The frequency and sophistication of phishing campaigns continue to grow. Thanks to training provided by the organization, users have become significantly better at knowing what to look out for and what to do if they receive a phishing attempt.
One of the latest methods uses an old phishing tactic: notifying users of a fake account lockout or a required reset. This common method immediately concerns users because they fear being locked out of their accounts. It is an example of using fear to trick users into following a malicious link and/or signing in to a fake login page.
To take it a step further, phishing scams now raise the level of urgency by showing a timer and warning the user that they have only 1 hour to follow the instructions before their account is locked out. Such a short timespan rushes users into quick decisions that lead to costly mistakes.
The countdown timer and link convince the victim to enter their login credentials, and the site either accepts the password or says that the user has entered the wrong password. Either way, the attacker steals the data.
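A mail-triage heuristic for the lure described above, as an added example that is not part of the original article: it flags a message only when lockout wording, a short deadline or countdown, and a link outside the organization's own sign-in domains appear together. The trusted domains, the 24-hour threshold and both sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the organization's real sign-in domains (placeholder values).
TRUSTED_DOMAINS = {"example.com"}

LOCKOUT = re.compile(
    r"lock(?:ed)?[ -]?out|account (?:will be |has been )?(?:locked|suspended|disabled)"
    r"|password (?:reset|expir\w+)|reset (?:is )?required", re.I)
# Either "N minutes/hours" wording or a rendered hh:mm:ss countdown.
DEADLINE = re.compile(
    r"\b(\d{1,3})\s*(minutes?|mins?|hours?|hrs?)\b|\b\d{1,2}:\d{2}:\d{2}\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def short_deadline(body, max_minutes=24 * 60):
    """True if the text states a deadline of max_minutes or less, or shows a timer."""
    for m in DEADLINE.finditer(body):
        if m.group(1) is None:          # hh:mm:ss form; also matches plain timestamps
            return True
        per_unit = 60 if m.group(2).lower().startswith("h") else 1
        if int(m.group(1)) * per_unit <= max_minutes:
            return True
    return False

def untrusted_hosts(body):
    """Hosts of links that are neither a trusted domain nor a subdomain of one."""
    hosts = []
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            hosts.append(host)
    return hosts

def triage(body):
    """Return the lure signals present in a message body."""
    signals = []
    if LOCKOUT.search(body):
        signals.append("lockout_theme")
    if short_deadline(body):
        signals.append("short_deadline")
    if untrusted_hosts(body):
        signals.append("untrusted_link")
    return signals

def is_suspect(body):
    # All three together match the lure; one alone is common in legitimate mail.
    return len(triage(body)) == 3

# Constructed sample messages (not real traffic).
PHISH = ("Your account will be locked. You only have 1 hour to verify: "
         "https://example-login.test/reset  Time remaining 00:59:41")
LEGIT = ("Reminder: your password expires in 14 days. "
         "Change it at https://login.example.com/password")
```

A hit is a reason to quarantine or banner the message for review, not a verdict: the patterns are English-only and an attacker can reword around them.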
The CIS Controls (referenced below) include guidance on best practices for training users and staff to identify malicious emails and phishing scams. If you are following the CIS framework, you should be familiar with Control 14 and have implemented the safeguards that specifically cover Security Awareness and Skills Training. This includes training users when they are hired and at least once a year. Most businesses conduct training every quarter or more often, so users are always aware of the latest threats and can easily identify and avoid falling victim to them.
There are many service providers (e.g., Wizer, Mimecast, KnowBe4) that offer comprehensive Security Awareness Training platforms to help organizations meet these best practices. These platforms allow IT teams to easily configure and deploy training in an automated fashion to all users across the organization. The training content is interesting, engaging and always up to date, so it includes current best practices and tips. There are also excellent features for tracking and reporting to ensure users complete the training. If you are just looking to get started for free, be sure to check out Wizer, which has a free subscription you can sign up for. Amazon and a few other companies have also put together free training that can be utilized. Check out the links below to look into some of these options further.
See the list of references below.