Organizational Security
-
How do you guys handle the broad spectrum of phishing, whaling, scam, etc. attempts?
Had a user get a scam email recently. Thankfully they forwarded it to my dept, and promptly deleted it. I was reflecting on what we do in our department to educate users and I don't feel like it's enough.
Do you all ever screenshot the email and send out a warning of basically "this is what a phishing attempt looks like", with added notes on how and why?
Do you all ever create mock phishing attempts to send out to your organization that, when clicked, take them to basically an "oops, you did a bad thing, now take this training" page? If so, what's a good site/program for that?
Do you ever report any of the attempts, or is it a simple blacklisting of that domain you deploy? If you do report them, to whom?
Would love some thoughts and input to see what everyone else is doing or some best practices.
-
@mr-jones knowbe4. They provide training modules for users as well as allow you to run simulated phishing exercises. There are other companies out there that provide the same service(s) but we're using these guys for now.
-
@notverypunny said in Organizational Security:
@mr-jones knowbe4. They provide training modules for users as well as allow you to run simulated phishing exercises. There are other companies out there that provide the same service(s) but we're using these guys for now.
KnowBe4, and presumably other training platforms, are a great way to go. Teaching the basics as just part of regular workplace competency is a necessity and really, always has been. Expecting workers to be trained elsewhere has never been a good strategy.
-
At my day job, we have annual training that is done much like what @Mr-Jones mentions -- mark up an email and show why it is spam/phish, etc.
We also use another platform (not sure what it is) for Phishing our users and then educating them that way.
-
@dafyre There are many options out there.
If you want to do it yourself and work on it:
https://getgophish.com/
If you want to use a provider, Curricula and Knowbe4 might be your best bet:
https://www.curricula.com/
https://www.knowbe4.com/
We have used Sophos Phish and TrendMicro but reporting and the actual templates lack a lot of what Knowbe4 does already. Knowbe4 also has extensive documentation on how to integrate with various email systems and SSO.
You can also educate the users and create reporting for those emails either via a plugin or by manually forwarding to a dedicated email account. You would also think about separating permissions and tasks from users. So you would have an admin account that is not your everyday user login on the computer and so forth.
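One way to make a dedicated reporting mailbox useful rather than just a dumping ground is a small triage script that reads each forwarded message, pulls out the indicators a responder would want (From vs. Reply-To domain mismatch, links pointing outside the company domain, urgency wording in the subject) and prints defanged URLs and candidate domains for the block list. The script below is an added example written for this thread, not code from any of the products named above; the sample message, the `example-corp.com` internal domain and the keyword list are constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: a suspicious message a user forwarded to the reporting mailbox.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@example-corp-login.net
To: jane.doe@example-corp.com
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Sign in at
http://example-corp-login.net/reset?u=jane.doe to keep access.
Regards, IT
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed heuristic: phrases that commonly signal pressure to act without thinking.
URGENCY_WORDS = ("action required", "expires", "urgent", "immediately", "suspended")


def domain_of(header_value: str) -> str:
    """Return the lowercased domain of an address header, or '' if there is none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked when pasted into a ticket or warning email."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(raw_eml: str, internal_domain: str) -> dict:
    """Parse one reported message and return a summary a responder can act on."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_to_domain = domain_of(str(msg.get("Reply-To", ""))) or from_domain
    subject = str(msg.get("Subject", ""))

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    urls = URL_RE.findall(body)

    def is_internal(host: str) -> bool:
        return host == internal_domain or host.endswith("." + internal_domain)

    external_hosts = sorted({
        h for h in (urlsplit(u).hostname or "" for u in urls) if h and not is_internal(h)
    })

    indicators = []
    if reply_to_domain != from_domain:
        indicators.append("reply_to_mismatch")      # replies go somewhere else
    if external_hosts:
        indicators.append("external_links")         # link targets outside the company
    if any(w in subject.lower() for w in URGENCY_WORDS):
        indicators.append("urgency_language")       # pressure to act fast

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "indicators": indicators,
        "defanged_urls": [defang(u) for u in urls],
        "block_candidates": external_hosts,         # domains to review for the blocklist
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EML, "example-corp.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The output is deliberately defanged so the summary can be pasted straight into the "this is what a phishing attempt looks like" warning you send to users, and `block_candidates` gives the mail or proxy admin a reviewed list rather than an automatic block.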