companies operate a three strikes and you’re out policy for failing phishing simulations or penalize employees in other ways for falling for phishing emails. Around 40% of organizations take disciplinary action against employees for cybersecurity errors such as phishing simulation failures. Punishing employees for failing to identify phishing simulations often does not have the desired effect.
If you want to encourage employees to be more security-aware and create a security culture, creating a culture of fear is unlikely to help. This approach is likely to cause stress and anxiety, which can lead to the creation of a hostile working environment, and that does not help employees become more security aware. Further, when mistakes are made, employees will be much less likely to report their mistakes to the security team out of fear of negative consequences.
Conduct Real-Time Security Awareness Training
Training is likely to be most effective immediately after employees have made a mistake. By using a security awareness training solution such as SafeTitan, the only behavior-driven security training solution that delivers contextual training in real-time, you can deliver relevant training immediately and explain how a mistake was made and how similar errors can be avoided in the future. For instance, if an employee is discovered to be downloading free software from the Internet, an immediate alert can be delivered explaining why it is not allowed and the risks of installing software without approval from the IT department. If a phishing simulation is failed, employees can be alerted immediately, and it can be turned into a relevant training session.
Benchmark to Learn the Effectiveness of Security Awareness Training
Businesses conduct security awareness training to reduce susceptibility to phishing attacks and other cyber threats, but to gauge the effectiveness of the training there must be a benchmark to measure against. Conducting phishing simulations prior to providing training will allow you to measure how effective the training has been. You can use pre-training simulations to determine how many employees are falling for scams and the percentage of simulated phishing emails that are being reported. You can then reassess after providing training and can determine exactly how effective the training has been.
Security Awareness Training and Phishing Simulations are Not Enough
Providing regular security awareness training and conducting phishing simulations are important for improving resilience to cyber threats and will allow you to prove training has been provided for compliance or insurance purposes, but you also need to make sure that training has been absorbed by employees. Don’t just provide training – use quizzes to assess whether the training has been absorbed. You should also analyze the results of phishing simulations to identify any knowledge gaps that need to be addressed with future training courses. If employees are still falling for a certain type of scam, it could be your training that is the issue.
For more information about security awareness training, conducting phishing simulations, and to discover the benefits of real-time security awareness training, contact TitanHQ today for more information about SafeTitan. You can also take advantage of a free trial of the solution before deciding on a purchase.
It is important for security to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. The reason why phishing attacks are successful is that they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox and for the recipient to click a link in the email or open a malicious attachment for a threat actor to get the foothold they need in your network.
The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.
Phishing emails are used to achieve one of three aims: To trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.
Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.
Security Awareness Training Improves Resilience to Phishing Attacks
The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance, it is one of the most important steps to take to improve your organization’s security posture and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.
One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees that require further training and the simulations will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.
SafeTitan Security Awareness Training & Phishing Simulations
TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time and will greatly improve resilience to social engineering and advanced phishing attacks.
If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.
TitanHQ, the leading cybersecurity SaaS business, today announced its acquisition of Cyber Risk Aware. Established in 2016, Cyber Risk Aware is a global leader in security awareness and mitigation of human cyber risk, providing assistance to companies to train the workforce on how to protect the company network.
Cyber Risk Aware delivers real-time cyber security awareness training to staff in response to actual staff network behavior. This intuitive and real-time security awareness training reduces the likelihood users will be impacted by the latest threats such as ransomware, BEC attacks, and data breaches, whilst also enabling organizations to meet compliance obligations. Leading global businesses that trust Cyber Risk Aware include Standard Charter, Glen Dimplex, and Invesco.
The acquisition will further bolster TitanHQ’s already extensive cybersecurity offering. The combination of intelligent security awareness training with phishing simulations and TitanHQ’s advanced email protection and DNS security solutions creates a powerful, multi-layered cybersecurity platform that secures end users from compromise. This is the go-to cybersecurity platform for IT Managed Service Providers and internal IT teams.
“This is a fantastic addition to the TitanHQ team and solution portfolio. It allows us to add a human protection layer to our MSP Security platform, with a fantastic feature-rich solution as demonstrated by the high caliber customers using it. Stephen and his team have built a great company over the years, and we are delighted to have them join the exciting TitanHQ journey.” said TitanHQ CEO Ronan Kavanagh.
The solution is available to both new and existing customers and MSP partners at TitanHQ.com and has been re-branded as SafeTitan, Security Awareness Training. Cyber Risk Aware existing clients are unaffected and will benefit from improvements in the platform in terms of phishing simulation content and an exciting, innovative product roadmap.
Stephen Burke, CEO of Cyber Risk Aware, commented: “I am incredibly proud that Cyber Risk Aware has been acquired by TitanHQ, cybersecurity business that I have greatly admired for a long time. Today’s announcement is fantastic news for both our clients and partners. We will jointly bring together a platform of innovative security solutions that address the #1 threat vector used by bad actors that cause 99% of security breaches, “End User Compromise”. When I first started Cyber Risk Aware, my aim was to be the global security awareness leader in delivering the right message, to the right user at the right time. Now as part of TitanHQ, I am more excited than ever about the unique value proposition we bring to market”.
For more information on TitanHQ’s new Security Awareness Solution, visit www.TitanHQ.com/SafeTitan