If you are being repeatedly targeted by a phishing attack, chances are you will eventually click. And if you end up infected, often times your computer will show no obvious signs of the virus or bot. What can you do?

“Plain and simple, spear phishing attacks work. With humans involved, completely eliminating this attack vector may not be possible. But, heeding advice from trusted experts will help stem the tide.”



Michael Kassner

“A recent report by the Ponemon Institute puts the average cost of recovering from a successful phishing attack at $300,000.” Source

Why do they want to infect you? Often times they want your authorization credentials which could give them system access. Once in, they can start looking around for sensitive data and often cover their tracks as they go deeper and deeper into the systems on the network.

Since the detection methods for phishing attacks are frequently failing, the best form of prevention if routine reminders and training on how to avoid becoming a victim and putting the company’s confidential data at risk. This can be done using several methods:

• Phishing attack training game: An example is ClickClickPhish.com which allows individuals to register and be reminded on a regular basis to play the game. The game teaches players to mouse over links and to evaluate the tool tip which displays the 2nd level domain the link navigates to. Players learn how to ascertain if a link is safe to click on. 
• Monthly email flyers: Flyers and brief news letters on the dangers of phishing attacks help employees stay on heightened alert every time they open an email.  
• Oral re-enforcement: Managers should bring up the topic of emailed phishing attacks periodically in company meetings. An example is often a good reminder of how clever the cloaking can be.
• Random testing: Some companies randomly test employees with fake social-engineering attacks. Then then reward those who do not take the bait. For example, everybody not clicking on the fake phishing email gets a lottery ticket for a really great prize. Or maybe the first dozen employees who report a phishing attempt get a prize.

The best attacks are the ones that look official from sites like Facebook and Linkedin. Many professionals are receiving emails from these sites every day and copying the format of these messages is very easy for a bad actor that is trying to infect your system.

“Countering security threats is not only the responsibility of cyber-security professionals. It is the responsibility of all employees.”

Roger Johnson
Vulnerability Assessment Team
Argonne National Laboratory

“Randomly test employees with fake social-engineering attacks. Then reward those who do not take the bait. For example, everybody not clicking on the fake phishing email gets a lottery ticket for a really great prize. Or maybe the first dozen employees who report a phishing attempt get a prize.”

We all need to remember that no one is immune from phishing.