Phishing is everywhere. Add a newly remote workforce, video conferencing, and corporate messaging, and now phishing and vishing are everywhere. Why? There are many reasons, including:

  • Increased use of personal computers and phones to conduct our work remotely
  • Increase in phishing emails targeting remote workers
  • Increase in vishing calls to our personal phones targeting remote workers

As the world moved to remote work, the attackers didn't stop. They shifted their techniques to target a workforce at home that, inside the corporate network, had additional protections it now lacks. This shift puts additional pressure on security teams to work out how to educate and protect those vulnerable workers, and technology alone can't stop these attacks. So what do you do?

We interviewed Whitney Maxwell, Security Consultant at Rapid7, on Enterprise Security Weekly for recommendations on how to protect remote workers from phishing and vishing attacks. Here are her recommendations:

  • Start with awareness. Educating employees on why phishing and vishing are harmful, and empowering them to detect and report attempts, is a key element of protection. For more information, see Rapid7's Phishing Awareness Training.
  • Teach them phishing prevention and verification tips. Phishing tips are fairly standard: look for suspicious file attachments and malicious website URLs, promote good credential hygiene, and keep systems patched against the latest vulnerabilities. For more information, see Rapid7's Phishing Attacks: A Deep Dive with Prevention Tips.
  • Teach them vishing prevention and verification tips. Vishing tips aren't as well known, but they are basic common-sense verification steps:
    • Ask for the caller's name and look it up in the company directory
    • Ask for internal company information to verify the caller's knowledge
    • Ask for a call-back number to verify where they are calling from, and prefer to call back on a number you have confirmed independently rather than continue the inbound call
    • Ask for the caller's supervisor's name and look it up in the company directory
    • Keep emotions out of it, especially when the caller invokes an urgent incident to pressure you into handing over information
  • Practice, practice, practice. Companies need to phish and vish their employees regularly (every three months is a good cadence) so they get practice at recognizing AND reporting these attacks. For more information, see Rapid7's Tips for a Successful Phishing Engagement.
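As an added illustration of two of the phishing tips above, risky attachments and links whose visible text does not match the real destination, the script below parses a raw email and reports what a trained user would be asked to spot. This is example code written for this page, not Rapid7's tooling or anything shown in the interview. The extension list, the sample message, and the two-label domain comparison (a deliberate simplification of a public-suffix lookup) are assumptions made for the example.

```python
"""Added example (not from the page or Rapid7): triage a raw email for two
indicators the phishing tips tell users to look for, risky attachments and links
whose visible text does not match the real destination.  Stdlib only."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of attachment extensions worth a second look; tune for your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup,
    enough to treat vpn.example.com and www.example.com as the same site."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def _display_text_host(text: str) -> str:
    """If the visible link text itself looks like a URL or bare domain, return its host."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host.strip(".") else ""


def check_link(href: str, text: str) -> list:
    """Findings for one <a href=...>text</a> pair."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"link to {host} uses a punycode (IDN) hostname")
    shown = _display_text_host(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append(f"link text '{text}' shows {shown} but points at {host}")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: bytes) -> list:
    """Return human-readable findings for a raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename} has risky extension {ext}")
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                findings.extend(check_link(href, text))
    return findings


# Constructed sample: a "helpdesk" lure with a mismatched link and an .exe attachment.
SAMPLE_EML = b"""From: IT Helpdesk <helpdesk@example.com>
To: worker@example.com
Subject: Action required: VPN password expiring
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your VPN password expires today. Reset it at
<a href="http://example-com.invalid/reset">https://vpn.example.com/reset</a></p>
--b1
Content-Type: application/octet-stream; name="VPN_Update.exe"
Content-Disposition: attachment; filename="VPN_Update.exe"

(binary omitted)
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

Run it against the constructed message and it flags both the .exe attachment and the link whose text reads vpn.example.com while the href goes elsewhere. Treat this as a pre-filter or a training aid, not a substitute for the user reporting the message: legitimate mail (tracking redirectors, CDN-hosted links) will trip the domain-mismatch heuristic too, which is exactly why the text-versus-destination check is something users need to understand rather than something a script can settle for them.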

To get a deeper dive, watch the interview on Enterprise Security Weekly here, or visit securityweekly.com/rapid7 for more information.