February

NIST PR.AT-2

“Recognizing & Defeating Email Threats”

Phishing Awareness

February focuses on phishing awareness and email security. Learn to spot the malicious emails that lead to most breaches before anyone clicks the link.

Cautionary Tale: The “Browser Update” Trap

An insurance company recently suffered a major breach that didn’t start with a shady email. Instead, an employee visited a legitimate, well-known website that had been silently compromised by hackers.

While browsing, a realistic pop-up appeared stating, “Your Chrome Browser is out of date. Click here to update for security.” Trusting the prompt, the employee clicked. Instead of a security patch, the site installed a “Remote Access Trojan” (malware), giving hackers full control over the employee’s computer and the company’s internal network.

The Lesson: Hackers exploit our desire to be secure. Just because a site looks professional or is a “trusted” brand doesn’t mean the content on the screen is safe.

Advanced Phishing Tactics

  • Beyond the Link: Hovering over a link to check the URL is still good practice, but it isn’t foolproof. Attackers now use “URL shorteners” or “open redirects” to hide their true destination.

  • The Urgency Engine: If an email or pop-up creates extreme urgency (e.g., “Account Suspended,” “Unplanned HR Benefit Change,” or “Overdue Invoice”), it is designed to make you act before you think.

  • The “Different Channel” Rule: If you receive a suspicious request, verify it using a different platform. If you get a “weird” email from your boss, send them a quick Slack message or call them to confirm.

Anatomy of a Phish: What to Watch For

  1. Generic Greetings: “Dear Valued Employee” instead of your name.
  2. Mismatched Domains: The “From” name says “IT Support,” but the actual sender address is on an unrelated or look-alike domain, not your company’s.
  3. High Stakes: Threats of disciplinary action or loss of access if you don’t click immediately.
  4. Suspicious Attachments: Unexpected PDFs or .zip files, especially those claiming to be “Invoices” or “Bonus Details.”
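A small checker for the four indicators above, added here as an example and not code from the newsletter or from Symbol Security. It runs Python's standard email parser over a constructed sample message; the trusted-domain set and the keyword and extension lists are assumptions that a mail team would tune to its own environment.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: "IT Support" display name from a look-alike domain,
# generic greeting, urgent wording, and an unexpected .zip attachment.
# All addresses and domains are placeholders.
SAMPLE_EML = """\
From: IT Support <helpdesk@examp1e-corp-support.com>
To: staff@example.com
Subject: URGENT: Account Suspended - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Valued Employee,
Your account has been suspended. Open the attached invoice immediately
or you will lose access.
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"

UEsDBAo=
--b1--
"""

TRUSTED_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains
URGENT_TERMS = ("account suspended", "overdue invoice", "immediately", "benefit change")
RISKY_EXTS = (".zip", ".pdf", ".iso", ".js")
GENERIC_GREETINGS = ("dear valued employee", "dear customer", "dear user")


def phish_indicators(raw):
    """Return the names of the 'Anatomy of a Phish' indicators present in a raw message."""
    msg = message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Indicator 2: a friendly display name whose mailbox is outside our domains
    if name and domain not in TRUSTED_DOMAINS:
        hits.append("mismatched_domain")
    text = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTS):
            hits.append("suspicious_attachment")  # indicator 4
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    body = text.lower()
    if any(g in body for g in GENERIC_GREETINGS):
        hits.append("generic_greeting")  # indicator 1
    if any(t in msg.get("Subject", "").lower() + " " + body for t in URGENT_TERMS):
        hits.append("urgency")  # indicator 3
    return hits
```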

February Checklist

  • Use the Button: If an email looks “off,” don’t just delete it. Use the “Report Phishing” button in your email client to alert our security team.
  • Update Manually: Never click a pop-up to update your browser. If you think you need an update, go directly to your browser settings (e.g., Settings > About Chrome).

Symbol Security

Ready to Implement This Month's Security Focus?

Deploy automated security awareness training with Symbol Security. Schedule simulations, track progress, and measure improvement across your organization.